What is Identity Segmentation?
Identities (i.e., users: human accounts, service accounts, privileged accounts) are one of the key pillars in the Zero Trust security framework. With over 80% of attacks leveraging user credentials, the perimeter should move closer to the user — the “last line of defense.”
Identity segmentation is a method to restrict access to applications/resources based on identities.
Identity Segmentation vs. Identity-Based Segmentation
It’s important to note that CrowdStrike’s definition of identity segmentation is different from Gartner’s “identity-based segmentation.” CrowdStrike’s identity segmentation enforces risk-based policies to restrict resource access, based on workforce identities.
Gartner’s identity-based segmentation, on the other hand, is essentially a microsegmentation technique that enforces policies based on “application/workload identity,” like tags and labels, and may have to be manually defined at the configuration stage. It has nothing to do with workforce identities.
Identity Segmentation vs. Network Segmentation
Below we outline the difference in functionality between network segmentation and identity segmentation:
| Function | Network Segmentation | Identity Segmentation |
|---|---|---|
| Visibility and Security Control | Covers network connections and zones | Covers user identity, attack path visibility, authentication footprint, behavior and risk |
| Policies | Policies are applied on workload identities, ports and IP addresses connecting to the resource/workload | Policies are applied on identities based on behavior, risk and over 100 analytics |
| Legacy System Protection | Protection for legacy systems can be tricky (e.g., ransomware attack initiating lateral movement using compromised credentials) | Protects legacy resources and proprietary applications by extending risk-based identity verification (multifactor authentication) |
| Operationalization | Is limited by network scope and application type, especially for SaaS applications and private clouds There’s additional complexity when creating zones and enforcing policies | Protects on-premises and SaaS applications, regardless of their location |
| Integrations | Threat intel integration, behavior and other integrations are required to enforce access controls | Built-in, real-time threat intelligence, threat detection and prevention is powered by the CrowdStrike Security Cloud for all autoclassified workforce identities, whether on on-premises Active Directory (AD) or in the cloud (Entra ID) APIs integrate with SSO and federation solutions, like Okta, AD FS and PingFederate, and several other security tools like UEBA, SIEM, SOAR and many others |
CrowdStrike’s Approach to Identity Protection
CrowdStrike Falcon Identity Protection shifts the perimeter closer to the “last line of defense” with identity segmentation by:
- Providing granular multi-directory visibility and continuous insights into every account
- Auto-classifying every account: human user, service accounts, privileged accounts, accounts with compromised passwords, stale user accounts and many more
- Identifying security gaps based on individual risk scores from over 100 behavior analytics
- Enabling attack path visibility to detect threats across the multiple stages in the kill chain including reconnaissance, lateral movement and persistence
- Enforcing segmentation policies to restrict access to resources based on identity
Network Segmentation vs. Identity Segmentation
Download this white paper to understand CrowdStrike’s approach to identity segmentation.
Download Now
