WEBVTT

1
00:00:00.000 --> 00:00:01.380
In this lesson,

2
00:00:01.380 --> 00:00:04.230
we will learn about segmentation.

3
00:00:04.230 --> 00:00:06.750
Segmentation is dividing a network

4
00:00:06.750 --> 00:00:09.660
into distinct zones or segments

5
00:00:09.660 --> 00:00:13.620
to control and limit access between different areas.

6
00:00:13.620 --> 00:00:15.450
This enhances security

7
00:00:15.450 --> 00:00:18.330
and reduces the network attack surface.

8
00:00:18.330 --> 00:00:20.820
A specific type of segmentation,

9
00:00:20.820 --> 00:00:23.190
known as micro-segmentation,

10
00:00:23.190 --> 00:00:27.030
takes this approach further by creating even smaller,

11
00:00:27.030 --> 00:00:31.620
more granular segments within each larger network segment.

12
00:00:31.620 --> 00:00:36.390
Let's learn more about segmentation and micro-segmentation.

13
00:00:36.390 --> 00:00:39.450
First, we have segmentation,

14
00:00:39.450 --> 00:00:42.660
but before segmenting your networks and servers,

15
00:00:42.660 --> 00:00:45.450
it's important to map out your data zones

16
00:00:45.450 --> 00:00:47.730
through data topology mapping.

17
00:00:47.730 --> 00:00:51.570
Data topology defines and classifies data

18
00:00:51.570 --> 00:00:56.570
based on its users, constraints, flow, and importance.

19
00:00:57.000 --> 00:00:59.520
By categorizing data into zones,

20
00:00:59.520 --> 00:01:03.180
like financial data or proprietary data,

21
00:01:03.180 --> 00:01:06.540
organizations can apply specific protections

22
00:01:06.540 --> 00:01:10.830
and security policies to each zone that is mapped out.

23
00:01:10.830 --> 00:01:13.170
For example, financial data

24
00:01:13.170 --> 00:01:15.750
may need to comply with regulations

25
00:01:15.750 --> 00:01:19.140
like the Payment Card Industry Data Security Standard,

26
00:01:19.140 --> 00:01:21.210
or PCI DSS,

27
00:01:21.210 --> 00:01:23.190
while proprietary data

28
00:01:23.190 --> 00:01:25.890
may have custom protection requirements

29
00:01:25.890 --> 00:01:28.980
based on organizational policies.

30
00:01:28.980 --> 00:01:32.040
Segmentation allows an organization

31
00:01:32.040 --> 00:01:34.200
to focus security efforts

32
00:01:34.200 --> 00:01:37.530
on the areas of their highest need.

33
00:01:37.530 --> 00:01:40.200
When segmenting enterprise networks,

34
00:01:40.200 --> 00:01:44.730
cloud environments offer region-based segmentation.

35
00:01:44.730 --> 00:01:47.010
This means that cloud providers

36
00:01:47.010 --> 00:01:51.870
allow you to store data in specific geographic locations,

37
00:01:51.870 --> 00:01:56.160
providing regional segmentation for data protection.

38
00:01:56.160 --> 00:01:59.910
This is useful for multinational organizations

39
00:01:59.910 --> 00:02:01.470
that must store data

40
00:02:01.470 --> 00:02:04.680
in compliance with regional regulations.

41
00:02:04.680 --> 00:02:08.940
In addition, availability zones within cloud regions

42
00:02:08.940 --> 00:02:12.510
provide redundancy and failover protection.

43
00:02:12.510 --> 00:02:15.000
For example, within a region,

44
00:02:15.000 --> 00:02:17.400
multiple availability zones

45
00:02:17.400 --> 00:02:22.400
ensure that if one zone goes down, the others remain online,

46
00:02:22.560 --> 00:02:25.620
keeping critical services available.

47
00:02:25.620 --> 00:02:29.250
This is a type of network segmentation.

48
00:02:29.250 --> 00:02:32.760
Cloud providers also offer segmentation

49
00:02:32.760 --> 00:02:37.380
through Virtual Private Cloud, or VPC, for AWS,

50
00:02:37.380 --> 00:02:42.380
or Virtual Network, or VNet, for Azure implementations.

51
00:02:42.480 --> 00:02:44.910
These tools allow organizations

52
00:02:44.910 --> 00:02:48.900
to create private segmented networks in the cloud

53
00:02:48.900 --> 00:02:51.780
or extend their on-premises networks.

54
00:02:51.780 --> 00:02:56.010
Subnets, security groups, and network access control lists

55
00:02:56.010 --> 00:02:59.310
can be used to control the flow of traffic

56
00:02:59.310 --> 00:03:02.610
in and out of these cloud-based networks,

57
00:03:02.610 --> 00:03:07.610
providing granular control over network access and security.

58
00:03:07.770 --> 00:03:10.110
Network access control lists

59
00:03:10.110 --> 00:03:12.630
are applied at the subnet level,

60
00:03:12.630 --> 00:03:17.490
filtering traffic based on predefined allow or deny rules,

61
00:03:17.490 --> 00:03:20.280
similar to access control lists.

62
00:03:20.280 --> 00:03:23.430
Organizations may also use segmentation

63
00:03:23.430 --> 00:03:25.770
within internal environments,

64
00:03:25.770 --> 00:03:30.510
such as production, staging, and guest environments.

