PECULIARITIES OF DESIGNING NETWORK MICROSEGMENTATION WHEN BUILDING A ZERO-TRUST ARCHITECTURE

DOI: 10.31673/2409-7292.2025.012325 (https://doi.org/10.31673/2409-7292.2025.012325)

Authors

  • Р. М. Сиротинський (Sirotynskyi R. M.), Information Security Department, Lviv Polytechnic National University
  • І. Я. Тишик (Tyshyk I. Ya.), Information Security Department, Lviv Polytechnic National University

Abstract

The paper describes approaches to implementing microsegmentation of an organization's corporate network in order to
ensure high-quality access control to its infrastructure elements and improve their management. Implementing network
microsegmentation to limit lateral (horizontal) movement between infrastructure elements is one of the key measures in
migrating to a zero-trust architecture. Microsegmentation ensures optimal network performance and allows effective management
of access to network resources, both at the edge and inside the network. It also makes it possible to isolate the organization's
critical resources from dangerous network connections, which reduces the risk of unauthorized access to them.
Implementing modern security models requires careful planning and design of network infrastructure microsegmentation.
This process changes the network architecture and brings security improvements together with a number of disadvantages: a
more complex topology, higher cost and complexity of implementation, and higher costs of maintaining and operating the
microsegmented infrastructure. The study analyzes the advantages and disadvantages of microsegmentation at different
granularities. Dense microsegmentation raises the security level of the corporate infrastructure as a whole when its individual
elements are compromised, whereas a coarsely segmented network infrastructure does not require significant resources, is easy to
maintain and generally does not reduce corporate network performance. A method for the analytical design of microsegmentation
is proposed that uses risk matrices as a tool for assessing corporate systems, determining the required level of security and
selecting the required size of a microsegment. An example of implementing microsegmentation in a typical infrastructure is
considered, together with the difference in its topology before and after the change. The reasons for and needs of optimizing
the initial microsegmentation design are analyzed, and options and approaches for optimizing the microsegmentation design of
corporate infrastructure are considered.
Keywords: microsegmentation, zero trust, network, firewall, infrastructure, granularity
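The granularity trade-off and the risk-matrix approach summarized in the abstract can be made concrete with a small segmentation planner. The Python below is an added example written for this page, not code from the paper or its authors, and the specific scheme is an assumption: a standard 5x5 likelihood-by-impact risk matrix bucketed into four levels, an assumed per-level cap on microsegment size, a default-deny allow-list derived from declared required flows, and a reachability count over the allowed flows standing in for the blast radius of a compromised host. The asset inventory and flows are constructed sample data.

```python
"""Risk-matrix-driven choice of microsegment size (illustrative example, not the paper's method).

Assumptions (not taken from the page): a 5x5 likelihood x impact matrix with four
risk levels, and an assumed policy that caps the number of hosts per microsegment
for each level so that a compromised high-risk host has as few neighbours as possible.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str        # e.g. "web", "app", "db", "mgmt" (constructed labels)
    likelihood: int  # 1..5, how likely the asset is to be compromised
    impact: int      # 1..5, consequence of its compromise


def risk_level(likelihood: int, impact: int) -> str:
    """Classic 5x5 risk matrix: score = likelihood * impact, bucketed into four levels."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


# Assumed design parameter: maximum hosts per microsegment for each risk level.
# Smaller caps mean finer granularity: a smaller blast radius but more policy to maintain.
MAX_SEGMENT_SIZE = {"critical": 1, "high": 2, "medium": 3, "low": 6}


def plan_segments(assets, max_size=MAX_SEGMENT_SIZE, by_risk=True):
    """Group assets by (tier, risk level) and split each group into chunks no larger
    than the cap for that level. With by_risk=False, one segment per tier (coarse plan).
    Returns {segment_id: [asset names]}."""
    groups = defaultdict(list)
    for a in sorted(assets, key=lambda a: a.name):
        level = risk_level(a.likelihood, a.impact) if by_risk else "any"
        groups[(a.tier, level)].append(a.name)
    segments = {}
    for (tier, level), names in sorted(groups.items()):
        cap = max_size.get(level, len(names))  # "any": no cap, whole tier is one segment
        for i in range(0, len(names), cap):
            segments[f"{tier}-{level}-{i // cap}"] = names[i:i + cap]
    return segments


def build_policy(segments, flows):
    """Default-deny allow-list between segments. `flows` are required
    (src_asset, dst_asset, port) tuples; traffic inside one segment needs no rule."""
    seg_of = {name: seg for seg, names in segments.items() for name in names}
    rules = set()
    for src, dst, port in flows:
        s, d = seg_of[src], seg_of[dst]
        if s != d:
            rules.add((s, d, port))
    return sorted(rules)


def reachable_from(asset, segments, rules):
    """Blast-radius proxy: every host a compromised `asset` could reach by following
    allowed inter-segment flows (plus its own segment mates)."""
    seg_of = {name: seg for seg, names in segments.items() for name in names}
    edges = defaultdict(set)
    for s, d, _port in rules:
        edges[s].add(d)
    seen, stack = set(), [seg_of[asset]]
    while stack:
        seg = stack.pop()
        if seg in seen:
            continue
        seen.add(seg)
        stack.extend(edges[seg])
    return sorted(name for seg in seen for name in segments[seg])


def summarize(segments, rules):
    """Trade-off metrics: number of segments and rules (operational cost) vs. largest segment."""
    return {
        "segments": len(segments),
        "rules": len(rules),
        "max_segment_size": max(len(v) for v in segments.values()),
    }


# Constructed sample inventory of a small three-tier application plus a bastion host.
SAMPLE_ASSETS = [
    Asset("web1", "web", 4, 2), Asset("web2", "web", 4, 2),
    Asset("app1", "app", 3, 4), Asset("app2", "app", 3, 4), Asset("app3", "app", 3, 4),
    Asset("db1", "db", 2, 5), Asset("db2", "db", 4, 5),
    Asset("bastion", "mgmt", 4, 5),
]
# Constructed required flows (src, dst, port); anything not listed is denied.
SAMPLE_FLOWS = [
    ("web1", "app1", 8443), ("web2", "app2", 8443),
    ("app1", "db1", 5432), ("app2", "db1", 5432), ("app1", "db2", 5432), ("app3", "db1", 5432),
    ("app1", "app2", 7000),  # same segment in the risk-driven plan: no inter-segment rule
    ("bastion", "db2", 22), ("bastion", "app1", 22), ("bastion", "app3", 22),
]

if __name__ == "__main__":
    fine = plan_segments(SAMPLE_ASSETS)
    fine_rules = build_policy(fine, SAMPLE_FLOWS)
    for seg, members in fine.items():
        print(seg, members)
    for rule in fine_rules:
        print("ALLOW", *rule)
    print("risk-driven:", summarize(fine, fine_rules), reachable_from("web1", fine, fine_rules))
    coarse = plan_segments(SAMPLE_ASSETS, by_risk=False)
    coarse_rules = build_policy(coarse, SAMPLE_FLOWS)
    print("per-tier:", summarize(coarse, coarse_rules), reachable_from("web1", coarse, coarse_rules))
```

Comparing the two summaries shows the trade-off the abstract describes: the risk-driven plan produces more segments and more rules (a more complex topology and more policy to maintain), while a compromised web server can reach fewer hosts than under the coarse per-tier plan. Tuning `MAX_SEGMENT_SIZE` is the knob that moves a design between those two extremes.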


Published

2025-05-09
