User Segmentation

Introduction

Endpoints today face significant security challenges, both when exposed to public networks and even within the corporate network. When outside the secure perimeter, such as during remote work or when connected to public Wi-Fi, endpoints are especially vulnerable to open ports and inbound traffic from malicious sources. Attackers can exploit these open ports to gain unauthorized access, execute attacks, or infect devices. Even inside the office, where endpoints are connected to the corporate network, inbound traffic remains a critical risk. Without proper controls, attackers can still access open ports and exploit vulnerable services on endpoints, allowing them to move laterally within the network. While outbound traffic can be controlled to limit data exfiltration, endpoints often remain exposed to unsanctioned inbound connections, which can serve as entry points for cyberattacks, making it essential to restrict and monitor both inbound and outbound traffic based on specific user identities and access needs.

Despite the critical role endpoints play in an organization’s security, there are significant gaps in how they are protected. For example, many endpoints have unrestricted open ports, allowing potentially malicious inbound traffic to bypass traditional defenses. A laptop used by an employee in a coffee shop might have an open port for remote desktop access, but without the proper restrictions, attackers could exploit this port to gain access. Additionally, lack of user-based controls often means that malicious software can communicate freely through inbound and outbound network flows, without being tied to a specific user’s identity or role. In office environments, endpoints are often trusted by default, making it easier for attackers to leverage insider credentials to move laterally across the network. Without adequate microsegmentation or access policies, attackers can exploit these vulnerabilities, even when the endpoint is behind a corporate firewall. These gaps leave endpoints susceptible to both external and internal threats, underscoring the need for a more robust, identity-driven approach to endpoint security.

Overview

User identity-based segmentation combines user identity and endpoint security to create a dynamic, granular security model that addresses the gaps in traditional approaches. As discussed, endpoints—whether remote or in-office—face significant risks from open ports, inbound traffic, and even credential-based attacks. By segmenting the network based on both who the user is and what endpoint they are using, organizations can enforce tighter controls on inbound and outbound traffic, reducing the attack surface. This approach ensures that even if an endpoint is exposed to the internet or compromised internally, access to sensitive resources is restricted based on user roles and context. For instance, an employee working remotely with an open port for secure access can have traffic restricted to only those services they need, while malicious inbound traffic is automatically blocked. This identity-driven segmentation effectively prevents unauthorized lateral movement and provides visibility and control over both inbound threats and outbound data flows.

Solution

Onboarding & Visualization

Our ColorTokens platform delivers a robust user identity-based microsegmentation solution that provides enterprises with fine-grained control over network traffic and endpoint security. The solution leverages user identity and endpoint data to dynamically control inbound and outbound traffic flows, ensuring that only authorized users can access sensitive resources—whether they are working remotely, in-office, or using point-of-sale machines. Below is an overview of how the user segmentation process works:

Integration with Identity Providers (IDPs)

The first step in setting up user identity-based microsegmentation is integrating with the enterprise's Identity Provider (IDP), such as Azure AD, Okta, or other supported systems. Our platform provides two ways to integrate:

  • SCIM Protocol: If your IDP supports the SCIM protocol, we can seamlessly import user and group data.
  • Custom Connector: For enterprises using Active Directory, a custom connector acts as a bridge. It reads data from Active Directory using LDAP and uses SCIM to push relevant user and group information to our platform.

User and User Group Import

Once the IDP is integrated, our platform automatically imports User and User Group information via SCIM. The User Principal Name (UPN) uniquely identifies each user, allowing the platform to accurately track and manage user activity.

Activation of Relevant User Groups

After importing users and groups, all user groups are initially inactive in the platform. This allows the Security Admin to selectively activate only those groups that are relevant for microsegmentation. For example, if your Azure AD contains many user groups, some of which are not needed for segmentation or are too broad, they can remain inactive. Only the active user groups will be considered in the segmentation policies, ensuring that network traffic is filtered and segmented according to the most relevant user roles.

Endpoint Agent Installation

Next, the Security Admin installs our platform's Endpoint Agent on all relevant devices—such as laptops, desktops, point-of-sale machines, or any other endpoint in the enterprise. The agent works by collecting telemetry data from the system, such as network traffic flows, open ports, and user login information.

Telemetry Data Collection and User Mapping

Once the endpoint agent is installed and active, it begins collecting data from the endpoint. It identifies the currently logged-in user and cross-references this with the user data imported from SCIM. If the logged-in user matches an imported user, the system records this login information and associates any relevant network activity with the correct user group.

Traffic Flow Classification

The platform categorizes network traffic into inbound and outbound flows:

Outbound Traffic: Any outbound traffic initiated by a logged-in user is automatically associated with the user group that the user belongs to. This ensures that the user’s activities—such as connecting to external services or resources—are logged and monitored according to their identity and role.

Inbound Traffic and Open Ports: Inbound traffic and open ports are always associated with the endpoint rather than a specific user group. This ensures that even if a malicious actor tries to exploit open ports on the endpoint, the device is monitored independently of user activity.
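The attribution rule described in the two items above, together with the SCIM cross-reference from the telemetry step, as an added example (not ColorTokens' own code): the endpoint id, UPNs, groups and telemetry records are constructed sample data, and the `Telemetry` record shape is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: SCIM-imported users (keyed by UPN) and their groups.
SCIM_USERS: Dict[str, Tuple[str, ...]] = {
    "alice@example.com": ("Finance",),
    "bob@example.com": ("Finance", "Sales"),
}


@dataclass(frozen=True)
class Telemetry:
    """One record reported by the endpoint agent (assumed shape)."""
    kind: str         # "outbound", "inbound" or "open_port"
    local_port: int
    remote: str       # peer address:port, or "" for a listening port


def attribute(record: Telemetry, endpoint_id: str, logged_in_upn: Optional[str]):
    """Decide what a telemetry record is associated with.

    Outbound flows started while a SCIM-known user is logged in are tied to that
    user's groups. Inbound flows and open ports are always tied to the endpoint,
    as is any outbound flow when nobody, or an account unknown to SCIM
    (e.g. a local admin), is logged in.
    """
    if record.kind == "outbound" and logged_in_upn in SCIM_USERS:
        return ("user_groups", SCIM_USERS[logged_in_upn])
    return ("endpoint", endpoint_id)


def classify(records: List[Telemetry], endpoint_id: str, logged_in_upn: Optional[str]):
    """Group records by subject, the way a flow map would render them."""
    view: Dict[tuple, List[Telemetry]] = {}
    for rec in records:
        view.setdefault(attribute(rec, endpoint_id, logged_in_upn), []).append(rec)
    return view


# Constructed telemetry as an agent on a laptop might report it: one outbound
# HTTPS flow, one inbound RDP connection attempt, and the open RDP port itself.
SAMPLE = [
    Telemetry("outbound", 52311, "erp.example.com:443"),
    Telemetry("inbound", 3389, "203.0.113.9:61022"),
    Telemetry("open_port", 3389, ""),
]
```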

Real-Time Network Flow Visualization

The platform continuously visualizes and classifies network activity, showing:

  • Outbound flows associated with specific users and their user groups.
  • Inbound flows and open ports at the endpoint level, regardless of which user is logged in.

This granular visibility ensures that the Security Admin can monitor endpoint behavior, enforce network access policies, and detect potential threats or anomalies in real time.

Policy Creation for User Identity-Based Microsegmentation

Once the user identity-based segmentation framework is established, the next critical step is creating network policies that control the traffic flows between endpoints and other network resources. Our platform enables enterprises to define these policies based on flexible and granular criteria, ensuring dynamic and adaptable security controls. These policies are primarily created using pre-configured templates that specify both inbound and outbound network rules.

Policy Templates

Policies are created from templates that allow the Security Admin to specify:

  • Inbound Ports/Paths: Define which ports or paths are allowed for incoming traffic, specifying allowed IPs, subnets, or specific network ranges.
  • Outbound Paths: Define which outbound paths (to IPs, subnets, or fully qualified domain names—FQDNs) are permitted for communication, ensuring that only approved destinations are accessible from the endpoint.

These templates provide the flexibility needed to tailor security rules to specific use cases and user groups, making it easy to control both the flow of data and the access to sensitive network resources.

Endpoint Grouping and Segmentation

To enhance policy management and enforcement, endpoints can be grouped together based on various criteria, such as tags (which act as labels). For example:

  • Location-based Segmentation: All endpoints in a particular physical location (e.g., a corporate office in New York or a warehouse in London) can be grouped into segments.
  • Role or Function-based Grouping: Endpoints can be grouped by their function, such as all Point-of-Sale (POS) systems or all development machines.

By grouping endpoints this way, policies can be efficiently applied to entire segments rather than managing individual devices, making it easier to scale and maintain security across the organization.

Assigning Policies to Endpoints or Endpoint Segments

Once templates are created, these policies can be applied in two ways:

  • Direct Assignment to Endpoints: Policies can be directly applied to specific endpoints, giving the Security Admin fine-grained control over individual devices.
  • Assignment to Endpoint Segments: Policies can be assigned to predefined endpoint segments. This approach automatically applies the policy to all endpoints within the segment, streamlining management for large, distributed networks.

By leveraging segments, the platform allows for easier scalability and centralized control over endpoint security policies, ensuring that similar types of endpoints (e.g., POS machines, laptops, or servers) are governed by the same security rules.

Attaching Policies to User Groups

In addition to endpoint-based policies, the platform enables security policies to be attached to user groups imported from the IDP. These policies define what a user can access based on their identity. For example:

  • A Finance User Group might have access to financial applications or sensitive data, while a Sales User Group might be restricted from those resources.

By applying policies to user groups, the platform ensures that users, regardless of which endpoint they’re using, are only allowed to access the resources they are authorized to.

Policy Enforcement: Combining Endpoint and User Group Rules

The way policies are applied to an endpoint depends on whether a user is logged in to the endpoint or not, and it’s calculated as follows:

No User Logged In: When no user is logged into the endpoint, the system enforces only the policies assigned to the endpoint itself, either directly or via endpoint segments. These rules apply universally to the endpoint.

User Logged In: When a user is logged into the endpoint, the system computes the final network rules additively, combining the policies assigned to the endpoint with the policies associated with the user group that the logged-in user belongs to. If the user belongs to multiple user groups, the policies from all those groups are merged in an additive fashion, ensuring that users inherit access rights and restrictions from each of their roles. This additive policy model ensures that user-specific needs and device-specific security requirements are both respected, and users get the appropriate access based on their role while their endpoints remain securely segmented.
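The additive computation described above, written out as an added example (not ColorTokens' own code) that also applies the earlier rule that only activated user groups take part: endpoint ids, tags, group names, UPNs and rules are constructed sample data, and the `(direction, port, peer)` rule shape is an assumption.

```python
from typing import Dict, List, Optional, Set, Tuple

# A rule is (direction, port, peer): direction is "inbound" or "outbound";
# peer is the allowed source (inbound) or destination (outbound).
Rule = Tuple[str, int, str]

# Constructed sample data standing in for what is configured in the platform.
ENDPOINT_TAGS: Dict[str, Set[str]] = {
    "pos-nyc-01": {"location:nyc", "function:pos"},
    "laptop-042": {"location:nyc", "function:laptop"},
}
DIRECT_POLICIES: Dict[str, Set[Rule]] = {          # assigned to one endpoint
    "laptop-042": {("inbound", 3389, "10.0.5.0/24")},   # RDP only from a jump subnet
}
SEGMENT_POLICIES: Dict[str, Set[Rule]] = {         # assigned to a tag-based segment
    "function:pos": {("outbound", 443, "payments.example.com")},
    "location:nyc": {("outbound", 53, "10.0.0.2")},
}
GROUP_POLICIES: Dict[str, Set[Rule]] = {           # attached to IDP user groups
    "Finance": {("outbound", 443, "erp.example.com")},
    "Sales": {("outbound", 443, "crm.example.com")},
    "AllStaff": {("outbound", 443, "intranet.example.com")},
}
ACTIVE_GROUPS: Set[str] = {"Finance", "Sales"}     # AllStaff was left inactive
USER_GROUPS: Dict[str, Set[str]] = {               # imported via SCIM, keyed by UPN
    "alice@example.com": {"Finance", "AllStaff"},
    "bob@example.com": {"Finance", "Sales"},
}


def effective_rules(endpoint: str, logged_in_upn: Optional[str] = None) -> List[Rule]:
    """Compute the rule set enforced on an endpoint right now.

    Endpoint rules (direct + every segment the endpoint's tags place it in)
    always apply. When a known user is logged in, the rules of each *active*
    group the user belongs to are unioned in; inactive groups and unknown
    accounts contribute nothing, so the result is just the endpoint rules.
    """
    rules: Set[Rule] = set(DIRECT_POLICIES.get(endpoint, set()))
    for tag in ENDPOINT_TAGS.get(endpoint, set()):
        rules |= SEGMENT_POLICIES.get(tag, set())
    if logged_in_upn is not None:
        for group in USER_GROUPS.get(logged_in_upn, set()):
            if group in ACTIVE_GROUPS:
                rules |= GROUP_POLICIES.get(group, set())
    return sorted(rules)
```

Because the merge is a set union, a group can only ever add reachable paths to an endpoint; it cannot remove a rule the endpoint or its segment already grants.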

Limitation: IP Address Changes and User Access

One important consideration to keep in mind is that, due to the nature of dynamic IP address assignments for endpoints, our solution does not support policies that automatically handle changes in endpoint IPs across different devices or servers. Since endpoints (such as laptops, desktops, or mobile devices) often switch networks, their IP addresses can change frequently, especially in environments with dynamic IP allocation or roaming users. As a result, policies targeting specific IPs or subnets are static, and will not automatically adjust to reflect changes in the endpoint’s IP address over time.

Therefore, policies defined based on IPs, subnets, or other static network identifiers will need to be manually adjusted if an endpoint's IP changes or if new endpoints are added to the network. This means that user access or endpoint-specific policies that depend on IP addresses cannot dynamically track and update changes in real-time, requiring periodic review and configuration to ensure proper segmentation and security enforcement.

Ensuring Sufficient Security Despite the Limitation

While this limitation exists, the overall security posture remains strong due to the layered approach of the user identity-based segmentation and template-driven policy assignment. Even without automatic IP tracking, the solution ensures that inbound traffic and open ports are always associated with the endpoint, regardless of IP changes, and the security policies remain consistently enforced at both the user group and endpoint segment levels.

Additionally, by assigning policies based on user identity and endpoint attributes, we provide dynamic security that adapts to the user and their role, irrespective of the endpoint's IP. The system can still efficiently control access and data flows based on the user’s role and identity, significantly reducing the risk of unauthorized access or lateral movement.

Summary of Benefits

  • User Identity-Centric Security: Policies are dynamically tied to user identities and user groups, ensuring that only authorized users can access specific resources, regardless of the endpoint they are using or its IP address.
  • Granular Network Flow Control: With template-based policies, security admins can define precise inbound and outbound rules, controlling access to ports, paths, IPs, and subnets, ensuring that only necessary network traffic is allowed.
  • Flexible Endpoint Grouping: Endpoints can be grouped by tags (e.g., location, function) to streamline policy assignment, making it easy to manage and scale security policies across a diverse network.
  • Additive Policy Enforcement: Policies are applied additively based on both user group and endpoint, ensuring that users get access according to their roles while the endpoints are secured according to predefined segments.
  • Comprehensive Endpoint Protection: Even with IP address changes, security is maintained at the endpoint level for inbound traffic and open ports, which remain protected regardless of the endpoint’s IP.
  • Scalable and Centralized Management: Policies can be applied to individual endpoints or endpoint segments, allowing for centralized control over large, distributed networks while reducing administrative overhead.
  • Dynamic and Context-Aware: The platform adapts to changes in user login status, ensuring that security policies are enforced dynamically based on who is logged in, further enhancing protection against unauthorized access.

Despite the limitation regarding dynamic IP changes, the platform’s ability to control traffic based on user identity and endpoint characteristics ensures a high level of security. This user-focused segmentation, combined with powerful policy templates and flexible endpoint grouping, offers robust protection against internal and external threats while providing easy-to-manage, scalable network security.