Network segmentation and microsegmentation are proven security strategies for defending IT network infrastructure from a broad range of threats. By segmenting networks into smaller subnetworks and creating granular security policies for individual workloads, teams have been able to improve network security and to limit the blast radius of successful attacks.

Many security teams mistakenly believe that these same segmentation techniques won’t work in the cloud, due to the dynamic nature and unlimited scalability of cloud computing. However, as the cyberthreat landscape continues to evolve, a growing number of organizations are successfully implementing cloud infrastructure segmentation to protect their digital ecosystems.

Cloud infrastructure segmentation is the practice of dividing a cloud network into smaller, isolated segments or subnetworks. By ensuring the different parts of the network are isolated from each other, IT teams can more effectively control network traffic flows while reducing the attack surface, manage security more easily by minimizing the risk of unauthorized access, and limiting the spread of malware and cyberattacks.

Cloud network segmentation or microsegmentation creates logical boundaries within the cloud infrastructure using techniques and technologies that include virtual local area networks (VLANs), subnets, security groups, and network access control lists (ACLs). By segmenting and isolating individual workloads, applications, and resources, teams can exert granular control over network traffic and security policies while permitting only authorized entities to communicate with and access these assets.

The dynamic nature of the cloud means that cloud workloads may be more susceptible to external threats than on-premises resources are. According to the IBM Cost of a Data Breach Report 2024, 80% of breaches involved data that was stored in public cloud, private cloud, or hybrid cloud environments. As organizations migrate more workloads and applications to the cloud, investments and focus on cloud security will become more pronounced. Cloud infrastructure segmentation provides organizations with a highly effective way to reduce the risk of data breaches as well as the damage of successful cyberattacks.

To segment cloud infrastructure , teams can use virtual networks and subnets for virtual private clouds to dynamically assign new servers, security groups, and users to a new or existing zone within an IT environment. Security groups and network ACLs enable administrators to define rules for inbound and outbound traffic that effectively isolate resources and workloads, and control communication between segments. Firewalls and gateways can inspect network traffic flows and enforce security policies to prevent unauthorized communication.

Because cloud environments are dynamic and rapidly changing, organizations must integrate network security policies into change management technology to automatically track all objects in the network — IP addresses, users, security groups, and tags. A unified segmentation solution that combines controls for the physical network and on-premises data centers with the native controls for a cloud environment is ideal, as teams can automate security policy changes and thoroughly enforce consistent policies across the entire digital footprint.

When segmenting cloud infrastructure, organizations and their IT teams can:

• Improve security posture: Cloud segmentation policies are highly effective at blocking unauthorized access and preventing lateral movement by hackers or malware across an entire network. Segmentation also enables firewalls, security groups, and access controls for each segment to be configured with granular precision.

• Contain threats: When a security breach or malware infection occurs, segmentation successfully contains the threat and limits the blast radius to protect other parts of the network.

• Streamline regulatory compliance: Segmentation enables organizations to comply more easily with regulatory standards — and to demonstrate compliance — by ensuring that sensitive data is isolated and protected by stringent security controls. Many regulatory frameworks such as PCI DSS require segmentation to isolate sensitive data and systems.

• Improve performance: Cloud infrastructure segmentation has the potential to minimize network congestion by restricting network traffic and optimizing traffic flows within each segment.

• Simplify cloud management: Breaking large, complex networks into smaller, more manageable parts makes them easier to manage, simplifying the job of security teams and network administrators.

• Accelerate incident response: Segmentation enhances incident response capabilities by containing breaches to specific segments, alerting teams to potential threats earlier, and reducing the impact on the broader network.

• Protect cloud native architectures: As enterprises adopt cloud native architectures that enable workloads to be more portable, segmentation helps with the essential task of enforcing security policies to protect those architectures.

• Support Zero Trust security: By implementing least-privilege access, cloud infrastructure segmentation helps security teams to embrace a Zero Trust approach to cloud security.

Segmenting cloud infrastructure presents IT teams with several key challenges.

• Complex management tasks: Implementing and managing segmentation policies in multicloud and hybrid cloud environments can be highly complicated.

• Maintaining visibility: Visualizing and tracking segmented networks can be difficult when traffic flows and endpoints are distributed across multiple segments.

• Provisioning boundaries: The dynamic nature of the cloud means that provisioning and managing segment boundaries require constant monitoring and updating, which can strain resources and increase the chances of a misconfiguration that leads to a breach.

• Minimizing impact on performance: Some approaches to segmentation may route traffic through additional security measures and firewalls, potentially having an adverse impact on performance.

• Compatibility between environments: Ensuring compatibility between different cloud providers and on-premises systems is an ongoing challenge.

• Gaps in skills and expertise: Cloud infrastructure segmentation can require specialized knowledge and skills, which may mean additional hires or additional training for in-house security teams.

• Rising costs: The expense of implementing segmentation in a dynamic cloud environment may be high.

To overcome these challenges, IT and security teams require innovative solutions that can seamlessly implement security policy across different infrastructures and leverage automation to minimize the complexity and management burden of segmentation in the cloud.

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.