Why it matters

Traditional network security models have concerned themselves with securing the network perimeter, using technologies such as firewalls to protect the entire network and applying different authentication strategies to ensure that only authorized users and devices pass through that perimeter. But what about a threat that is already inside your network? Microsegmentation is a security strategy that allows you to divide a network into smaller, isolated segments, effectively adding further defensive layers. You can create microsegments around a specific set of resources or services, and then define access controls and security policies that are specific to the resources and services in the microsegment.

Use cases

Reduce your attack surface

Limit the ability of attackers to move through your network for staged attacks, even if they penetrate the outer security perimeter.

Cloud segmentation

Divide a cloud environment into separate parts and improve security by limiting communication between them.

IoT and OT device segmentation

Create distinct zones based on device profiles and then assign network devices to an appropriate zone, applying a Zero-Trust policy at both the LAN and internet layers.

How we do it

The VersaONE Universal SASE Platform allows administrators to place user client devices as well as clientless or headless IoT and OT devices into microsegments. To create a microsegment, you define a policy whose match criteria place a user or device into the microsegment, then you apply policies to restrict or allow traffic.

Importantly, Versa’s microsegmentation is dynamic. It reacts to changes in device posture, a user’s risk score, and other factors, and automatically adjusts the segments to which a user or device has access. For example, if a microsegmentation policy determines that a device’s antivirus software is not up to date, making the device vulnerable to attack, it can automatically place the device into a quarantined microsegment to ensure that the device cannot communicate with other users or devices in the network. Then, if the device’s antivirus software is upgraded, after the SASE client conveys this information to the first-hop SASE gateway, the microsegmentation policy can move the device into a non-quarantined microsegment.

For headless IoT and OT devices that do not run the Versa SASE client, such as sensors and printers, the VersaONE platform’s automated device fingerprinting can identify the device based on its model, vendor, and other associated attributes, then place it into the proper microsegment.

What you get

Dynamic Zero-Trust security

The ongoing security posture of devices on the network is monitored and users and devices are automatically placed into different microsegments as the security posture changes.

Policy-based segmentation

Software-defined microsegmentation allows businesses to define network-wide policies that determine who has access to specific microsegments of the network without the limitations of VLANs.

Centralized management and visibility

Controls to create, manage, and monitor microsegments are integrated with network configurations and administrators have real-time visibility into network activity.

Benefits

Centrally manage a unified repository of granular Zero Trust policies that are consistently enforced – across any network, wherever users and devices are located.

Versa’s Zero Trust framework combines with microsegmentation to significantly reduce the risk of breaches and data loss by isolating any compromise and preventing lateral movement in staged attacks.

The VersaONE Universal SASE Platform and its microsegmentation capabilities scale automatically and seamlessly according to your needs, without sacrificing performance while enhancing the user app experience.