Network Segmentation - May 2014 - v3

Network Segmentation: A key layer of your organization’s defense
What is Network Segmentation?
“Network segmentation” refers to the physical and logical separation of IT assets
and resources – such as data, applications, servers and users. Isolating a network
into segments reduces the size of the attack surface by limiting the IT assets that are
accessible from each segment. The resources connected to a segment, regardless of
their nature – physical, virtual, or human – are prevented from interacting with (or
even being “seen” by) resources on other network segments. At its most
fundamental level, network segmentation creates and maintains logically grouped
subsets of resources that are isolated from all other, implicitly untrusted, groups –
even when those other groups are part of the same business organization.
Why is Network Segmentation Important?
Emerging information about recent security breaches illustrates the critical role
network segmentation plays in protecting any organization’s IT assets. Network
segmentation allows you to isolate and apply segment-specific policies to, for
example, your Cardholder Data Environment (CDE). It enables organizations to
apply more granular controls (in this example, PCI DSS-based policies) to limit
potential exposure and reduce risk. The ultimate goal of network segmentation is to
protect your most sensitive data from unauthorized access or disclosure.
In environments where network segmentation is not practiced, the organization’s
entire network is the potential attack surface. In a “flat” (un-segmented) network, an
individual with malicious intent need only compromise a single device on the
network. That device becomes a launch pad from which the entire network can be
attacked. Once inside, the attacker can “see” and access all other network-attached
devices. On a segmented network, only the devices on that particular segment are
accessible to authorized users and, in the case of a breach, to unauthorized ones.
With proper network segmentation in place, an attacker cannot access resources
across the entire network, thanks to restrictive access control lists and other
policies limiting or preventing interaction between segments. In the earlier CDE
example, an attacker breaching another segment would not be able to get to the CDE
segment. Those IT assets would remain protected behind additional layers of
firewalls and security. Ultimately, network segmentation plays a key role, if not the
most important role, in ensuring that your confidential data remain confidential.
How is Network Segmentation Achieved?
The first step in any network segmentation effort should be an inventory of all IT
assets and the data that they contain, followed by a risk assessment of those assets
(physical and virtual). These steps are crucial to ensuring that the logical resource
groupings, which will make up the segments, are accurate in their lines of
separation and there are no “bleed points” through which sensitive data could be
lost.
Temptation to skip these early steps is often driven by a desire to “become
compliant” sooner, to demonstrate faster forward progress, or to relieve the
discomfort of feeling overwhelmed by the task at hand. Yet, it is impossible to
properly segment a network without first understanding the network composition
in its entirety. By dedicating the necessary resources to the inventory and risk
assessment steps, an organization can expect a smoother transition to an effectively
segmented network.
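The two ideas above, restricting inter-segment interaction with default-deny policies and using the asset inventory to find "bleed points", can be checked with a small model before any firewall is touched. The following Python script is an added example written for this page; it is not DataPrivia's code or method, and every asset name, segment, port and observed flow in it is constructed. It computes what a single compromised device can reach directly on a flat network versus a segmented one, and it flags observed cross-segment flows that no allow rule permits.

```python
"""Segment-policy model: direct reachability and "bleed point" checks.

Constructed example (not from the paper): a small asset inventory with a
sensitivity rating from the risk assessment, an allow-list of inter-segment
flows, and two analyses a defender runs before and after segmenting.
"""

# Asset name -> (segment, sensitivity, ports the asset listens on).
# Names, segments and ports are invented for this example.
INVENTORY = {
    "pos-terminal-01": ("cde",   "high",   {22}),
    "payment-db":      ("cde",   "high",   {5432}),
    "web-frontend":    ("dmz",   "medium", {443}),
    "hr-fileserver":   ("corp",  "medium", {445}),
    "staff-laptop-07": ("corp",  "low",    {3389}),
    "guest-ap":        ("guest", "low",    {80}),
}

# Allowed inter-segment flows as (source segment, destination segment, port).
# Anything not listed is denied: default-deny between segments.
ALLOWED_FLOWS = {
    ("dmz",   "cde", 5432),  # web tier may reach the payment database only
    ("corp",  "dmz", 443),   # staff use the web app like any other client
    ("guest", "dmz", 443),
}


def segmented_policy(src_seg, dst_seg, port):
    """Default-deny between segments; traffic inside one segment is not filtered here."""
    return src_seg == dst_seg or (src_seg, dst_seg, port) in ALLOWED_FLOWS


def flat_policy(src_seg, dst_seg, port):
    """Un-segmented ("flat") network: nothing between devices is filtered."""
    return True


def directly_reachable(compromised, policy):
    """Assets a single compromised device can connect to on a port they listen on."""
    src_seg = INVENTORY[compromised][0]
    reach = set()
    for asset, (dst_seg, _sensitivity, ports) in INVENTORY.items():
        if asset == compromised:
            continue
        if any(policy(src_seg, dst_seg, p) for p in ports):
            reach.add(asset)
    return reach


def exposed_high_value(compromised, policy):
    """High-sensitivity assets directly exposed if `compromised` is breached."""
    return sorted(a for a in directly_reachable(compromised, policy)
                  if INVENTORY[a][1] == "high")


def find_bleed_points(observed_flows):
    """Observed flows (from a data-flow map or captures) that cross segments
    without an allow rule: candidates for a missing control or a misplaced asset."""
    return [(src, dst, port) for src, dst, port in observed_flows
            if not segmented_policy(INVENTORY[src][0], INVENTORY[dst][0], port)]


# Constructed sample of flows "seen on the wire" during the inventory step.
OBSERVED_FLOWS = [
    ("web-frontend", "payment-db", 5432),      # permitted by the allow-list
    ("staff-laptop-07", "hr-fileserver", 445), # same segment, not filtered
    ("staff-laptop-07", "payment-db", 5432),   # corp -> cde: no rule, bleed point
    ("pos-terminal-01", "guest-ap", 80),       # cde -> guest: no rule, bleed point
]

if __name__ == "__main__":
    for label, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        print(label, "reach from staff-laptop-07:",
              sorted(directly_reachable("staff-laptop-07", policy)),
              "high-value exposed:", exposed_high_value("staff-laptop-07", policy))
    print("bleed points:", find_bleed_points(OBSERVED_FLOWS))
```

Running it shows the contrast the paper describes: on the flat model a compromised staff laptop reaches every other asset, including both CDE systems, while under the segmented policy it reaches only its own segment and the web tier, and no high-sensitivity asset. The bleed-point check is the inventory-driven part: each flagged flow is either a control that is missing or an asset that belongs in a different segment, which is exactly the question the data flow map is meant to answer before segments are drawn.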
How Can DataPrivia Help Your Organization?
DataPrivia works directly with your staff to complete a top-to-bottom inventory and
risk assessment of your IT assets. Based on the data gathered in these initial steps,
DataPrivia will create data flow maps to inform decision-making when creating
logical network segments for those assets. DataPrivia will then develop a road map
and help your staff configure firewalls and network devices and implement the other
controls necessary to migrate all of your IT assets into the appropriate
network segments as efficiently, quickly, and accurately as possible.