Introducing Picosegmentation

Microsegmentation was a good start—now let’s make it more secure and easier to maintain

By Barbara Tallent

The Introduction of Microsegmentation

Microsegmentation was first introduced around 2014 by VMware. The idea was simple: break up the network into smaller pieces so that if someone gets in, they don’t get everything. Instead of the attacker gaining access to your whole environment, they’re limited to one slice. It was a good idea at the time.

The idea started with the (Swiss) banks and the notion of a “network zoning concept.” The arrival of Software Defined Networking (SDN) presented a much easier way to create and manage all those zones.

Microsegmentation meant defining security around applications, environments, tiers, or groups of people. You would build smaller zones inside your network, often with software firewalls, and then write rules for what could talk to what. It was a step up from broader network segmentation, which mainly divided traffic by subnets or VLANs.

The Limitations of Microsegmentation

To say that microsegmentation is complex at scale is an understatement. In a world where we are constantly adding new IoT devices, AI agents, and AI models, microsegmentation architects must decide, for every one of those new elements, which segment it lives in and who may reach it from other segments, and then write all of the cross-segment rules that follow.

As an analogy, imagine that your city wanted to offer more protection to its citizens, so it built walls around each neighborhood and required authorization to cross those boundaries. If you and your friends want to take a hike in a different neighborhood, each of you needs authorization to cross. Now imagine a new AI service that many people want to use; for the analogy, call it a new rideshare business. That business must be authorized in every neighborhood individually. You can see how this would be extremely difficult to maintain over time.

Diagram 1: Microsegmentation in practice: Imagine a city with walls built around each neighborhood. To travel between neighborhoods, every individual and every service (like a new rideshare business) needs explicit authorization to cross each boundary. This results in a proliferation of complex, cross-functional rules, making the system difficult and time-consuming to maintain, and highly prone to errors.

Introducing Picosegmentation

Moving on with our analogy, imagine that, instead of putting walls between neighborhoods, each person was protected individually. You could have a policy manager in the city who decided what services would be accessible, but the control could be at the individual level. This is what the atPlatform provides for security. Each element including services, servers, cloud instances, AI agents, AI models, IoT devices, or humans can be individually protected. In our analogy, each person would decide who had access to them.

This vastly simplifies network management while increasing security. If a bad actor gets into one device, they get only that device; they cannot move laterally to other devices or services. This not only makes everything on the network safer, it also discourages attacks, because the payoff is so low.

This architecture of picosegmentation is Zero Trust by design: nothing on the network trusts anything else by default. The atPlatform is an implementation of picosegmentation that cryptographically authenticates who you are at every interaction. Additionally, the atPlatform switches the current model of “connect then authenticate” to “authenticate then connect,” further limiting the potential attack surface.

Illustration showing part two of the analogy, outlined in the caption below.
Diagram 2: Picosegmentation in action: Continuing the city analogy, instead of neighborhood walls, each individual citizen is protected. A central policy manager defines accessible services, but control is at the individual level. This translates to a vastly simplified network management model, where security is inherent at the individual element level (e.g., devices, services, AI agents), making lateral movement by attackers nearly impossible and greatly reducing the attack surface.

Network Segmentation vs. Microsegmentation vs. Picosegmentation

Here is an overview of the differences between network segmentation, microsegmentation, and picosegmentation, compared on how each works, its policy scope, its control layer, whether it delivers Zero Trust, and what maintenance looks like:

Network segmentation
  How it works: Subnets or VLANs (low protection), enforced with routers, ACLs, and firewalls (expensive and difficult to maintain)
  Policy scope: Per network segment (expensive and difficult to maintain)
  Control layer: Network
  Zero Trust: No (moderately secure)
  Maintenance: Static, difficult to change, manual (heavy, inefficient use of time)

Microsegmentation
  How it works: Workloads and zones (medium protection), enforced with software-defined zones (expensive and more difficult to maintain)
  Policy scope: Per app or workload (cumbersome rules based on software architecture)
  Control layer: SDN, virtual firewall
  Zero Trust: Partial (slightly more secure)
  Maintenance: Complex, rule heavy (heavy, inefficient use of time)

Picosegmentation
  How it works: Individual elements (high protection), enforced with identity-based access control (lower costs and maintenance)
  Policy scope: Per connection, per service (simplified logical rules based on business initiatives)
  Control layer: atPlatform Policy Engine
  Zero Trust: Yes (highest level of security available today)
  Maintenance: Dynamic, scalable (fast, efficient, and effective)

Implementation

The nice thing about network segmentation is that you can implement it over time, segmenting new networks as they come online. With microsegmentation, by contrast, you must decide up front how zones will be set up and then switch to microsegmentation across the board. That makes it a much larger project: time intensive and expensive.

Picosegmentation, however, is far simpler to implement. You can start with something simple like NoPorts and apply it first to your most critical resources, such as remote access for admins to important servers. As new services come online, such as AI agents or IoT resources, you can apply picosegmentation to anything new, then go back over time and bring the rest of your network under the same model.

Microsegmentation in Practice

Diagram showing a microsegmented enterprise network
Diagram 3: In a microsegmented enterprise network, security is applied at the Virtual Private Cloud (VPC) level for services like HR, Finance, and CRM. This means defining access rules and policies between these VPCs, often involving numerous firewall rules and Access Control Lists (ACLs) to control traffic flow. While an improvement over broad network segmentation, managing these inter-VPC rules becomes increasingly complex and burdensome as the number of services and connections grows.

Picosegmentation in Practice

Diagram showing picosegmentation in practice.

Diagram 4: With picosegmentation, the focus shifts to protecting individual elements within and across all VPCs. For HR, Finance, and CRM services, each interaction between any two elements (e.g., a user accessing a specific HR application, or a finance service interacting with a CRM module) is individually authenticated and authorized. This eliminates the need for complex firewall rules between VPCs, as security is enforced at the point of every connection, dramatically simplifying management while vastly enhancing overall security and limiting lateral movement.
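To make the contrast in Diagrams 3 and 4 concrete, here is an added example (illustrative code written for this edit, not atPlatform or NoPorts code) that evaluates the same access request under both models: a segment ACL keyed on source and destination address ranges, and a per-element policy in which every request must be authenticated and authorized before any channel is granted, matching the “authenticate then connect” model described above. The hosts, service names, CIDR ranges and keys are constructed for the example, and HMAC-SHA256 stands in for the per-element credential; that choice is an assumption for illustration, not a description of how the atPlatform authenticates.

```python
"""Segment-based ACL vs. identity-based per-connection authorization.

Added illustration for this article; not atPlatform or NoPorts code.
Hosts, ranges, service names and keys below are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets

# --- Model 1: microsegmentation-style ACL keyed on network location -------
# Constructed rule set. One legitimate HR payroll app needs Finance on 443,
# so the segment rule has to admit the whole HR address range.
SEGMENT_RULES = [
    ("10.1.0.0/16", "10.2.0.0/16", 443),   # HR VPC -> Finance VPC, HTTPS
    ("10.3.0.0/16", "10.2.0.0/16", 5432),  # CRM VPC -> Finance DB
]


def segment_acl_allows(rules, src_ip, dst_ip, port):
    """Allow if any (src CIDR, dst CIDR, port) rule matches.

    Identity plays no part: any host inside the source range inherits
    the access, which is exactly the lateral-movement path."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(
        src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) and port == p
        for s, d, p in rules
    )


# --- Model 2: picosegmentation-style identity policy ---------------------
# Each element holds its own key; policy names elements, not addresses.
# Assumption: HMAC-SHA256 with a per-element secret stands in for the
# credential. A real deployment would use asymmetric keys.
ELEMENT_KEYS = {
    "hr-payroll-app": secrets.token_bytes(32),
    "hr-host-07": secrets.token_bytes(32),   # the host the attacker compromised
    "finance-api": secrets.token_bytes(32),
}
IDENTITY_POLICY = {
    ("hr-payroll-app", "finance-api"),       # the only approved pairing
}


def sign_request(requester, service, nonce, key):
    """Bind requester, target service and a fresh nonce to the requester's key."""
    msg = f"{requester}|{service}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PolicyEngine:
    """Authenticate, then authorize, and only then would a channel be opened."""

    def __init__(self, keys, policy):
        self.keys, self.policy, self.seen = keys, policy, set()

    def decide(self, requester, service, nonce, sig):
        key = self.keys.get(requester)
        if key is None:
            return "deny: unknown identity"
        expected = sign_request(requester, service, nonce, key)
        if not hmac.compare_digest(expected, sig):
            return "deny: bad signature"
        if nonce in self.seen:                 # replayed request
            return "deny: replay"
        self.seen.add(nonce)
        if (requester, service) not in self.policy:
            return "deny: no policy for this pair"
        return "allow"


def demo():
    """Run the attacker's and the legitimate app's requests under both models."""
    results = {}
    # Attacker on a compromised HR host: the segment ACL lets it reach Finance.
    results["acl_lateral_move"] = segment_acl_allows(SEGMENT_RULES, "10.1.0.7", "10.2.0.5", 443)

    engine = PolicyEngine(ELEMENT_KEYS, IDENTITY_POLICY)
    n1 = secrets.token_hex(8)
    sig1 = sign_request("hr-payroll-app", "finance-api", n1, ELEMENT_KEYS["hr-payroll-app"])
    results["payroll_ok"] = engine.decide("hr-payroll-app", "finance-api", n1, sig1)
    results["replay"] = engine.decide("hr-payroll-app", "finance-api", n1, sig1)

    # Compromised host using its own credential: authenticated, not authorized.
    n2 = secrets.token_hex(8)
    sig2 = sign_request("hr-host-07", "finance-api", n2, ELEMENT_KEYS["hr-host-07"])
    results["host07_own_key"] = engine.decide("hr-host-07", "finance-api", n2, sig2)

    # Compromised host impersonating the payroll app without its key.
    n3 = secrets.token_hex(8)
    sig3 = sign_request("hr-payroll-app", "finance-api", n3, ELEMENT_KEYS["hr-host-07"])
    results["host07_forged"] = engine.decide("hr-payroll-app", "finance-api", n3, sig3)

    results["rogue"] = engine.decide("rogue-box", "finance-api", "x", "00")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Under the ACL, the compromised host is indistinguishable from the payroll app because both sit in the HR range, so the request is allowed. Under the per-element policy the same host is authenticated as itself and then refused, and its attempt to impersonate the payroll app fails on the signature before any policy lookup happens. Widening access in the second model means adding one (requester, service) pair, not a new range rule on every boundary the traffic crosses.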

Try out picosegmentation today by using a 30-day free trial of NoPorts.