
Choose Your (Microsegmentation) Weapon
At ColorTokens, we’re proud that our Xshield Enterprise Microsegmentation Platform™ has been included in the 2025 Constellation Research Shortlist for Microsegmentation. This report benefits CISOs and CIOs by narrowing their search for a microsegmentation solution to six leading vendors, potentially saving them time in the selection process and increasing their odds of implementing their zero trust security project on a strong technology foundation.
Of course, the report still leaves some evaluation work to do before choosing one of the shortlisted solutions. This raises the question: how should a tech leader decide which of the six solutions best fits their particular needs and network environment? After all, the microsegmentation vendors wouldn’t be on Constellation’s Shortlist if they didn’t work, but some are better suited to certain use cases and enterprise architectures.
The Shortlist companies take different architectural approaches to solving the problem of zero trust microsegmentation, and, as in any technical architecture decision, there are pros and cons, benefits and tradeoffs.
One way to think about how a microsegmentation solution will fit into your enterprise landscape is to consider the policy decision point and the policy enforcement points the solution employs. The benefit of microsegmentation is that it stops the lateral movement of an attack by enforcing traffic policies at enforcement points throughout the landscape.
One of the solutions on the Shortlist, Elisity, enforces policies directly on the network switches, and its control software may run in an external VM or directly on the switch’s application platform. This offers granular switch-level traffic controls, but beware: it also means there is a very specific list of switch brands, models, and even firmware versions on which the solution can run. If your switch hardware is a couple of years old, this could require a very expensive upgrade cycle to the newer switches on the list. If all your switch hardware is among the dozen or so supported models, no problem, you can implement this method. Of course, you will have to be sure you can satisfy any firmware upgrade dependencies required by future releases from the microsegmentation vendor. Also, the solution consumes processing power on the switch CPU, which may leave it without the capacity to run other management utilities you want to load on those switches.
Another of the solutions, Zscaler, controls lateral movement by routing all traffic through their proprietary communications connector. While this does provide effective enforcement of zero trust traffic policies, since all traffic must go through the connector, it introduces a new point of failure, which would require a replication strategy. Some organizations will be uncomfortable with the idea that the solution’s communications broker is in the critical path for all communications in their enterprise. Since there are no point-to-point communications, if it goes down, their enterprise business processes are shut down for the duration. This architectural approach also introduces latency, however small, because every communication must be backhauled through the connector. Finally, there are cost considerations; high bandwidth systems will need bigger and beefier VMs to run the proprietary connector, and there may also be increased connector pricing for larger throughput environments.
The other four short-listed solutions use a cloud engine for policy management and software installed on the on-premise servers and workstations to enforce traffic policies. Installing this software involves a scope of effort, and, in some organizations, installation will require cooperation between the security team and the network infrastructure team, which may be a cultural challenge.
These solutions leverage cloud-native controls as enforcement points for cloud workloads in AWS, GCP, and Azure. Some of them can enforce policy for Kubernetes containers as well.
In these four solutions’ architectures, the cloud-based SaaS policy engine is not in the critical path for communications. If the engine is down or internet connectivity to it fails, your enterprise continues to operate with the zero trust policies that were last configured still in force.
One of the solutions in this category, Akamai-Guardicore, installs a proprietary firewall on the hosts in the environment. The other three, ColorTokens Xshield, Illumio, and Cisco CSW, use lightweight agents that push firewall rules to the built-in firewalls in Windows (WFP), Linux (iptables), and macOS. One downside of the proprietary firewall approach is that sticklers for the Zero Trust standard described in NIST Special Publication 800-207 interpret it as encouraging the use of standard architecture components and discouraging proprietary solutions and vendor lock-in (discussed in section 5.6 of the Zero Trust Architecture document). Using a proprietary firewall installed on every host also introduces complications during the normal operating system upgrade cycle: the proprietary firewall may need to be patched or reinstalled when the OS is upgraded. The API interfaces to the native host firewalls that the agent-based approach uses are typically more stable by design and don’t change with OS upgrades.
Of the agent-based solutions, ColorTokens Xshield has an architectural advantage if your enterprise landscape includes Internet-of-Things devices or Operational Technology/Cyber-Physical Systems. Modern enterprises increasingly include these types of devices, which are often undefended. With their plethora of networked medical devices, healthcare organizations are especially vulnerable to OT/IoMT attacks. With Xshield, manufacturing firms can have a unified approach to microsegmentation for both their IT network and their industrial control systems. ColorTokens has taken pains to be a comprehensive microsegmentation solution covering your IT, IoT, and OT networks. The philosophy is that it doesn’t matter how good the lock is on the gate; if it’s not connected to a continuous fence, the hackers will just walk around the gate.
ColorTokens has an agentless Gatekeeper appliance that serves as the default gateway for IoT and OT devices on which you cannot install an agent. This is important because attackers increasingly breach the enterprise by exploiting devices such as smart TVs, surveillance cameras, and physical access control devices. The other vendors in the category don’t have a native solution to enforce traffic policies on these devices; they partner with third-party solutions to cover them. This leads to a more complex microsegmentation deployment with multiple management consoles, greater cost, and the chance for an error in policy definition across the disparate systems. The Xshield Gatekeeper appliance may be installed on the shop floor as a discrete device, or it can be installed in the data center as a virtual machine. This latter deployment style is useful for enforcing microsegmentation policy on legacy operating system devices that are out of support, unpatched, and cannot support an agent.
We hope this breakdown of the different architectural approaches to microsegmentation is helpful in determining which solution would best fit your enterprise landscape and your security priorities. If you would like to discuss this with our expert solutions team, we’re at your service: www.colortokens/contact-us
*** This is a Security Bloggers Network syndicated blog from ColorTokens authored by Bob Palmer. Read the original post at: https://colortokens.com/blogs/constellation-research-shortlist-microsegmentation-vendors/