A Zero Trust Paradox: Which Comes First, Microsegmentation Or Microperimeter?
The common trope, “What came first, the chicken or the egg?” is a question about origins and paradoxical relationships. Security and risk conversations about microsegmentation and microperimeters suffer from a similar dilemma. These two concepts are heavily emphasized in Zero Trust conversations as key components to advance maturity. Security and risk pros confuse the usage of both terms, however, and questions abound about which came first.
So join me on a journey into a wondrous land of information as you enter the Zero Trust zone.
Origins & Misrepresentation
In cybersecurity, the term microsegmentation has become associated with the information security model of Zero Trust. Its intent is to reduce breach impacts through further isolation of sensitive systems and data into a series of protected segments. When Forrester first introduced Zero Trust in 2009, it focused primarily on improving network security. The report No More Chewy Centers: The Zero Trust Model Of Information Security used the term microperimeter to emphasize the need to segment networks with more granularly restricted access to embrace the concept of deperimeterization.
These two terms have been often used interchangeably to describe the outcome that clients are seeking: the desire to protect enterprise resources through Zero Trust. Furthermore, vendors have exacerbated that confusion by marketing technologies that seek to address these concepts yet fail to clearly explain what they do and how.
Three Key Points To Dwell On And To Remember
Both terms have relevance, and both apply to Zero Trust. While microperimeter arguably appeared first at the onset of the Zero Trust information security model, microsegmentation soon overtook it and became synonymous with Zero Trust. In 2021, my colleague David Holmes defined microsegmentation to describe how microperimeters can be achieved through an approach that embodies the three principles of Zero Trust: default deny, least privilege, and comprehensive monitoring throughout. It is important that security and risk professionals also understand that:
- Deperimeterization does not mean “kill your firewalls.” This term was commonly used to describe how modern network and security professionals need to deal with the implications of cloud usage, virtualization, software-defined networking, bring-your-own-device, and the proliferation of unmanaged mobile/remote devices. Sole reliance on the “castle” type of traditional network perimeter is obsolete, and security controls must be pushed closer around the “crown jewels.” But as David Holmes points out in his research, “the network firewall continues to be a critical control for organizations that haven’t achieved 100% digital transformation (and most have not).”
- Microsegmentation is the means to an end. To further divide a network into protected segments, software- or hardware-based solutions such as enterprise firewalls (or a combination of identity and access management, network access control, Zero Trust network access, or other specialized solutions) are used to create microsegments based on the sensitivity and risk impact of resources while providing layer 7 inspection. Through microsegmentation, security and risk professionals can deploy security controls closer to assets.
- Microperimeters are the outcome. Each microperimeter relies on technology that utilizes microsegmentation techniques to enforce the segmentation and inspection of traffic. Through microperimeters, security and risk professionals have the ability to concentrate on granular security controls to mitigate and protect against attacks. Security controls that empower microperimeters to protect sensitive enterprise resources also increase visibility into how those resources are utilized.
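To make the three points concrete, here is an added example (not from the original post, and not any vendor's product) of a minimal policy engine that models a microperimeter around a sensitive resource and enforces the three Zero Trust principles named above: every flow is denied unless an explicit least-privilege rule matches, the rule must agree with what layer 7 inspection saw on the wire (not just the port), and every decision is logged. Segment names, ports and the "payments" scenario are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one connection attempt as seen by the enforcement point
    src_segment: str
    dst_segment: str
    dst_port: int
    l7_app: str  # protocol that layer 7 inspection identified in the payload

@dataclass(frozen=True)
class AllowRule:  # least privilege: one explicit path, including the expected L7 protocol
    src_segment: str
    dst_port: int
    l7_app: str
    purpose: str

@dataclass(frozen=True)
class Microperimeter:  # protected segment around one class of sensitive resources
    name: str
    sensitivity: str
    rules: tuple

class SegmentationPolicy:
    def __init__(self, perimeters):
        self.perimeters = {p.name: p for p in perimeters}
        self.audit_log = []  # comprehensive monitoring: every decision is kept, allow or deny

    def evaluate(self, flow: Flow) -> str:
        decision, reason = "deny", "default deny: no rule matched"
        perimeter = self.perimeters.get(flow.dst_segment)
        for rule in (perimeter.rules if perimeter else ()):
            if (rule.src_segment, rule.dst_port, rule.l7_app) == (flow.src_segment, flow.dst_port, flow.l7_app):
                decision, reason = "allow", rule.purpose
                break
        self.audit_log.append({"flow": flow, "decision": decision, "reason": reason})
        return decision

# Constructed sample: a microperimeter around a payments database (hypothetical names).
PAYMENTS_DB = Microperimeter("payments-db", "high", (
    AllowRule("payments-api", 5432, "postgres", "API reads and writes card tokens"),))

def demo() -> list:
    policy = SegmentationPolicy([PAYMENTS_DB])
    flows = [
        Flow("payments-api", "payments-db", 5432, "postgres"),       # the one permitted path
        Flow("payments-api", "payments-db", 5432, "ssh"),            # same port, wrong protocol
        Flow("corp-workstations", "payments-db", 5432, "postgres"),  # wrong source segment
    ]
    return [policy.evaluate(f) for f in flows]  # ["allow", "deny", "deny"]
```

The second flow is the case a port-only segment rule would miss: the port is permitted, but layer 7 inspection shows the traffic is not the application the rule was written for, so it falls through to the default deny and still lands in the audit log.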
There’s Nothing To Fear: You’re Not In The Twilight Zone
When thinking about microsegmentation versus microperimeter, you may feel like you’re in an episode of “The Twilight Zone.” Fear not, this is not a nightmare at 20,000 feet, and no creature is tearing the wings off your airplane.
Keep in mind that both terms are relevant, and your understanding of them is important. Cut through the fog of confusion on how to accomplish these concepts by reviewing our research, including The Forrester New Wave™: Microsegmentation, Q1 2022 or Best Practices For Zero Trust Microsegmentation, and familiarize yourself with how best to apply microsegmentation to achieve microperimeters.
Of course, if you need more insight or guidance, schedule an inquiry or guidance session with my colleague David Holmes or myself to ensure that your organization is on the right path to maturing your Zero Trust journey.