Segmentation Done Right Part 1 of 3
When I was in middle school standing in the cafeteria lunch line, there was always that feeling of nervousness before the spaghetti or tuna casserole (or aloo tikka masala if you are familiar with the Indian school lunch trays) hit my lunch tray with its unique thud. After the entrée, I would shuffle my feet to the left to receive my overcooked peas and carrots. Last but not least was a big scoop of extra syrupy canned peaches. Ah, the joys of being in 7th grade. The good thing about public school lunch was that at least the lunch tray was compartmentalized, and my noodles only caught a little bit of that extra sugary, extra sweet peach syrup. Segmentation, what a great idea.
Contain the Damage
Reminiscing about my school noodles made me think about the benefits of network segmentation, which is the division of a network into smaller, more manageable groups. These zones are separated from each other by controls placed between them, which keep each zone safe and secure. If, for example, a cyberattack compromises a device, segmentation keeps the damage from spreading because it is confined to a specific zone or segment. Think blast radius control. Unusual lateral (side-to-side) movement is also kept in check when a network is properly segmented.
It sounds simple enough: separate the network into compartments to limit the spillover effect. Zones can readily consist of VLANs/subnets, groups or segments, hence the name. In terms of application, one can deploy network segmentation using existing network infrastructure or by deploying new next-generation firewalls into specific zones. The National Institute of Standards and Technology (NIST), in its framework for zero trust architecture, recommends segmentation for enhanced identity governance.
Factors to Consider
Getting started with segmentation takes a little bit of thought. How big will the zones be? How many devices of similar types will be in each zone? What about the regulatory environment? The regulatory side can have a say in how things are portioned as well. For example, if your business deals with payments, the PCI-DSS standard calls for a clear demarcation between payment card authorization and point of sale. In hospitals, one would want to keep life-saving equipment separated from the IT devices.
So how does one begin, and are segments rigid in a "set it and forget it" way? How can segments evolve as network requirements change? How will they adapt to changing business policies? It helps to start a segmentation project the right way by considering the various enterprise departments and the level of fine-grained control required. Furthermore, consider the zones of vulnerability, as plenty of exploits and attacks originate from inside the network. Departmental segmentation can be done with firewalls, but if you want more granular control, it very quickly amounts to deploying a large number of small hardware firewalls everywhere on the campus, which is neither practical nor cost-effective.
Network segmentation by itself is a great methodology, but if your organization does not know how your applications communicate with your endpoints, you risk having incoherent policies at your control points, which reduces the effectiveness and usefulness of segmenting. Segmentation applied without precision can even disrupt the day-to-day operations of a company, so that is something to consider when it comes to implementation. The other factor to consider is the growth and expansion of your network: you want a segmentation method that scales with your business requirements.
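To make the "blast radius" idea from the section above and the "incoherent policies" point in this paragraph concrete, here is a small added model (example code written for this post, not an Ordr product feature). It assumes a constructed inventory of hosts on VLAN/subnet zones, a zone-to-zone allow-list policy applied at the control points (traffic within a zone is unrestricted), and a constructed list of application flows the business needs. It computes which hosts a compromised device could reach by any number of hops under a flat network versus a segmented one, and it reports required flows that the segmented policy would silently break, which is exactly the operational impact that comes from segmenting before you know how applications talk to endpoints.

```python
import ipaddress
from collections import deque

# Constructed zones: each maps to a VLAN/subnet (sample data, not a real network).
ZONES = {
    "pos":      ipaddress.ip_network("10.10.1.0/24"),  # point of sale terminals
    "payments": ipaddress.ip_network("10.10.2.0/24"),  # card authorization
    "corp":     ipaddress.ip_network("10.20.0.0/24"),  # office IT
    "cameras":  ipaddress.ip_network("10.30.0.0/24"),  # surveillance devices
}

# Constructed inventory: hostname -> IP address.
HOSTS = {
    "pos-01": "10.10.1.11",
    "pos-02": "10.10.1.12",
    "auth-01": "10.10.2.5",
    "laptop-01": "10.20.0.40",
    "fileserver": "10.20.0.10",
    "cam-01": "10.30.0.21",
    "cam-02": "10.30.0.22",
}

# Constructed list of flows the business actually needs: (src host, dst host, dst port).
# The last one is the kind of flow nobody documented before the segmentation project.
REQUIRED_FLOWS = [
    ("pos-01", "auth-01", 443),
    ("laptop-01", "fileserver", 445),
    ("laptop-01", "cam-01", 443),
    ("cam-01", "fileserver", 445),  # cameras archive video to the corp file server
]

# A flat network has no control points at all.
FLAT_POLICY = None

# Segmented policy: (src zone, dst zone, dst port) tuples allowed to cross a zone boundary.
# Hypothetical rules written from the department view only, not from observed traffic.
SEGMENTED_POLICY = {
    ("pos", "payments", 443),   # terminals talk to card authorization
    ("corp", "cameras", 443),   # corp manages the cameras
}


def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if the host is unclassified."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def allowed(policy, src_ip, dst_ip, port):
    """Decide whether a single packet from src_ip to dst_ip:port passes the control points."""
    if policy is None:
        return True                       # flat network: everything reaches everything
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False                      # unclassified host: default deny
    if src == dst:
        return True                       # same VLAN: no control point in the path
    return (src, dst, port) in policy     # cross-zone: explicit allow-list only


def blast_radius(policy, compromised, ports=(22, 443, 445)):
    """Set of hosts an attacker on `compromised` could reach by chaining hops over `ports`."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for host, ip in HOSTS.items():
            if host in reached:
                continue
            if any(allowed(policy, HOSTS[current], ip, p) for p in ports):
                reached.add(host)
                queue.append(host)
    return reached - {compromised}


def blocked_flows(policy):
    """Required application flows that the policy would break (operational impact)."""
    return [(s, d, p) for s, d, p in REQUIRED_FLOWS
            if not allowed(policy, HOSTS[s], HOSTS[d], p)]


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{label}: blast radius from cam-01 = {sorted(blast_radius(policy, 'cam-01'))}")
        print(f"{label}: required flows blocked  = {blocked_flows(policy)}")
```

Run as-is, the flat network lets a compromised camera reach every other host, while the segmented policy confines it to the other camera. The same run shows the policy breaking the camera-to-file-server archive flow, because that flow was never discovered before the rules were written. Feeding observed application flows into a check like `blocked_flows` before enforcing a policy is the cheap way to avoid that class of outage.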
Slice and Dice Your Way to Segmentation
When you use a platform from Ordr, you can get as granular as you like. Beyond buildings, sites, departments, and floors, one can segment a network by business requirements and even group by device function, even within the same class of devices. For example, at a casino we can separate all the cameras into groups based on their function: surveillance cameras kept for regulatory compliance (watching the slot machines) versus general-purpose security cameras observing foot traffic. High-risk assets versus mission-critical assets is another way to approach the segmentation process.
Segmentation, like the lunch tray, works great when it's done right. There is no spillover or cross-contamination, and things are in a nice tidy order. Next week we will discuss the limitations and shortcomings of existing approaches and dive deeper into modern methods for segmenting the network the right way.
Read Segmentation Done Right - Part 2