65
00:03:30.510 --> 00:03:33.660
Production environments are the live systems

66
00:03:33.660 --> 00:03:35.430
used by customers.

67
00:03:35.430 --> 00:03:39.810
Staging environments are used for testing before going live.

68
00:03:39.810 --> 00:03:43.410
A guest environment is another form of segmentation

69
00:03:43.410 --> 00:03:45.090
used for visitors,

70
00:03:45.090 --> 00:03:48.360
granting them limited access to the network

71
00:03:48.360 --> 00:03:51.510
without exposing internal resources.

72
00:03:51.510 --> 00:03:55.260
These segmented environments help control access

73
00:03:55.260 --> 00:03:57.540
and protect critical systems

74
00:03:57.540 --> 00:04:01.680
by limiting what resources users can interact with.

75
00:04:01.680 --> 00:04:04.800
Finally, peer-to-peer segmentation,

76
00:04:04.800 --> 00:04:08.010
which is less common in enterprise environments

77
00:04:08.010 --> 00:04:10.440
because it lacks the granular control

78
00:04:10.440 --> 00:04:12.660
of more advanced segmentation methods,

79
00:04:12.660 --> 00:04:16.800
allows devices to connect directly to each other.

80
00:04:16.800 --> 00:04:20.580
This direct connectivity is hard to secure,

81
00:04:20.580 --> 00:04:24.210
so if peer-to-peer communication is necessary,

82
00:04:24.210 --> 00:04:28.200
it can be segmented using a virtual local area network

83
00:04:28.200 --> 00:04:29.880
in a traditional network,

84
00:04:29.880 --> 00:04:33.270
or a virtual private cloud and virtual network

85
00:04:33.270 --> 00:04:35.460
in cloud-based environments.

86
00:04:35.460 --> 00:04:38.820
Second, we have micro-segmentation.

87
00:04:38.820 --> 00:04:41.910
Micro-segmentation creates smaller zones

88
00:04:41.910 --> 00:04:44.820
within data centers and cloud environments

89
00:04:44.820 --> 00:04:47.730
to isolate workloads from each other

90
00:04:47.730 --> 00:04:50.040
and secure them individually.

91
00:04:50.040 --> 00:04:54.270
This allows system administrators to set policies

92
00:04:54.270 --> 00:04:58.050
that limit traffic between different parts of the network

93
00:04:58.050 --> 00:05:00.600
using a zero trust approach.

94
00:05:00.600 --> 00:05:02.580
With micro-segmentation,

95
00:05:02.580 --> 00:05:06.060
administrators can apply security policies

96
00:05:06.060 --> 00:05:09.540
based on server roles, application tags,

97
00:05:09.540 --> 00:05:11.460
and security templates.

98
00:05:11.460 --> 00:05:13.320
This method ensures

99
00:05:13.320 --> 00:05:16.590
that even if an attacker breaches one system,

100
00:05:16.590 --> 00:05:20.430
they are confined to that specific micro-segment

101
00:05:20.430 --> 00:05:24.300
and cannot move freely across the entire network.

102
00:05:24.300 --> 00:05:28.560
For example, imagine you have two different applications

103
00:05:28.560 --> 00:05:30.960
running in your cloud environment,

104
00:05:30.960 --> 00:05:34.020
like a database and a web server.

105
00:05:34.020 --> 00:05:35.940
With micro-segmentation,

106
00:05:35.940 --> 00:05:39.330
even if an attacker gains access to the web server,

107
00:05:39.330 --> 00:05:42.780
they will be isolated within that specific zone

108
00:05:42.780 --> 00:05:45.600
and will not be able to reach the database

109
00:05:45.600 --> 00:05:47.730
or other critical systems.

110
00:05:47.730 --> 00:05:51.480
This reduces the chances of widespread damage

111
00:05:51.480 --> 00:05:55.440
and makes it easier to contain security incidents.

112
00:05:55.440 --> 00:05:58.230
Micro-segmentation also provides

113
00:05:58.230 --> 00:06:00.600
full accountability and control,

114
00:06:00.600 --> 00:06:05.010
with an automatic audit trail for every action taken.

115
00:06:05.010 --> 00:06:09.690
So remember, segmentation divides a network

116
00:06:09.690 --> 00:06:11.640
into distinct zones

117
00:06:11.640 --> 00:06:15.930
to control and limit access between those different areas,

118
00:06:15.930 --> 00:06:19.920
improving security and reducing the attack surface.

119
00:06:19.920 --> 00:06:23.760
Micro-segmentation takes this approach further

120
00:06:23.760 --> 00:06:25.710
by creating even smaller,

121
00:06:25.710 --> 00:06:29.310
more granular zones within a larger network.

122
00:06:29.310 --> 00:06:33.540
With micro-segmentation, security policies can be applied

123
00:06:33.540 --> 00:06:35.910
at a very detailed level,

124
00:06:35.910 --> 00:06:39.990
isolating workloads and preventing unauthorized movement

125
00:06:39.990 --> 00:06:41.580
across the network.

126
00:06:41.580 --> 00:06:45.690
This enhances control and minimizes risks

127
00:06:45.690 --> 00:06:50.040
by restricting access to only specific segments.

128
00:06:50.040 --> 00:06:53.550
Both segmentation and micro-segmentation

129
00:06:53.550 --> 00:06:57.180
are key tools for maintaining strong security

130
00:06:57.180 --> 00:07:00.183
in complex network environments.

