Gartner defines microsegmentation as the ability to insert a security policy into the access layer between any two workloads in the same extended data center. Microsegmentation technologies enable the definition of fine-grained network zones, down to individual assets and applications.

Core capabilities include:

- Flow mapping, which is the ability to gather and show North/South and East/West traffic flows and use them in the policy definition (it can present this data in a visual manner)
- Workload isolation, which is isolation from other workloads based on security policy
- Policy enforcement, including the definition of rules based on different factors
- The ability to deploy in virtualized and infrastructure-as-a-service environments

Some of the most frequent optional capabilities of microsegmentation technologies include:

- Automation of the deployment as part of a continuous integration/continuous deployment (CI/CD) pipeline
- Integration with cloud infrastructure to ease deployment, enforce rules or automate policy updates when new assets are deployed
- Asset discovery: adjacent to the flow mapping, microsegmentation tools can show more advanced context for the assets
- Policy recommendation engine: complementary to the asset discovery, microsegmentation technology can suggest policy rules to authorize discovered flows
- Threat detection: based on threat intelligence, layer seven protocol inspection and anomaly detection
- Interoperability through direct integration with third-party products, such as a firewall, and hardware, such as switches and routers
- Internet of Things (IoT)/operational technology (OT) coverage: the solution supports microsegmentation for IoT/OT infrastructure
- Kubernetes/Container coverage: the solution supports microsegmentation for containers/K8s

Gartner defines zero trust network access (ZTNA) as products and services that create an identity- and context-based, logical-access boundary that encompasses an enterprise user and an internally hosted application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a collection of named entities, which limits lateral movement within a network.