Network Segmentation

A Key Layer of Your Organization’s Defense

What Is Network Segmentation?

“Network segmentation” refers to the logical, and sometimes physical, separation of IT assets and resources – such as data, applications, servers and users. Properly isolating a network into segments significantly reduces the size of the attack surface by limiting the IT assets that are accessible from each segment. The resources connected to a segment, regardless of their nature – physical, virtual, or human – are prevented from interacting with (or even being “seen” by) resources on other network segments. At its most fundamental level, network segmentation creates and maintains logically grouped subsets of resources that are isolated from all other, implicitly untrusted, groups, even when those other groups are part of the same business organization.

Why is Network Segmentation Important?

It Safeguards Your Assets and Helps Maintain Confidentiality of Data

Emerging information about recent security breaches illustrates the critical role network segmentation has in protecting any organization’s IT assets. Network segmentation allows you to isolate and apply segment-specific access policies and restrictions to your various applications, systems, and users. For example, this could include: PCI/CDE (credit card) information, CUI/ITAR data (Department of Defense related materials), ePHI (electronic medical health records), or even internal company finances and HR records. Network segmentation enables organizations to apply more granular controls to specific data classifications in order to limit potential exposure and reduce risk. The ultimate goal of network segmentation is to protect your most sensitive data from unauthorized access or disclosure.

In environments where network segmentation is not practiced, the organization’s entire network is the potential attack surface. In a “flat” (un-segmented) network, an individual with malicious intent need only compromise a single device on the network. That device becomes a launch pad from which the entire network can be attacked. Once inside, the attacker can “see” and access all other network-attached devices. On a segmented network, only the devices, services, applications, data, or users on a particular segment are accessible to authorized, or in the case of a breach, unauthorized, users.

With proper network segmentation in place, an attacker cannot access resources across the entire network in an uninhibited manner, because restrictive access control lists and other policies limit or prevent interaction between segments. Within a properly segmented and controlled network, should a malicious actor breach a DMZ (public-facing) server, they would be unable to reach the sensitive data and systems isolated within the most protected segments without first breaching multiple other devices in their path. Those sensitive IT assets remain protected behind additional layers of firewalls and security controls. Ultimately, network segmentation plays a key role, if not the most important role, in ensuring that your confidential data remains confidential.

It is Required

If your organization is required to comply with cybersecurity mandates, proper network segmentation is likely not optional; it is almost certainly required. As breaches continue to occur and malicious actors continue to successfully social engineer organizations, regulatory bodies keep increasing the number and types of cybersecurity requirements.

Here are a few of the mandates and regulations that require network segmentation:

  • NIST SP 800-53
  • NIST SP 800-171
  • NIST Cybersecurity Framework (CSF)
  • Cybersecurity Maturity Model Certification (CMMC)
  • International Traffic in Arms Regulations (ITAR)
  • Defense Federal Acquisition Regulation Supplement (DFARS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)

How is Network Segmentation Achieved?

The first step in any network segmentation effort should be an inventory and classification of all IT assets and the data that they contain. This should be followed by a risk assessment of those assets (physical and virtual). The organization will also need to assess the access requirements of each individual or personnel role within the company. This is a key step to ensure that access to segments is granted on a need-to-know and need-to-access basis, thereby ensuring the integrity of each segment and further reducing the attack surface. It also helps reduce social engineering risk by ensuring that only properly trained staff have access to the most sensitive resources. In all, these steps are crucial to ensuring that the logical resource groupings that will make up the segments are accurate in their lines of separation and that there are no “bleed points” through which sensitive data could be lost.

Temptation to skip these early steps is often driven by a desire to “become compliant” sooner, to demonstrate faster forward progress, or to relieve the discomfort of feeling overwhelmed by the task at hand. Yet, it is impossible to properly segment a network without first understanding the network composition in its entirety. By dedicating the necessary resources to the inventory and risk assessment steps, an organization can expect a smoother transition to an effectively segmented network.
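The following is an added example, not code from the original article: it models the inventory-and-classification steps above as data, expresses the inter-segment policy from the DMZ discussion as a default-deny allow-list, and checks the plan for “bleed points” (a sensitive segment reachable from the DMZ in a single hop, without an intermediate device to breach). All asset names, segments, data classes and flows are constructed sample values.

```python
"""Added example (not from the original article): model a segmentation plan
and check it for "bleed points". All assets, segments and flows are constructed."""
from collections import deque

# Steps 1-2: inventory with data classification; each asset sits in the
# segment matching its most sensitive data class (constructed inventory).
ASSETS = {
    "web-01":    {"segment": "dmz",     "data": "public"},
    "app-01":    {"segment": "app",     "data": "internal"},
    "pay-db-01": {"segment": "pci-cde", "data": "PCI"},
    "ehr-db-01": {"segment": "ephi",    "data": "ePHI"},
    "hr-share":  {"segment": "corp",    "data": "HR"},
}
SENSITIVE_CLASSES = {"PCI", "ePHI", "CUI", "HR"}

def build_policy(weak_rule=False):
    """Inter-segment allow-list of (src, dst) flows; anything not listed is denied.
    weak_rule adds a direct DMZ -> CDE flow to show what a bleed point looks like."""
    flows = {("dmz", "app"), ("app", "pci-cde"), ("app", "ephi"), ("corp", "app")}
    if weak_rule:
        flows.add(("dmz", "pci-cde"))
    return flows

def hops(policy, src, dst):
    """Fewest allowed inter-segment flows from src to dst, or None if unreachable."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return dist[cur]
        for a, b in policy:
            if a == cur and b not in dist:
                dist[b] = dist[cur] + 1
                queue.append(b)
    return None

def sensitive_segments(assets):
    """Segments that hold at least one asset with a sensitive data class."""
    return {a["segment"] for a in assets.values() if a["data"] in SENSITIVE_CLASSES}

def bleed_points(policy, assets, from_segment="dmz"):
    """Sensitive segments reachable from from_segment in one hop, i.e. with no
    intermediate device that an intruder would first have to breach."""
    return sorted(s for s in sensitive_segments(assets) if hops(policy, from_segment, s) == 1)

if __name__ == "__main__":
    for weak in (False, True):
        print("weak rule" if weak else "baseline", "->", bleed_points(build_policy(weak), ASSETS))
```

With the baseline policy the DMZ reaches the CDE only through the app segment (two hops), so no bleed point is reported; adding the direct DMZ-to-CDE flow makes the CDE a bleed point.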
