In a few of my recent posts, I’ve talked a bit about using defense-in-depth strategies featuring network segmentation as a core part of a strong cybersecurity posture. But, what is network segmentation, and how does it benefit your business?
A Quick Explanation of Network Segmentation
Network segmentation is, to put it as simply as possible, the practice of dividing a larger computer network into several small subnetworks that are each isolated from one another.
While many cybersecurity experts extol the benefits of keeping the different parts of a network isolated from one another, it seems that few organizations have fully implemented the practice. In fact, according to data cited by CIO, “although virtually all information technology professionals believe network segmentation is an essential security measure, less than one-quarter of organizations actually implement it.”
Network segmentation is also a key part of compliance with PCI DSS (payment card industry data security standard) requirements. The PCI Security Standards Council calls for the use of network segmentation to be used to help isolate all system components that are used to store, process, or transmit cardholder data or other sensitive authentication data.
How does network segmentation help secure payment card data for PCI DSS compliance? Here's and example: if another part of the network is breached, sensitive cardholder data can remain secure, since a breach of a random point of sale system will not compromise databases with payment card information. If there was no network segmentation, there would be nothing separating the compromised system from the cardholder data, allowing attackers near-immediate access without having to breach further security measures.
What Are Network Security Zones?
A term that you might often hear when discussing firewalls and network segmentation is “network security zone.” This is a term that can be used to define a specific interface/asset or group of assets on a network to which a common set of security policies and protections are applied.
For example, if you have a database on your network that has tighter access restrictions on it than other assets on the network, then that database would be its own network zone. Similarly, a group of point-of-sale (POS) terminals with the same access controls in a store could be considered a network security zone if they were grouped together and used the same security policies.
The practice of network segmentation helps to break up a network into several distinct network zones. Network segmentation relies on the use of segmentation controls.
What Are Segmentation Controls?
The simple definition of a segmentation control is any device, process, or system that can be used to create separate network zones to isolate assets on the network. For example, internal firewalls are a common segmentation control because they can be used to filter traffic between two separate nodes on a network.
Another common network segmentation control is an access control list (ACL). ACLs are the permissions that are attached to an object on the network which specify who can use the object and what the object is allowed to do. These can be highly restrictive, but effective for isolating assets on the network.
What is Segmentation Testing?
It’s not enough to simply apply segmentation controls to the network and assume that they’re going to keep sensitive data and systems properly isolated from illicit access attempts. Network segmentation tools need to be tested to verify their validity and efficacy against intrusion attempts. This is where segmentation testing becomes important.
Segmentation testing is exactly what the name implies—a form of network security testing designed to check how well existing segmentation controls are isolating different network zones. This type of testing is often carried out during larger penetration tests.
By stress testing segmentation tools, organizations can verify if their segmentation meets critical security standards (such as PCI DSS).
What Are the Benefits of Network Segmentation?
One reason why many businesses might not have set up network segmentation is that it can be a chore to set up—requiring detailed information about the network’s infrastructure so segments and control points can be created without leaving any gaps or workarounds to bypass the security, strong security controls, and major reworks to both the network architecture and the business processes that rely on it.
However, the benefits of segmenting your network can massively outweigh the challenges. Some key benefits of network segmentation include:
- Slowing Down Attackers. One of the biggest benefits of using network segmentation is that it can buy you extra time during an attack. If an attacker successfully breaches your network, and that network is segmented, then it will take some extra time for the attacker to break out of that segmented portion of the network to get at the resources they really want.
- Increasing Overall Data Security. By segmenting networks, it becomes easier to protect the most sensitive data that you have on your internally-facing network assets. The creation of a layer of separation between servers containing sensitive data and everything outside of your network can do wonders to reduce your risk of data loss or theft.
- Enabling Implementation of a Policy of Least Privilege. Having strong network segmentation makes it easier to restrict user access to your most sensitive information and systems. This can be invaluable for protecting that information if a user’s access credentials are compromised—or abused. In other words, network segmentation helps you to protect your business against insider attacks as well as attacks by outsiders.
- Reducing Damage from Successful Attacks. Because strong network segmentation can help keep attackers from breaking out of a system before you’ve contained the breach and cut off their access, it can help to minimize the damage caused by such breaches. There’s a world of difference between the time, money, and effort it takes to recover from a breach where the attacker was only able to compromise a single workstation and a breach involving thousands of financial records across your entire network.
I cannot stress enough the importance of creating a defense-in-depth strategy for your business that leverages strong network segmentation and numerous cybersecurity tools to reinforce that segmentation.
To get help creating a cybersecurity plan for your business to follow, or if you want to learn more about how you can segment your network to increase security without impacting your business, then contact Compuquip Cybersecurity! We have years of experience in helping enterprises implement new cybersecurity architectures that help protect their business interests.