How to Avoid These Five Common, but Costly Micro-Segmentation Mistakes - Part 3

Erik Giesa

Mistake #3: Separating Cloaking, Connectivity, and Encryption


A workable and effective solution for micro-segmentation comes down to the following simple mathematical formula:

Cloaking + Connectivity + Encryption = Successful Micro-Segmentation Solution (SMSS)

Take away any of those three critical elements and the formula just doesn’t work.

For instance, if cloaking is absent, your network remains exposed to attacker reconnaissance, leaving discovery points an intruder can use. When connectivity is unreliable and proper failover is lacking, you risk lost productivity or outright downtime. Lastly, segmentation without encryption makes no sense at all.

After all, what good is the ability to isolate your network down to the device level if the endpoints themselves are not kept safe? That’s like online banking without passwords, not requiring age verification to buy liquor, or operating a United States Military Abrams M1A2 tank with no armor.

When approaching a micro-segmentation solution for your organization, be comprehensive and make sure the project includes all three elements critical to a workable solution: cloaking, connectivity, and encryption.

Position yourself for success by asking some key questions.

How does the proposed solution authenticate, authorize, and account for connections between endpoints?

A session between two endpoints should only be established after the connection has been transparently authenticated, authorized, and accounted for. If authorization is not granted for any reason, the endpoints should not connect and should remain invisible to one another.

No authorization = No connection + No visibility (cloaking)
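The gate described above, written out as an added example (this is illustrative code, not Tempered Networks’ product or the Host Identity Protocol): a session request is authenticated, then authorized against a default-deny policy, and every decision is accounted for. The identities, pre-shared keys and allowlist are constructed for the illustration; a real deployment would prove identity with device certificates or HIP host identities rather than an HMAC over a pre-shared secret. The point the code makes is that an unauthenticated and an unauthorized initiator receive exactly the same thing, nothing, so the responder stays invisible to both, while the audit record still distinguishes the two cases.

```python
"""Default-deny session gate: authenticate, authorize, account, then connect.

Added example. Keys and policy below are constructed, not real values.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed: each endpoint identity and the secret it proves itself with.
ENDPOINT_KEYS = {
    "plc-01": b"constructed-key-plc-01",
    "hmi-07": b"constructed-key-hmi-07",
    "laptop-42": b"constructed-key-laptop-42",
}

# Constructed, directional allowlist: only (initiator, responder) pairs
# listed here may ever establish a session. Everything else is denied.
POLICY = {("hmi-07", "plc-01")}


def prove(ident: str, nonce: bytes) -> bytes:
    """Initiator side: proof of identity over a fresh nonce (stand-in for a
    certificate-based handshake)."""
    return hmac.new(ENDPOINT_KEYS[ident], nonce, hashlib.sha256).digest()


@dataclass
class SessionGate:
    audit: list = field(default_factory=list)

    def authenticate(self, ident: str, nonce: bytes, proof: bytes) -> bool:
        key = ENDPOINT_KEYS.get(ident)
        if key is None:
            return False  # unknown identity: treat exactly like a bad proof
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)  # constant-time compare

    def authorize(self, src: str, dst: str) -> bool:
        return (src, dst) in POLICY

    def account(self, src: str, dst: str, outcome: str) -> None:
        # Accounting happens for every decision, allowed or dropped, so the
        # audit trail shows reconnaissance attempts the initiator never sees.
        self.audit.append(
            {"ts": time.time(), "src": src, "dst": dst, "outcome": outcome}
        )

    def request_session(self, src: str, nonce: bytes, proof: bytes, dst: str):
        """Returns session parameters on success, or None with no reply sent.

        Both failure paths return the same None: the initiator cannot tell
        "you are not who you claim" from "you may not talk to that host",
        and the responder is never revealed (cloaking).
        """
        if not self.authenticate(src, nonce, proof):
            self.account(src, dst, "drop:unauthenticated")
            return None
        if not self.authorize(src, dst):
            self.account(src, dst, "drop:unauthorized")
            return None
        self.account(src, dst, "allow")
        # Only an authenticated, authorized pair gets a session, and that
        # session is encrypted by construction.
        return {"src": src, "dst": dst, "encrypted": True}


if __name__ == "__main__":
    gate = SessionGate()
    nonce = b"constructed-nonce-0001"
    print(gate.request_session("hmi-07", nonce, prove("hmi-07", nonce), "plc-01"))
    print(gate.request_session("laptop-42", nonce, prove("laptop-42", nonce), "plc-01"))
    print(gate.request_session("intruder", nonce, b"\x00" * 32, "plc-01"))
    for entry in gate.audit:
        print(entry["src"], "->", entry["dst"], entry["outcome"])
```

Because the policy is directional, the reverse pair (plc-01 initiating to hmi-07) is also dropped as unauthorized, which is the behaviour you want when only the operator station should ever open sessions to the controller.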

Is human intervention required to establish a session?

If your proposed solution involves human intervention to establish a session, unnecessary cost and complexity are likely to overwhelm your network and the staff managing it—and your budget. Connections should be established with failover protection from anywhere in the world, including endpoints with private IP addresses.

What is required for a solution to overcome Network Address Translation (NAT) and Carrier Grade NAT (CGNAT) connectivity issues?

Most micro-segmentation projects that can’t easily overcome these barriers to connectivity come to a screeching halt or experience significant delays. Connections should be possible with proper authentication between any two endpoints, regardless of which network they reside in. If the proposed solution doesn’t accomplish this, it’s time to consider other options because connectivity issues could cripple your operational efficiency.

Is all data-in-motion encrypted, not only at the perimeter but adjacent to and on endpoints regardless of network or device type?

All data-in-motion should be automatically encrypted at any point in the network. If your proposed solution permits encryption only at the perimeter, you most likely have a firewall or a VPN being mistakenly used as a micro-segmentation solution (see Mistake #1 for more info on that bugaboo).

A Well-Tempered Solution

At Tempered Networks, we provide micro-segmentation that effectively cloaks, connects, and encrypts your network. Our solution automatically authenticates endpoints before session establishment with unmatched mobility throughout your entire network environment. NATs and CGNATs pose no barriers to connectivity. And data-in-motion is encrypted well beyond the perimeter with our Identity Defined Networking (IDN) solution using state-of-the-art Host Identity Protocol (HIP) technology.

I’ll leave you with one last mathematical formula to consider:


Contact us today to fully customize a micro-segmentation project for your organization that truly understands the comprehensive nature of a well-tempered, successful micro-segmentation solution.