This blog post is related to my research into segmentation. More specifically, what the differences are between macro- and microsegmentation, and the levels of granularity in between, which I call mesosegmentation.
Please fill in the survey on what you think of these levels of segmentation! It helps my research tremendously: Link to the Google Forms (no sign in required!).
Macrosegmentation
Macrosegmentation is separation based on VLANs, networks or other large, sweeping distinctions. Examples include different business units, departments, or other broad functionality. Usually this is done on the physical routing and switching infrastructure with a gateway firewall at each boundary, rather than using distributed firewalling.
Mesosegmentation – Environments
Environment separation is based around production, development, staging, or other large distinctions within the datacenter. It provides high-level separation based on the risk and requirements of each environment.
Separation can also be drawn around environments such as VDI, or between PCI-compliant resources and those that aren't; in a hospital, for example, between resources that house patient information and those that need to access it.
Mesosegmentation – Applications
Application separation is based around the functionality that a workload provides. Access to an application is granted to all workloads within it equally: in order to give access to the application, you give access to ALL VMs within that application segment.
Mesosegmentation – Tiers
Tier separation is done within the application, based around the 3-tier model so often found in the literature. It usually separates frontend, middleware, and backend or database tiers. Workloads within each tier have free-flowing access to each other.
This allows for access specifically to VMs that serve one aspect of the application, rather than to the application as a whole.
Microsegmentation
Microsegmentation involves separating each individual workload, even within an application tier. Access can be granted to each individual VM, but requires the creation of unique rules for each of those flows.
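The five levels above, modelled as a small policy evaluator over a constructed inventory. This is an added example, not code from the original post; it assumes each level's segment key nests inside the coarser one, that traffic inside a segment is free-flowing, and that crossing segments needs an explicit rule. For one access grant it shows how many rules each level needs and which other workloads the grant also exposes.

```python
from dataclasses import dataclass

# Constructed inventory: every workload tagged with the attribute each level segments on.
@dataclass(frozen=True)
class Workload:
    name: str   # the microsegment: one workload
    vlan: str   # macrosegment
    env: str    # mesosegmentation, environment (prod/dev/...)
    app: str    # mesosegmentation, application
    tier: str   # mesosegmentation, tier (frontend/middleware/database)

INVENTORY = [
    Workload("shop-web-1", "vlan10", "prod", "shop", "frontend"),
    Workload("shop-web-2", "vlan10", "prod", "shop", "frontend"),
    Workload("shop-api-1", "vlan10", "prod", "shop", "middleware"),
    Workload("shop-db-1", "vlan10", "prod", "shop", "database"),
    Workload("blog-web-1", "vlan10", "prod", "blog", "frontend"),
    Workload("shop-db-dev", "vlan10", "dev", "shop", "database"),
    Workload("hr-web-1", "vlan20", "prod", "hr", "frontend"),
]
BY_NAME = {w.name: w for w in INVENTORY}

# Each level's segment key nests inside the coarser one, so granularity only increases.
LEVELS = {
    "macro": lambda w: (w.vlan,),
    "environment": lambda w: (w.vlan, w.env),
    "application": lambda w: (w.vlan, w.env, w.app),
    "tier": lambda w: (w.vlan, w.env, w.app, w.tier),
    "micro": lambda w: (w.name,),
}

def is_allowed(level, rules, src, dst):
    """Traffic inside one segment flows freely; crossing segments needs an explicit rule."""
    key = LEVELS[level]
    return key(src) == key(dst) or (key(src), key(dst)) in rules

def grant(level, consumer_names, target_name):
    """Minimal rule set letting each consumer reach the target, plus everything those rules expose."""
    key = LEVELS[level]
    target = BY_NAME[target_name]
    consumers = [BY_NAME[n] for n in consumer_names]
    rules = {(key(c), key(target)) for c in consumers if key(c) != key(target)}
    exposed = {w.name for w in INVENTORY
               if any((key(c), key(w)) in rules for c in consumers)}
    return rules, exposed

if __name__ == "__main__":
    for level in LEVELS:
        rules, exposed = grant(level, ["hr-web-1"], "shop-db-1")
        print(f"{level:12} rules={len(rules)} exposed={sorted(exposed)}")
```

Running it shows the trade-off the post describes: the coarser levels open the whole VLAN, environment or application to reach one database, while tier and micro expose only that database, at the price of one rule per flow at the micro level.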
The original article was posted on: significant-bit.com