Information is arguably one of any organization’s most valuable and business-critical assets. Despite this, many information networks are, for all intents and purposes, flat networks: networks with few controls over where data may flow, so data moves freely between any two points. This means that the most sensitive corporate or customer data moves through the same network devices as all other company information. This could include things like employee emails and Internet downloads, credit card information, research, sensitive financial information, electronic doctor/patient communications, and any other information that company employees create, receive, download, share, and store.
A flat network creates an open environment in which anyone who gains legitimate or unlawful access to the corporate backbone is unhindered as to where they can go or what they can do. Even an unsophisticated attack could not only cripple the entire corporate network but could also lead to a data breach of the highest order. Additionally, in a flat network, the same scarce (read: expensive) resources are required to secure the least critical business assets as are required to secure the most critical business assets. Consider that many companies currently spend the same amount of time, effort, and money every year to keep the electronic inventory of cleaning supplies secure as they do to safeguard their most sensitive corporate information.
By simply compartmentalizing or segregating data types into individual but connected, protected networks, a company could slow down or even stop an attacker. At the least, an attacker would be limited to attacking or stealing only the information available in the single compartmentalized network that they were able to breach.
A segmented network gives the company the ability to allocate scarce resources based on business criticality, focusing more resources on those most sensitive data environments and fewer resources on the least sensitive. It allows for the isolation of protected data, limiting the scope of audits to a specific network segment (PCI DSS encourages this). The segmented network allows for more precise management of mission-critical business resilience based on real, measurable business needs, and for more granular and efficient monitoring and analysis. It facilitates the detection and remediation of breaches, and provides smoother transitions when moving business segments to a cloud or other service provider or when making hardware modifications.
Benefits of network segmentation can include, but are not limited to:
- Ability to apply granular, business-appropriate access controls in segments
- Much more efficient allocation of critical resources
- Greater visibility into network efficiency, bandwidth utilization, traffic patterns, and anomalous activity that can drain company resources
- Easier implementation of business-specific processes
- Application of different network policies (and technologies) based on segment content (wireless and BYOD, for example, can be applied differently as the business requires)
- Technology and tool investment apportionment based on real data, and efficient alignment to unique business needs
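As an added example (not part of the original post), the following Python models the compartmentalization described above: constructed segments with a deny-by-default ACL between them, and a function that reports which segments a single compromised host can reach on a flat network versus a segmented one. Segment names, address ranges, and ACL rules are all constructed for illustration.

```python
"""Compare the blast radius of one compromised host on a flat network
versus a segmented network with deny-by-default inter-segment ACLs.
All segments, addresses and rules below are constructed examples."""
from ipaddress import ip_address, ip_network

# Constructed segments: name -> CIDR. "cardholder" is the PCI-scoped zone.
SEGMENTS = {
    "users": ip_network("10.10.0.0/24"),
    "cardholder": ip_network("10.20.0.0/24"),
    "research": ip_network("10.30.0.0/24"),
    "mgmt": ip_network("10.40.0.0/24"),
}

# Constructed inter-segment ACL, deny by default:
# (source segment, destination segment, destination TCP port)
ALLOW = {
    ("users", "cardholder", 443),  # payment web front end only
    ("mgmt", "users", 22),         # admin jump host access
    ("mgmt", "cardholder", 22),
    ("mgmt", "research", 22),
}


def segment_of(ip):
    """Return the segment name containing ip, or None if unassigned."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def allowed(src_ip, dst_ip, port, segmented=True):
    """True if a flow src_ip -> dst_ip:port is permitted by the design."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if not segmented or src == dst:
        return True  # flat network (or same segment): everything reaches everything
    return (src, dst, port) in ALLOW


def reachable_segments(src_ip, ports=(22, 443, 3389), segmented=True):
    """Segments a compromised host at src_ip can reach on any listed port."""
    reach = set()
    for name, net in SEGMENTS.items():
        probe = str(net.network_address + 10)  # any host in that segment
        if any(allowed(src_ip, probe, p, segmented) for p in ports):
            reach.add(name)
    return reach
```

On the flat network a compromised user workstation reaches every segment; with the ACL in place it reaches only its own segment and the one published service in the cardholder zone.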
Summary
Information is an extremely critical asset to any company, and the loss or corruption of that critical information could be devastating to the company, stakeholders, employees, and customers. Critical information cannot be properly protected in an open network environment where disparate data types are commingled and managed with the same diligence. In addition to being a recommendation in every government and industry compliance specification, information protection through segregation is a cornerstone of a well-defined information security strategy, a recognized best practice, and a comparatively easy and inexpensive way to gain business efficiencies, reduce risk, and improve business resilience. Among other things, the information segregation created by network segmentation eliminates the common practice of applying policy arbitrarily and the inefficient use of costly technology resources. Business-appropriate data segregation also provides individual business owners with greater visibility into and influence on information management, providing for more informed business decisions and investments.
great piece
Great blog! – and it’s well known that lateral movement is a key phase of many targeted attacks – segmentation is a great technique to at least slow down the attackers long enough for them to be detected, before any real damage is done, and may indeed thwart their attack completely.
Cathy,
Great points in your article. From my experience, many companies have tried to force security into their networks after the fact, rather than during the initial design. That being said, modifying an existing ‘flat’ network requires work that most companies will not undertake until they have been given a reason. Unfortunately, that reason is often a security breach that is costly to recover from.
The redesign of the network to ‘compartmentalize’ the different groups and access controls utilizes rather simple techniques that most if not all network devices sold today can accommodate. Network features such as VLANs, subnets, and ACLs have existed for many years, but are NOT utilized by many companies because the initial designs did not consider security as a key feature of the design.
We cannot, and should not, place all the blame on our firewalls, virus detection solutions, or IPS devices. How we design our networks, locate our security defenses, and configure these devices are just as critical and responsible for the overall security of our networks. Unfortunately, network design is often neglected as a key component of overall security.