Inquiries about microsegmentation (also called Zero Trust segmentation) have been rising steadily, especially since the start of the year. This is great, because it means people are getting serious about Zero Trust (microsegmentation is the super-serious part). All these phone calls are prompting me to share my latest thoughts on the subject, so here we go.
Last year, we released an evaluative report on microsegmentation solutions (see The Forrester New Wave™: Microsegmentation, Q1 2022) that included the vendors Akamai Technologies (Guardicore), Aruba, Avocado Systems, Cisco, ColorTokens, Illumio, Sangfor Technologies, Unisys, and VMware. The interactions from those customer references, and from many of my client inquiries over the years, informed a later report, titled Best Practices For Zero Trust Microsegmentation.
More Plot Twists Than An M. Night Shyamalan Flick
In the best-practices report, I make three bold takes. I still hold to these, but there have been some significant plot twists that actually make the story even better today than it was 18 months ago.
Eighteen months is also significant because I’ve taken not one but two paternity leaves in that time. It’s almost like baby humans take 18/2 months to create.
Bold Take #1. Host-level enforcement is the least glamorous but gives the best outcome. As I wrote in “Best Practices,” agent fatigue is real. Installing yet another security agent on servers and laptops fatigues the organization, so of course security professionals would like to reach for infrastructure solutions to leverage network switches or hypervisors to do the heavy lifting. But as I found in my research, the infrastructure isn’t up to the job. In fact, the infrastructure is the problem (built on implicit trust). The best chance of getting a good outcome is to hold your nose and install those security agents on each device that will participate in the scope. But hold on (plot twist coming)!
Plot twist: You can now get host-based enforcement without the agent. Two newish entrants into the microsegmentation space, Zero Networks and TrueFort, get you host-level granularity without installing agents. Zero Networks does it by programming the host firewalls externally (via Windows Remote Control, SSH and JAMF, and Intune, depending on the target OS). TrueFort integrates with the CrowdStrike or SentinelOne agent you already have — for customers with those endpoint security agents, it’s a no-brainer. Note: We have not evaluated either solution.
Bold Take #2. Microsegmentation is a data-center conversation. Enforcing explicit network policy around critical applications is obvious, and that’s where nearly every single deployment of microsegmentation that I’ve ever heard of is happening. Cloud and workstation were supposed to be the next frontiers, but I’ve not seen adoption in either yet. For apps in the public cloud, I suspected that microsegmentation will be done differently there, because unlike on-premises, public cloud has a “programmable plane” — some call it infrastructure as code, and some just say “terraform.”
Plot twist: At RSA 2023, I had dinner with a new acquaintance, and this topic came up. Terraform is literally how his team is doing it. Where before I would have said, “Don’t DIY your microsegmentation!” that’s how people are doing it right now in the cloud. Will it scale?
Bold Take #3. Wrap microsegmentation with ZTNA to get a crunchy microperimeter. Remember the pandemic? I know — I’m trying to forget, too. Zero Trust Network Access (ZTNA) was all the rage then, and we put out an evaluative, comparative report on ZTNA (see The Forrester New Wave™: Zero Trust Network Access, Q3 2021). ZTNA is the other, prettier ZT technology, but it’s definitely a layer 7 (users) solution, whereas microsegmentation, the way we define it, is layer 3 and 4 (TCP/IP all the way, baby). ZTNA and microsegmentation solved different security problems, but unlike peanut butter and chocolate, they didn’t just “go together.” And while everyone was remote, it didn’t matter so much.
Plot twist: ZTNA and microsegmentation actually do go together, and they form a microperimeter. There should be a smaller perimeter within which microsegmentation is applied, and the only way that user connections get into that perimeter is via ZTNA, which can verify identities. The servers within the microperimeter trust only the tiers of their application stack and the ZTNA gateway. This setup avoids you having to deploy agents and sensors onto all the user workstations (no one was doing that anyway).
Only a handful of vendors sell both ZTNA and microsegmentation, and in most cases, they built one and acquired the other. Akamai had ZTNA and bought market leader Guardicore. VMware bought Nicira (now NSX) and could combine it with its Secure Access. Zscaler has ZPA and bought Edgewise. Fortinet bought ShieldX and is building its ZTNA. ColorTokens is one vendor that built both.
I See Dead Routes, Everywhere
If you find yourself split on how to approach ZTNA and microsegmentation, you’re not alone. Enterprises, and vendors, have approached these separately, but the next frontier is to combine them.
Similar to the reveal in M. Night Shyamalan’s “The Sixth Sense,” if what is missing for you is having an interested third party to witness and advise your Zero Trust journey, please reach out and schedule an inquiry or guidance session, and I will show you the “Signs” that you may be missing.