Uploaded by Eli Keimig

Network Segmentation - A Key Layer of Your Organization’s Defense

advertisement
Network Segmentation: A key layer of your organization’s
defense
What is Network Segmentation?
“Network segmentation” refers to the physical and logical separation of IT assets and
resources – such as data, applications, servers and users. Isolating a network into
segments reduces the size of the attack surface by limiting the IT assets that are
accessible from each segment. The resources connected to a segment, regardless of
their nature – physical, virtual, or human – are prevented from interacting with (or even
being “seen” by) resources on other network segments. At its most fundamental level,
network segmentation creates and maintains logically grouped subsets of resources that
are isolated from all other, implicitly untrusted, groups – even when those other groups
are part of the same business organization.
Why is Network Segmentation Important?
Emerging information about recent security breaches illustrates the critical role network
segmentation has in protecting any organization’s IT assets. Network segmentation
allows you to isolate and apply segment-specific policies to, for example, your
Cardholder Data Environment (CDE). It enables organizations to apply more granular
controls (in this example, PCI DSS-based policies) to limit potential exposure and reduce
risk. The ultimate goal of network segmentation is to protect your most sensitive data
from unauthorized access or disclosure.
In environments where network segmentation is not practiced, the organization’s entire
network is the potential attack surface. In a “flat” (un-segmented) network, an
individual with malicious intent need only compromise a single device on the network.
That device becomes a launch pad from which the entire network can be attacked. Once
inside, the attacker can “see” and access all other network-attached devices. On a
segmented network, only the devices on a particular segment are accessible to
authorized and – in the case of a breach, unauthorized – users.
With proper network segmentation in place, an attacker cannot access resources across
the entire network, thanks to restrictive access control lists and other policies limiting or
preventing interaction between segments. In the earlier CDE example, an attacker
breaching another segment would not be able to get to the CDE segment. Those IT
assets would remain protected behind additional layers of firewalls and security.
Ultimately, network segmentation plays a key role, if not the most important role, in
ensuring that your confidential data remain confidential.
How is Network Segmentation Achieved?
The first step in any network segmentation effort should be an inventory of all IT assets
and the data that they contain, followed by a risk assessment of those assets (physical
and virtual). These steps are crucial to ensuring that the logical resource groupings,
which will make up the segments, are accurate in their lines of separation and there are
no “bleed points” through which sensitive data could be lost.
Temptation to skip these early steps is often driven by a desire to “become compliant”
sooner, to demonstrate faster forward progress, or to relieve the discomfort of feeling
overwhelmed by the task at hand. Yet, it is impossible to properly segment a network
without first understanding the network composition in its entirety. By dedicating the
necessary resources to the inventory and risk assessment steps, an organization can
expect a smoother transition to an effectively segmented network.
About this Document
Author: Eli Keimig
Position: Chief Technical Officer & Executive President at DataPrivia, Inc.
Authored: May 2, 2014
DataPrivia & Network Segmentation
DataPrivia works directly with companies and their IT staff to complete a top-to-bottom
inventory and risk assessment of all IT systems and services. Based on the data gathered
in these initial steps, DataPrivia creates data flow maps to inform decision-making when
creating logical network segments for those assets discovered. DataPrivia then develops
a road map and helps organizational staff configure firewalls and network devices and
implement the other controls necessary to successfully migrate the discovered IT assets
into the appropriate network segments as efficiently, quickly, and accurately as possible.
Download
Related flashcards
Computer security

25 Cards

Create flashcards