The sheer size of modern corporate networks makes it increasingly difficult for companies to manage the complexity that comes with it. As a result, cybercriminals are ideally positioned to take advantage of this increased attack surface, leaving businesses scrambling to safeguard their networks from targeted and automated attacks that penetrate the network by capitalising on overly permissive access policies and exposed vulnerabilities.
In addition, as organizations become more agile, the frequency of change requests adds a degree of difficulty that challenges an organization’s existing resources and ability to maintain security.
Whilst network segmentation may not be a new approach, it is by no means outdated. However, the process of grouping interfaces into separate zones takes on a new meaning with the advent of cloud and microservices. Effective network segmentation, as well as its implementation and long-term maintenance, is a major challenge for many companies – particularly in light of today’s complex networks and rapid adoption of the latest technologies.
So, how can companies guarantee the effective implementation of network segmentation practices, while considering the intricacy of a corporate network?
Start with the essentials
All companies should start by asking the key question, “What do I need from my network, and how should I divide it for manageability?” To begin with, most segmentation strategies isolate access by department, and further by subsection or unit, which is entirely logical and therefore a necessary step towards ensuring that sensitive data does not find its way into the wrong hands.
After dividing the corporate network into individual segments, often called “zones”, IT managers need to ensure that only the minimal required access is provisioned between those zones or applications. Above all, highly sensitive zones should be proactively monitored to identify whether unnecessary access can be removed.
Continuation: the key for progress
The often-quoted phrase “security is a journey, not a destination” certainly applies here. Network segmentation is not a one-time project but an ongoing process that requires continuous maintenance. Networks constantly need updating, whether driven by new business requirements or by devices being added to or removed from the network. An ongoing, stepwise approach is best; at each step you can review, revise, and continue the momentum towards optimal segmentation:
- Monitor network traffic within each segment to gauge normal levels of activity.
- Reduce access to particular segments via firewalls to minimise exogenous threats and reduce the spread of successful attacks.
- Separate data assets by regulatory mandates, providing more visibility into what the protected assets contain, and what measures need to be taken to reduce risk.
- Continuously monitor for violations and threats to the network so that changes can be made in real time, and bake risk analysis into the change management process.
- Conduct regular internal audits to ensure prior changes in firewall policy haven’t introduced risk.
Microsegmentation: stay one step ahead
Depending on the maturity and the complexity of a company, as well as its business requirements, microsegmentation can manage network access through a more dynamic and application-specific approach.
When using microsegmentation, each segment is broken down even further – as far as the application and user levels. Access to data is granted only to a pre-defined security group of users that is carefully managed by the security team. The group can easily be modified to reflect changes in personnel, and access is provided only between specific security groups and specific applications. Rather than treating the network as a broad collection of users, microsegmentation lets you apply security in a more granular way from the start.
Microsegmentation can be used with physical networks, software-defined networks, and public cloud to manage advanced infrastructures by implementing access controls at the start.
Maintaining this desired network segmentation is where the difficulty lies, given the complex nature of security policies, alongside the fact that these constant change requests are now seen as the norm within most companies.
Regardless of where your organization stands on the network segmentation journey, comprehensive solutions that address the hybrid cloud and heterogeneous networks are required, thereby enabling IT security teams to effectively maintain a segmentation policy for their organisation.
An automated policy-based approach for segmentation
Although achieving and maintaining effective network segmentation is a difficult journey, the security of your organization often depends on it. The best comprehensive solutions use policy-based automation to achieve and manage even the most complex segmentation strategies. Automation is necessary to balance security and agility while keeping segmentation manageable over the network of today – and the infrastructure of tomorrow. Automation only succeeds, however, when a central policy drives all access control changes between segments and access violations between network zones are identified against that policy.
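The two ideas above (a central zone-to-zone policy that every access change is checked against, and the regular audit of firewall changes from the earlier list) can be illustrated with a small policy-as-code check. This is an added example written for this page; it is not Tufin's product or any code from the article. The zone CIDRs, the policy table and the firewall rules are constructed sample data, and the rule format is a simplification of what a real firewall exports.

```python
import ipaddress
from dataclasses import dataclass

# Zones of the constructed sample network. Any address that falls outside every
# defined zone is treated as belonging to the "internet" zone.
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/16"),
    "corp-users": ipaddress.ip_network("10.2.0.0/16"),
    "pci-db": ipaddress.ip_network("10.3.0.0/24"),
}
DEFAULT_ZONE = "internet"

# The central segmentation policy: which zone-to-zone flows may exist, and on
# which destination ports. A cross-zone flow not listed here is a violation.
POLICY = {
    ("internet", "dmz"): {443},
    ("corp-users", "dmz"): {443, 22},
    ("dmz", "pci-db"): {5432},
}


@dataclass(frozen=True)
class Rule:
    """A simplified firewall rule (constructed format, not a vendor export)."""
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port
    action: str   # "allow" or "deny"


def zones_of(cidr):
    """Return the set of zone names a CIDR touches.

    A block that is not fully inside one defined zone also reaches addresses
    outside every zone, so it additionally counts as the internet zone. This
    is deliberately conservative: an "any" source lands in every zone."""
    net = ipaddress.ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add(DEFAULT_ZONE)
    return touched


def check_rules(rules):
    """Return (rule name, src zone, dst zone, port) for every allow rule that
    permits a cross-zone flow the policy does not list."""
    violations = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for src_zone in sorted(zones_of(rule.src)):
            for dst_zone in sorted(zones_of(rule.dst)):
                if src_zone == dst_zone:
                    continue  # intra-zone traffic is not governed by this policy
                if rule.port not in POLICY.get((src_zone, dst_zone), set()):
                    violations.append((rule.name, src_zone, dst_zone, rule.port))
    return violations


def audit_change(old_rules, new_rules):
    """Violations a change request introduces: present after, absent before."""
    before = set(check_rules(old_rules))
    return [v for v in check_rules(new_rules) if v not in before]


# Constructed rule sets: a baseline and the same baseline after a change request.
BASELINE = [
    Rule("web-in", "0.0.0.0/0", "10.1.0.0/16", 443, "allow"),
    Rule("web-to-db", "10.1.0.0/16", "10.3.0.0/24", 5432, "allow"),
    Rule("users-web", "10.2.0.0/16", "10.1.0.0/16", 443, "allow"),
    Rule("deny-rest", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]
# The change request adds "temporary" RDP from the office network to the card-data zone.
CHANGED = BASELINE + [
    Rule("tmp-rdp", "10.2.0.0/16", "10.3.0.0/24", 3389, "allow"),
]

if __name__ == "__main__":
    for v in check_rules(BASELINE):
        print("existing violation:", v)
    for v in audit_change(BASELINE, CHANGED):
        print("introduced by change:", v)
```

Two results are worth noting. The baseline's `web-in` rule is reported even before the change: its `0.0.0.0/0` source spans every zone, so the rule also lets the `pci-db` zone reach the DMZ on 443, which the policy never listed. That is the kind of overly permissive rule the article opens with, and it only surfaces because the check reasons in zones rather than in addresses. The audit then isolates the single new violation, the RDP rule, so the change can be rejected or risk-accepted before it is pushed. Zone membership here is decided per CIDR with a conservative rule (a block that is not wholly inside one zone is assumed to reach the internet); a production tool would instead resolve rules against the actual topology.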
Comprehensive network segmentation is as important as ever, particularly to contain potential attacks. The emergence of finer-grained access control management, like microsegmentation, ensures security despite the increased complexity of the corporate network. Managing network segmentation through policy-based automation ensures that effective access controls are applied to contain successful attacks and restrict the access of a disgruntled employee or hackers. Thus, automated policy-based solutions are a critical piece in ensuring that your network defences are effectively designed, deployed, and managed now and throughout your digital transformation.
Andrew Lintell, Regional Vice President at Tufin