Segmentation divides a computer network into smaller parts. The purpose is to improve network performance and security. Other terms that often mean the same thing are network segregation, network partitioning, and network isolation.
Segmentation works by controlling how traffic flows among the parts. You can stop all traffic in one part from reaching another, or you can limit the flow by traffic type, source, destination, and many other attributes. The set of decisions about how the network is divided and which traffic may cross between the parts is called a segmentation policy.
Imagine a large bank with several branch offices. The bank's security policy restricts branch employees from accessing its financial reporting system. Network segmentation can enforce that policy by preventing all branch traffic from reaching the financial system. Because traffic with no business on that system never reaches it, the system also performs better for the financial analysts who do use it.
Traditional technologies for segmentation include internal firewalls, and Access Control List (ACL) and Virtual Local Area Network (VLAN) configurations on networking equipment. These approaches work, but they are costly and hard to maintain: the policy is expressed in terms of IP addresses, subnets and VLAN IDs, so it is tied to the network topology and has to be reworked on every affected device whenever a host moves or a segment changes.
Today, software-defined access technology simplifies segmentation by grouping and tagging network traffic. It then uses traffic tags to enforce segmentation policy directly on the network equipment, yet without the complexity of traditional approaches.
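The following is an added example, not code from the original page or from any product it describes. It shows a segmentation policy of the kind described above, written in terms of segment tags (branch, analysts, finance, guest, medical) rather than addresses, with a default-deny between segments and the bank rule that branch traffic never reaches the finance segment. It then renders that tag-based policy into traditional IOS-style extended ACL lines keyed on addresses, which makes visible why address-based enforcement multiplies with every subnet and has to be regenerated when hosts move. All segment names, subnets and sample flows are constructed for illustration.

```python
"""Tag-based segmentation policy evaluated against sample flows, then
rendered as address-based ACL lines (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: which subnets belong to which segment tag.
# In a traditional design the subnet IS the segment; in a tag-based
# design the tag is assigned to the host and the subnets are incidental.
SEGMENTS = {
    "branch":   [ipaddress.ip_network("10.10.0.0/16")],
    "analysts": [ipaddress.ip_network("10.40.0.0/16")],
    "finance":  [ipaddress.ip_network("10.20.5.0/24")],
    "guest":    [ipaddress.ip_network("192.168.100.0/24")],
    "medical":  [ipaddress.ip_network("10.30.0.0/16")],
}


def segment_of(ip: str) -> str:
    """Classify a host address into a segment tag ("unknown" if unmapped)."""
    addr = ipaddress.ip_address(ip)
    for tag, nets in SEGMENTS.items():
        if any(addr in n for n in nets):
            return tag
    return "unknown"


@dataclass(frozen=True)
class Rule:
    src: str                    # source segment tag
    dst: str                    # destination segment tag
    proto: str = "any"          # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Segmentation policy (constructed). Only the listed cross-segment flows
# are permitted; there is deliberately no branch -> finance rule, which is
# how the bank's "branch staff cannot reach financial reporting" policy is
# enforced. Everything not listed is denied.
POLICY = [
    Rule("analysts", "finance", "tcp", 443),   # analysts use the reporting web UI
    Rule("medical", "analysts", "tcp", 514),   # device syslog to an analyst-run collector
]


def is_allowed(flow: Flow, policy=POLICY) -> bool:
    """Evaluate one flow against the policy: default deny between segments."""
    src_tag, dst_tag = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    if "unknown" in (src_tag, dst_tag):
        return False              # unclassified hosts get no cross-segment access
    if src_tag == dst_tag:
        return True               # intra-segment traffic is not filtered here
    return any(
        r.src == src_tag and r.dst == dst_tag
        and r.proto in ("any", flow.proto)
        and r.dport in (None, flow.dport)
        for r in policy
    )


def acl_lines(policy=POLICY) -> list:
    """Render the tag policy as IOS-style extended ACL lines.

    One line per (source subnet, destination subnet) pair: the address-based
    form grows with the product of the subnets behind each tag and must be
    regenerated whenever any of those subnets changes.
    """
    lines = []
    for r in policy:
        proto = "ip" if r.proto == "any" else r.proto
        for s in SEGMENTS[r.src]:
            for d in SEGMENTS[r.dst]:
                line = (f"permit {proto} {s.network_address} {s.hostmask} "
                        f"{d.network_address} {d.hostmask}")
                if r.dport is not None:
                    line += f" eq {r.dport}"
                lines.append(line)
    lines.append("deny ip any any")  # explicit default deny
    return lines


if __name__ == "__main__":
    for f in (Flow("10.10.3.4", "10.20.5.10", "tcp", 443),     # branch -> finance
              Flow("10.40.1.2", "10.20.5.10", "tcp", 443),     # analyst -> finance
              Flow("192.168.100.7", "10.30.2.2", "tcp", 80)):  # guest -> infusion pump
        print(f, "ALLOW" if is_allowed(f) else "DENY")
    print("\n".join(acl_lines()))
```

The policy itself has two rules; the ACL rendering already needs one `permit` per subnet pair plus the trailing `deny`, and every device that sits between those subnets needs its own copy. Adding a second subnet to the analysts segment would mean regenerating and redeploying all of them, which is the maintenance cost tag-based enforcement removes.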
Microsegmentation brings much more information into segmentation policy, such as application-layer attributes, and enforces it closer to the individual workload rather than only at subnet boundaries. This allows policies that are far more granular and flexible, tailored to the specific needs of an organization or of a single business application.
Segmentation reduces network congestion. For example, a hospital's medical devices can be segmented from its visitor network so that medical devices are unaffected by web browsing.
Segmentation improves cybersecurity by limiting how far an attack can spread, that is, by constraining lateral movement. For example, segmentation keeps a malware outbreak in one section from reaching systems in another, provided the policy between the two sections denies by default rather than merely blocking a few known-bad ports.
Segmentation can stop harmful traffic from reaching devices that are unable to protect themselves from attack. For example, a hospital's connected infusion pumps may not be designed with advanced security defenses. Network segmentation can stop harmful Internet traffic from ever reaching them.
Segmentation reduces the costs associated with regulatory compliance by limiting the number of in-scope systems. For example, segmentation separates the systems that process payments from those that don't. That way, the expensive compliance requirements and audit processes apply only to the in-scope systems, not the entire network. Auditors generally accept the reduced scope only when the segmentation is shown to be effective, so it has to be tested rather than just configured.