Forrester’s best practices for zero-trust microsegmentation


Most microsegmentation projects fail for various reasons, including over-optimistic planning, improper execution, analysis paralysis, lack of a nontechnical business driver, and more. Forrester’s recent report, Best Practices For Zero Trust Microsegmentation [$], explains why most zero-trust microsegmentation projects are failing today and what CISOs, CIOs and their teams can do to improve their odds of success. 

Microsegmentation is one of the core components of zero trust, based on the NIST SP 800-207 Zero Trust Architecture. Network segmentation segregates and isolates segments in an enterprise network to reduce attack surfaces and limit the lateral movement of attackers on a corporate network.

Why many microsegmentation projects fail 

Of the 14 microsegmentation vendors referenced in the report that tried to secure their private networks with limited segmentation or by adopting a network access control (NAC) solution, 11 failed. 

The report explains why on-premises networks are the hardest operational domains to secure, and how implicit trust makes a typical greenfield IP network especially vulnerable to attack. And now, with more people in virtual workforces than ever before, the increased prevalence of dynamic host configuration protocol (DHCP) has made these networks even more insecure. 

Implicit trust also permeates many on-premises private networks, making them especially vulnerable to ransomware attacks. In addition, according to the Forrester study, IT and security teams are finding that taking a manual approach to advanced network segmentation is beyond their capability.  

As a result, most enterprises have a limited understanding and visibility of their network topology and rely on spreadsheets to track which assets are on the network. “The lack of visibility is a common theme for many organizations with an on-premises network. Most organizations don’t understand where their high-value data is and how it moves around. And the vast majority of organizations we talk to do not do sufficient data discovery and classification, both of which are needed to some extent for a proper microsegmentation project. Just knowing what data you have and where it lives is a hard problem to solve,” David Holmes, senior analyst at Forrester and author of the report, told VentureBeat. 

Because IT and security teams are overwhelmed with work already, it’s not feasible to manually segment and firewall applications. Forrester also observes that the vision of using software-defined, intent-based access being promoted by infrastructure vendors isn’t working as expected for any organization.

CIOs and CISOs getting it right do these things 

Forrester found that the security leaders who are succeeding with microsegmentation projects concentrate on factors that reduce roadblocks to successful implementations while strengthening their zero-trust framework. 

Invest the time to get data classification and visibility right

CIOs told Forrester that they are using data classification as a dependency for zero-trust projects to know what they’re trying to protect. CIOs also confided in Forrester that their organizations have little ability to discover new or complex data at scale and categorize it successfully. 

While these organizations have data categorization and classification policies, they aren’t regularly enforced. CIOs and their teams who excel at data classification and visibility have a higher success rate with microsegmentation. 

Microsegmentation needs to be a primary security control for local networks 

Forrester found that CIOs and CISOs who removed any potential for implicit-trust connections between identities and machine-to-machine identities were the most successful at delivering results from their microsegmentation projects.

There needs to be strong buy-in for zero trust corporate wide 

The more committed that enterprises and C-level executives are to continually refining and improving their zero-trust framework, the more successful their CIOs and CISOs are in getting obstacles out of the way.

One of the greatest obstacles security leaders face is successfully getting microsegmentation to work on on-premises networks, many of which rely on interdomain trust relationships and legacy network controllers from decades ago. As a result, they are a favorite target for ransomware and cyberattacks because cybercriminals can exploit implicit trust gaps easily. When zero trust has strong corporate support, CIOs and CISOs get the budget and support to close implicit trust gaps quickly to achieve microsegmentation. 

Forrester’s best practices  

Enterprises are rushing into microsegmentation projects and not taking the time to plan them out first. Forrester’s findings imply that enterprises are attempting to get microsegmentation to work with on-premises networks without first identifying where roadblocks are – or worse, not getting C-level support to remove obstacles once they’re found during implementation. 

Based on interviews with enterprises at varying levels of success with microsegmentation projects, Forrester devised six steps that it recommends enterprises follow to streamline large-scale implementation projects. Forrester’s best practices for microsegmentation include the following: 

C-level champions make a big difference in microsegmentation success

Forrester’s first best practice is cultivating a C-level champion who provides the support needed to overcome political hurdles. From personal experience on cybersecurity projects, C-level executives can remove within hours obstacles that would take directors or managers weeks or months to clear. They also need to be vocal in their support of zero-trust microsegmentation and explain why getting it right reduces the most severe risks the company will face.

Classify your data 

Forrester advises their clients to get data classified before implementing microsegmentation projects. Otherwise, there isn’t a clear idea of just what is being secured or not. A consistent taxonomy and approach to categorizing data is essential for microsegmentation to work. Forrester’s report shows the value of taking time early on to complete this best practice, as it increases the probability of success for a microsegmentation project.

Collect network traffic and asset information

Forrester observes that it’s best to use the sensors in microsegmentation platforms to collect network traffic in monitoring mode, integrating the collected data in a configuration management database (CMDB) and analyzing it with asset inventory tools. Defining policies for ensuring the accuracy of the CMDB and using its IP address management (IPAM) is a core part of this best practice and contributes to an effective zero-trust framework.

Analyze and prioritize suggested policy

Testing for false positives and anomalies using the automated modeling capabilities included in microsegmentation systems is another best practice Forrester recommends. CISOs and CIOs have told VentureBeat in the past that they need to store more flow data to gain greater insights into telemetry data. As with any of these best practices, they become the most valuable when used for closing implicit trust gaps across on-premises corporate networks.

Get application owners involved early

From a change management standpoint, it is essential, and a best practice, to get the support of the line-of-business owners of mission-critical applications for segmentation policies. They will be the most concerned about how microsegmentation may affect the business logic of their applications and will want to work with you to reconcile the suggested segmentation policy with how those applications actually communicate. Forrester recommends bringing reports that include applications, topologies, server inventories and owner lists to the relevant departments and soliciting exception requests for required connections such as backups, vulnerability management, scanning and administration.
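As an added illustration of the collect, analyze and owner-review steps above (example code, not from Forrester’s report or VentureBeat): a small Python script that turns flows observed in monitoring mode plus a CMDB extract into a suggested allow-list, routes rare rules and hosts missing from the inventory to owner review, folds in approved exception requests, and replays the traffic to surface what enforcement would have blocked. All hosts, application tags and flow records are constructed.

```python
from collections import defaultdict

# Constructed CMDB extract: host -> (application tag, owner team).
CMDB = {
    "10.0.1.10": ("web", "ecommerce"),
    "10.0.1.11": ("web", "ecommerce"),
    "10.0.2.20": ("db", "ecommerce"),
    "10.0.9.5": ("backup", "infra"),
    "10.0.9.6": ("vuln-scanner", "secops"),
    "10.0.3.30": ("finance-app", "finance"),
}

# Constructed flows captured in monitoring mode: (src, dst, dst_port, count).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 5432, 900),
    ("10.0.1.11", "10.0.2.20", 5432, 850),
    ("10.0.9.5", "10.0.2.20", 22, 7),       # nightly backup job, low count
    ("10.0.9.6", "10.0.1.10", 443, 1),      # vulnerability scanner, rare
    ("10.0.3.30", "10.0.2.20", 5432, 3),    # cross-application flow, unexplained
    ("10.0.3.30", "192.168.50.9", 445, 2),  # peer not in the CMDB
]

def suggest_policy(flows, cmdb, min_count=10):
    """Aggregate flows into (src_app, dst_app, port) rules. Rules below
    min_count go to owner review instead of being auto-allowed; hosts
    missing from the CMDB are reported as inventory gaps."""
    tally, unknown = defaultdict(int), set()
    for src, dst, port, n in flows:
        if src not in cmdb or dst not in cmdb:
            unknown.update(h for h in (src, dst) if h not in cmdb)
            continue
        tally[(cmdb[src][0], cmdb[dst][0], port)] += n
    suggested = {r for r, n in tally.items() if n >= min_count}
    review = {r for r, n in tally.items() if n < min_count}
    return suggested, review, unknown

def simulate(flows, cmdb, policy):
    """Replay observed flows against a policy and return the ones it would
    block: the candidate false positives to resolve before enforcement."""
    app = lambda h: cmdb.get(h, ("unknown", None))[0]
    return [f for f in flows if (app(f[0]), app(f[1]), f[2]) not in policy]

if __name__ == "__main__":
    suggested, review, unknown = suggest_policy(FLOWS, CMDB)
    # Exceptions an application owner approves for required connections.
    policy = suggested | {("backup", "db", 22), ("vuln-scanner", "web", 443)}
    print("needs owner review:", review, "not in CMDB:", unknown)
    for flow in simulate(FLOWS, CMDB, policy):
        print("would block:", flow)
```

The two flows left in the blocked list are exactly what the owner conversation has to settle before the policy moves from monitoring to enforcement.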

Get quick wins first before attempting microsegmentation

Forrester’s Holmes advises enterprises implementing zero-trust programs to approach microsegmentation toward the middle or end of their roadmap. “Other zero-trust projects, like centralizing identity, rolling out single sign-on (SSO) and implementing multifactor authentication (MFA) have higher visibility across the organization and are more likely to succeed quickly,” Holmes says.

Getting a series of quick wins early on a large-scale security project is essential to protecting and growing the budget. “Quick (and broadly visible) wins are important in a long security project if for no other reason than to keep the budget coming. Microsegmentation projects require mindfulness and discipline, and when executed properly, no one notices when [they’re] working,” Holmes told VentureBeat. 

When a microsegmentation project falters or fails, it immediately causes outages, service tickets and headaches for IT and security teams. Holmes says Forrester’s clients understand this, and when they are surveyed about their top IT security priorities for the next 12 months, microsegmentation isn’t usually in the top 10 yet. However, with these best practices, companies that do plan on implementing microsegmentation in the near future can hopefully have greater success with fewer disruptions.
