Network segmentation reduces cybersecurity risk and is a vital first step towards a zero-trust security policy: it creates the network boundaries at which such a policy can enforce access controls.
In the past, many organizations only defined a secure boundary at the network perimeter, so an attacker who breached it could move freely inside. The following steps outline how to implement effective segmentation within the corporate network.
Not all data and assets within an organization are of equal value. Some systems, such as the customer database, may be essential to maintaining normal operations. Others, like a printer, are useful but not vital to the functioning of the business.
Assigning levels of importance and value to assets is an important first step for network segmentation. These labels will later be used to define the various zones of trust within the network.
In addition to the value of assets, it is also important to consider the sensitivity of the data that they contain. Assets holding very sensitive data, such as customer information, research and development data, etc., may require additional protections for compliance with data protection regulations or the corporate security policy.
These labels should take into account both the sensitivity of the data (i.e. public to highly restricted) and the types of data that an asset contains. This helps to define segmentation policies that are in accordance with applicable regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).
Network segmentation helps to improve network security by breaking the network into isolated segments. This makes it more difficult for an attacker to move laterally through the network after gaining an initial foothold.
However, there are a number of legitimate data flows that need to be permitted. All data flows across all of the systems on the network should be mapped, including:
Certain assets within an organization’s network are used for similar purposes and communicate regularly. Segmenting these systems off from one another does not make sense, as a number of exceptions would be required to maintain normal functionality.
When defining asset groups, it is important to consider both this similar functionality and the sensitivity of the various assets on the corporate network. Any assets serving similar purposes and with similar sensitivity levels should be grouped together in one segment separate from other assets with different trust levels or functions.
Defining segment boundaries is important, but it provides no benefit to the organization if these boundaries are not enforced. Enforcing access controls on each network segment requires deployment of a segment gateway.
To enforce a segment boundary, all network traffic entering and exiting that segment must pass through the gateway. As a result, an organization may need multiple gateways to implement effective segmentation. These requirements can help to inform the decision of whether to select a hardware firewall or a virtual firewall.
Traffic between assets within a particular segment may be permitted to flow unrestricted. Inter-segment communications, however, must pass through the segment gateway, be monitored there, and comply with the access control policies.
These policies should be defined on the principle of least privilege: an application, device, or user receives only the minimum permissions required to do its job. The permitted inter-segment flows should therefore be exactly the legitimate data flows identified when the network's traffic was mapped (step 3 above), with everything else denied by default.
After defining micro-segments, deploying a segmentation gateway, and creating and enforcing access control policies, the process of implementing network segmentation is largely complete. However, defining a network segmentation policy is not a one-time exercise.
Network segmentation policies may need to change as the corporate network evolves or as oversights and errors in the initial design come to light. Addressing these issues requires periodic audits to determine what has changed, whether any unnecessary risks exist, and how network segments and access controls should be updated to mitigate them.
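As an added worked example (not code from the original article or its vendor), the following Python script ties the preceding steps together: it takes a constructed asset inventory with segment and sensitivity labels, collapses the mapped host-to-host flows into least-privilege inter-segment allow rules with an implicit default deny, flags any rule that lets a public-sensitivity segment initiate straight into a restricted one, and then audits a constructed gateway connection log against the policy, reporting both flows that fell outside the rules and rules that no traffic ever matched. Every host name, segment name, port and log line is made up for illustration.

```python
import re
from collections import namedtuple

# --- Constructed sample inventory (not a real network) -----------------------
# host -> (segment, data sensitivity). Sensitivity labels ordered low -> high.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "restricted": 2}
ASSETS = {
    "web-01":    ("dmz-web",    "public"),
    "web-02":    ("dmz-web",    "public"),
    "app-01":    ("app-tier",   "internal"),
    "db-01":     ("pci-db",     "restricted"),
    "printer-1": ("office-iot", "public"),
    "laptop-7":  ("corp-users", "internal"),
}

# Legitimate flows discovered while mapping traffic: (src, dst, dport, proto).
MAPPED_FLOWS = [
    ("web-01",   "app-01",    8443, "tcp"),
    ("web-02",   "app-01",    8443, "tcp"),
    ("app-01",   "db-01",     5432, "tcp"),
    ("web-02",   "db-01",     5432, "tcp"),  # legacy report job: DMZ straight into pci-db
    ("laptop-7", "web-01",     443, "tcp"),
    ("laptop-7", "printer-1", 9100, "tcp"),
    ("web-01",   "web-02",    7946, "tcp"),  # same segment: never crosses the gateway
]

Rule = namedtuple("Rule", "src_segment dst_segment dport proto")


def segment_of(host):
    return ASSETS[host][0]


def segment_sensitivity(segment):
    """A segment inherits the highest sensitivity label of any asset in it."""
    return max((ASSETS[h][1] for h in ASSETS if ASSETS[h][0] == segment),
               key=SENSITIVITY_RANK.__getitem__)


def build_policy(flows):
    """Least-privilege gateway policy: one allow rule per mapped
    inter-segment (src, dst, port, proto) tuple; anything else is denied.
    Intra-segment flows are dropped because the gateway never sees them."""
    return {Rule(segment_of(s), segment_of(d), p, proto)
            for s, d, p, proto in flows if segment_of(s) != segment_of(d)}


def is_allowed(policy, src, dst, dport, proto):
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return True  # unrestricted inside a segment, as the article describes
    return Rule(s, d, dport, proto) in policy


def risky_rules(policy):
    """Rules that let a public-sensitivity segment initiate directly into a
    restricted one; these deserve review before they are deployed."""
    return {r for r in policy
            if segment_sensitivity(r.src_segment) == "public"
            and segment_sensitivity(r.dst_segment) == "restricted"}


LOG_LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)")


def parse_log(text):
    """Parse gateway connection records in the constructed format used below."""
    flows = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            src, dst, dport, proto = m.groups()
            flows.append((src, dst, int(dport), proto))
    return flows


def audit(policy, observed):
    """Periodic audit: which observed inter-segment connections fall outside
    the policy (violations or undocumented dependencies), and which rules
    matched nothing (candidates for removal)."""
    violations, matched = [], set()
    for src, dst, dport, proto in observed:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue
        rule = Rule(s, d, dport, proto)
        if rule in policy:
            matched.add(rule)
        else:
            violations.append((src, dst, dport, proto))
    return violations, policy - matched


# Constructed connection log for the audit (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=accept src=web-01 dst=app-01 dport=8443 proto=tcp
2024-05-01T10:00:02Z action=accept src=app-01 dst=db-01 dport=5432 proto=tcp
2024-05-01T10:00:03Z action=accept src=web-01 dst=web-02 dport=7946 proto=tcp
2024-05-01T10:00:04Z action=accept src=printer-1 dst=db-01 dport=5432 proto=tcp
2024-05-01T10:00:05Z action=accept src=laptop-7 dst=db-01 dport=5432 proto=tcp
"""

if __name__ == "__main__":
    policy = build_policy(MAPPED_FLOWS)
    print("gateway allow rules:", sorted(policy))
    print("rules to review:", risky_rules(policy))
    bad, stale = audit(policy, parse_log(SAMPLE_LOG))
    print("flows outside policy:", bad)
    print("rules never matched:", stale)
```

Run against the sample data, the audit reports the printer and the user laptop reaching the database segment even though no mapped flow justifies it (the gateway accepted them, so its deployed rules are looser than the policy), and it lists three allow rules that no observed traffic used, which is the evidence a periodic review needs to tighten or remove them. The legacy DMZ-to-database rule is surfaced separately by the sensitivity check so it can be challenged before it is enforced.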
Defining a network segmentation policy can be a huge task, especially for enterprise-scale networks. Attempting to perform all of these steps manually may be difficult or impossible.
For this reason, it is important to take advantage of automation capabilities wherever possible. Especially in the discovery and classification phase, automation can be invaluable for identifying new assets added to the network and their communication flows, detecting whether they contain vulnerabilities, and applying the network segmentation policy to them.
Automated detection and labeling has become more valuable with the growth of the Internet of Things (IoT). These devices are often insecure, and segmentation is required to isolate them from critical systems on the enterprise network. However, implementing effective IoT security requires a firewall that understands IoT protocols. To see network segmentation for IoT in action, you’re welcome to request a demo.