Microsegmentation Part 2: Implementation Strategies and Pitfalls

July, 2019 | 9 min read

Introduction

As organizations transition from microsegmentation theory to implementation, new challenges and opportunities arise. This post builds on the foundational concepts introduced in Part 1, focusing on practical strategies for deploying microsegmentation across diverse network environments.

Choosing the Right Segmentation Model

The success of microsegmentation heavily depends on selecting the appropriate model. Organizations typically choose between agent-based, hypervisor-based, and network-based segmentation approaches. Each has distinct pros and cons depending on environment, workload type, and compliance requirements.

Agent-Based Approaches

Agent-based microsegmentation offers deep visibility and enforcement at the workload level. Solutions like Illumio or Guardicore rely on lightweight agents installed on endpoints to monitor and enforce policies. This model is especially effective in hybrid cloud deployments where traditional network perimeters no longer apply.

Hypervisor-Level Control

VMware NSX exemplifies hypervisor-based segmentation. By embedding controls at the virtualization layer, organizations can apply policy enforcement between VMs regardless of IP schema or physical location. This model is ideal for large virtualized data centers seeking granular east-west traffic control.

Network-Based Solutions

Traditional network appliances—firewalls, ACLs, segmentation switches—still play a role. Cisco’s TrustSec, for example, enables role-based access controls through network fabric integration. While less granular than workload-based methods, this approach can scale efficiently when paired with dynamic policy orchestration.

Policy Definition and Lifecycle

Defining policy is both a technical and organizational task. Policies should reflect business context, application criticality, and threat models. A zero trust posture suggests starting from deny-all, then allowing only what’s explicitly required. Continuous monitoring and policy refinement must follow initial implementation.

Tooling and Ecosystem Integration

Modern microsegmentation tools integrate with SIEMs, orchestration platforms, and CI/CD pipelines. Visibility platforms like Stealthwatch or ExtraHop help validate segmentation effectiveness. Automation and feedback loops reduce operational overhead and improve response to configuration drift or new threats.

Challenges and Pitfalls

• Overly aggressive policies: Starting with blanket denials can break application dependencies if not thoroughly mapped.
• Blind spots: Legacy systems or unmanaged workloads often fall outside segmentation scope.
• Operational fatigue: Poorly planned implementations can lead to alert fatigue or rule sprawl.
• Lack of stakeholder alignment: Without cross-functional buy-in, enforcement gaps or rollback pressures may arise.

Best Practices for Rollout

Begin with visibility mode. Use the first few weeks to analyze traffic flows and refine your application maps. Then, implement policy in stages—starting with non-critical workloads—and validate behavior. Enable enforcement gradually and monitor impacts.

Microsegmentation for Containers and Cloud

Microsegmentation in Kubernetes environments differs fundamentally. Tools like Calico, Cilium, and service mesh frameworks (e.g., Istio) provide identity-based segmentation at the pod or namespace level. In public clouds, security groups and native firewalls play key roles, though layered controls are often necessary.

Conclusion

Microsegmentation offers powerful controls but demands clear strategy, strong visibility, and continuous governance. The next and final post in this series will explore real-world case studies and advanced integration techniques to help mature your deployment model.

Eduardo Wnorowski is a network infrastructure consultant and Director.
With over 24 years of experience in IT and consulting, he helps organizations maintain stable and secure environments through proactive auditing, optimization, and strategic guidance.
LinkedIn Profile

Legacy Systems, Modern Demands: Approaches to Mainframe Integration

July, 2019  |  Reading Time: ~9 mins

Mainframes still run critical workloads in sectors like finance, government, and manufacturing. Despite being decades old, they continue to demonstrate unmatched reliability, scalability, and transactional performance. However, modern business demands – APIs, mobile access, cloud-native applications – require seamless integration between these legacy systems and modern platforms.

Understanding the Legacy Landscape

Many mainframes support COBOL, assembler, or RPG-based applications written in the 70s, 80s, and 90s. These applications are typically monolithic, highly optimized, and mission-critical. They often rely on terminal emulators or proprietary protocols like TN3270 for access.

Challenges include:

• Rigid interfaces and lack of modularity
• Limited documentation and tribal knowledge
• Performance risks in exposing core services externally

Modern Integration Approaches

To meet evolving IT requirements, organizations take various integration paths:

1. API Wrappers

Middleware tools can expose mainframe functions as RESTful APIs. These wrappers encapsulate legacy processes and allow mobile or web clients to invoke them securely without altering the base code.

2. MQ and Messaging Layers

IBM MQ, RabbitMQ, and other message brokers facilitate asynchronous communication between distributed services and mainframes. This decouples traffic spikes and improves system resilience.

3. ETL for Batch Processing

Data-centric systems often use extract-transform-load (ETL) pipelines to synchronize mainframe data with modern analytics platforms or data lakes for reporting and machine learning.

4. Coexistence via Hybrid Cloud

Hybrid approaches let mainframes handle core processing while cloud-native applications augment capabilities such as user interfaces, orchestration, or analytics. This balances stability and innovation.

Case Studies from the Field

A large bank exposes its credit evaluation logic via secure APIs to its mobile app, enabling real-time loan pre-approvals. Another government agency replicates mainframe data hourly to the cloud, providing constituents with real-time case status updates.

These examples show how mainframe integration unlocks agility while preserving core strength.

Security and Governance

Legacy systems often lack modern security postures. Integration requires strict identity management, encrypted communication, and API gateways to prevent unauthorized access or denial-of-service attacks.

Role-based access controls (RBAC), zero trust principles, and token-based authentication must wrap all exposed services.

Choosing the Right Strategy

There’s no one-size-fits-all. Factors influencing the strategy include:

• Age and maintainability of mainframe applications
• Risk tolerance and compliance landscape
• Scalability requirements
• Available integration tooling and expertise

Tools and Vendors

Popular tools include IBM z/OS Connect, Rocket LegaSuite, MuleSoft, and Red Hat Integration. Each addresses different portions of the integration stack – from protocol translation to data synchronization and orchestration.

The Road Ahead

Mainframe integration is not a modernization effort in isolation. It’s part of a broader enterprise digital strategy. With disciplined APIs, robust governance, and smart architectural decisions, organizations can turn legacy into leverage.

Eduardo Wnorowski is a network infrastructure consultant and Director.
With over 24 years of experience in IT and consulting, he helps organizations maintain stable and secure environments through proactive auditing, optimization, and strategic guidance.
LinkedIn Profile