What is Identity Segmentation?

Identities (human user accounts, service accounts and privileged accounts) are one of the key pillars of the Zero Trust security framework. With over 80% of attacks leveraging user credentials, the perimeter should move closer to the user, the "last line of defense."

Identity segmentation is a method of restricting access to applications and resources based on the identity making the request and the risk associated with it, rather than on the network location the request comes from.

Identity Segmentation vs. Identity-Based Segmentation

It’s important to note that CrowdStrike’s definition of identity segmentation is different from Gartner’s “identity-based segmentation.” CrowdStrike’s identity segmentation enforces risk-based policies to restrict resource access, based on workforce identities.

Gartner’s identity-based segmentation, on the other hand, is essentially a microsegmentation technique that enforces policies based on “application/workload identity,” like tags and labels, and may have to be manually defined at the configuration stage. It has nothing to do with workforce identities.

Identity Segmentation vs. Network Segmentation

Below we outline the difference in functionality between network segmentation and identity segmentation, function by function:

Visibility and Security Control
  • Network segmentation: Covers network connections and zones
  • Identity segmentation: Covers user identity, attack-path visibility, authentication footprint, behavior and risk

Policies
  • Network segmentation: Policies are applied to workload identities, ports and IP addresses connecting to the resource/workload
  • Identity segmentation: Policies are applied to identities based on behavior, risk and over 100 analytics

Legacy System Protection
  • Network segmentation: Protection for legacy systems can be tricky (e.g., a ransomware attack initiating lateral movement using compromised credentials)
  • Identity segmentation: Protects legacy resources and proprietary applications by extending risk-based identity verification (multifactor authentication) to them

Operationalization
  • Network segmentation: Limited by network scope and application type, especially for SaaS applications and private clouds. Creating zones and enforcing policies adds further complexity
  • Identity segmentation: Protects on-premises and SaaS applications regardless of their location

Integrations
  • Network segmentation: Threat intel, behavior and other integrations are required to enforce access controls
  • Identity segmentation: Built-in, real-time threat intelligence, threat detection and prevention powered by the CrowdStrike Security Cloud for all auto-classified workforce identities, whether in on-premises Active Directory (AD) or in the cloud (Entra ID). APIs integrate with SSO and federation solutions such as Okta, AD FS and PingFederate, and with other security tools such as UEBA, SIEM and SOAR

CrowdStrike's Approach to Identity Protection

CrowdStrike Falcon Identity Protection shifts the perimeter closer to the “last line of defense” with identity segmentation by:

  • Providing granular multi-directory visibility and continuous insights into every account
  • Auto-classifying every account: human users, service accounts, privileged accounts, accounts with compromised passwords, stale user accounts and more
  • Identifying security gaps based on individual risk scores derived from over 100 behavior analytics
  • Enabling attack-path visibility to detect threats across multiple stages of the kill chain, including reconnaissance, lateral movement and persistence
  • Enforcing segmentation policies that restrict access to resources based on identity and risk
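As an added illustration (not CrowdStrike code and not the Falcon policy model), the following Python sketches how the classification and enforcement steps above fit together: each account is auto-tagged from its properties (account type, risk score, password status, last logon), and an ordered, deny-first policy returns allow, step-up MFA or deny for a given identity and resource, keyed on who is asking rather than on a source IP. The tag names, the 0-100 risk scale, the 90-day staleness threshold, the risk threshold and every sample account and resource are constructed assumptions for the example.

```python
"""Toy identity-segmentation policy engine (constructed illustration, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Kind(Enum):
    HUMAN = "human"
    SERVICE = "service"
    PRIVILEGED = "privileged"


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"   # extend MFA even to apps with no native MFA support
    DENY = "deny"


@dataclass
class Identity:
    name: str
    kind: Kind
    risk_score: int               # assumed 0-100 scale produced by behaviour analytics
    last_logon: datetime
    password_compromised: bool = False


@dataclass
class Resource:
    name: str
    sensitivity: str              # assumed labels: "low" or "high"
    interactive: bool = True      # interactive logon vs. programmatic access


STALE_AFTER = timedelta(days=90)  # assumed staleness threshold
HIGH_RISK = 70                    # assumed step-up threshold on the risk score


def classify(identity: Identity, now: datetime) -> set[str]:
    """Auto-classification: derive policy tags from the account's observed properties."""
    tags = {identity.kind.value}
    if identity.password_compromised:
        tags.add("compromised-password")
    if now - identity.last_logon > STALE_AFTER:
        tags.add("stale")
    if identity.risk_score >= HIGH_RISK:
        tags.add("high-risk")
    return tags


def evaluate(identity: Identity, resource: Resource, now: datetime) -> tuple[Decision, str]:
    """Ordered, deny-first policy: the first matching rule decides the outcome."""
    tags = classify(identity, now)
    # Hard blocks: these accounts reach nothing until remediated.
    if "compromised-password" in tags:
        return Decision.DENY, "credential known compromised; force a reset"
    if "stale" in tags:
        return Decision.DENY, "stale account; disable or re-certify"
    # Segmentation by account type: service accounts never log on interactively.
    if "service" in tags and resource.interactive:
        return Decision.DENY, "service account attempted interactive logon"
    # Risk-based step-up: privileged access to sensitive resources, or any high-risk user.
    if "privileged" in tags and resource.sensitivity == "high":
        return Decision.STEP_UP_MFA, "privileged access to a sensitive resource"
    if "high-risk" in tags:
        return Decision.STEP_UP_MFA, f"risk score {identity.risk_score} >= {HIGH_RISK}"
    return Decision.ALLOW, "within baseline"


# Constructed sample directory and resources (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
IDENTITIES = {
    "alice": Identity("alice", Kind.HUMAN, 10, NOW - timedelta(days=1)),
    "bob": Identity("bob", Kind.HUMAN, 85, NOW - timedelta(days=1)),
    "svc_backup": Identity("svc_backup", Kind.SERVICE, 5, NOW - timedelta(hours=2)),
    "adm_carol": Identity("adm_carol", Kind.PRIVILEGED, 20, NOW - timedelta(days=3)),
    "dave": Identity("dave", Kind.HUMAN, 0, NOW - timedelta(days=200)),
    "eve": Identity("eve", Kind.HUMAN, 30, NOW - timedelta(days=1), password_compromised=True),
}
RESOURCES = {
    "legacy_erp": Resource("legacy_erp", "high", interactive=True),   # no native MFA
    "file_share": Resource("file_share", "low", interactive=False),
    "workstation": Resource("workstation", "low", interactive=True),
}


def run_scenarios() -> dict[str, Decision]:
    """Evaluate a fixed set of access attempts; returns {"user->resource": Decision}."""
    attempts = [
        ("alice", "legacy_erp"), ("bob", "legacy_erp"),
        ("svc_backup", "workstation"), ("svc_backup", "file_share"),
        ("adm_carol", "legacy_erp"), ("adm_carol", "file_share"),
        ("dave", "file_share"), ("eve", "file_share"),
    ]
    return {f"{u}->{r}": evaluate(IDENTITIES[u], RESOURCES[r], NOW)[0] for u, r in attempts}


if __name__ == "__main__":
    for attempt, decision in run_scenarios().items():
        print(f"{attempt:28s} {decision.value}")
```

The ordering of the rules is the security-relevant part: blocks for compromised or stale accounts are checked before any risk scoring so that a low risk score can never rescue a credential already known to be bad, and the step-up rule applies to the legacy ERP even though that application cannot prompt for MFA itself, which is the "extend risk-based verification to legacy resources" point from the comparison above.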