Best Practices in Network Segmentation for Security
Implementing better network segmentation to improve security is a significant project for network operations, data center ops, and security teams. From dividing IoT from IT using micro-segmentation to avoiding over-segmentation, we call out best practices for maximizing success in this task.
• The segmentation requirements for an enterprise call for a highly customized design.
• Avoiding either over-segmenting or under-segmenting the network is achievable but requires a formal project.
• Outsourcing segmentation project planning tends to result in poor outcomes. Too often, trust is placed in less trusted components, often resulting in segmentation projects being delayed or restarted, or with results that place the enterprise at undue risk.
• Segment based on data sensitivity, location, and criticality.
• For virtualized environments, change the technology, but not the security principles.
• Create a segmentation architecture that will accommodate short-term technology changes, and will best allow for housing new resources, applications and data within the existing framework.
• Create zones to proactively house Internet of Things (IoT) and operational technology (OT).
Strategic Planning Assumptions
In 2017, more than 70% of segmentation projects will have their initial design rearchitected because of over-segmentation.
Through 2018, the greatest delay for segmentation projects will be due to remedying the overreliance on less trusted segmentation mechanisms in the plan.
The topic of network segmentation has driven a high volume of client inquiry for Gartner in 2016, across security and networking analysts.
In security, network segmentation is concerned with dividing up the network into zones to aid in compliance, security, risk and maintaining control.
Early examples were the demilitarized zones (DMZs) created as buffer zones between the internet and internal resources. As networking and technology expanded, it was recognized that having enclaves or zones for assets requiring protection at a different level than the rest of the network was a foundational means to provide better security, rather than custom or duplicative safeguards for each endpoint and server.
Later, this was expanded to having “defense in depth” within the data center for web, application, and data servers, or between production facilities, such as SCADA and the rest of the enterprise.
Segmentation activity is significantly on the increase now in response to a number of drivers:
• PCI compliance. Credit card and payment information need to be housed in a zone distinct from the remainder of the network in order to meet compliance requirements.
• Increased threat complexity. Slower and more complex attacks are defended against via greater defense in depth, and more diligent separation of valuable assets and activities.
More attacks are now “multivector” and will not be stopped via a single safeguard, but rather through a collection of them.
Segmentation adds this separation and defense in depth, which is needed to contain attacks and limit the impact of a successful exploit.
Gartner’s golden rule of secure architecture is that no compromise of a single element should compromise the whole application stream or network.
• Data center virtualization and software-defined data centers. Motile and evanescent servers have challenged the preplanned security zones of the prior era of the data center that were anchored with physical appliances. Cloud adoption, especially infrastructure as a service (IaaS), software-defined networks (SDNs) and network function virtualization (NFV), are challenging how data center networks are designed and operated. Organizational challenges emerge as groups previously not responsible for networking, such as data center ops and server ops, take on networking embedded in software, and not necessarily as an extension of the WAN.
• Technology change. Web and application technology changes such as microservices are driving more ad hoc connections and more lateral or east-west communication between servers in the same tier.
• OT and IoT. OT and IoT devices are often more vulnerable, and OT devices will often be more critical to the enterprise. Manufacturing, healthcare and critical infrastructure will often have segmentation issues as they increasingly are pressured to form connections between their IT and OT systems.
• Global and merged operations. As enterprises enter new regions or engage in a merger or acquisition, new requirements are found for dividing the network into zones.
Although “network segmentation” is used as a general term, there are specific terms with meaning:
• Zone: Group of like resources and data, requiring similar protection, collected together.
• Isolation: Separation of zones, preventing interzone communication.
• Segmentation: Separating zones, but allowing specific communication and operation. Segmentation is also commonly used to collectively describe segmentation, isolation, and zoning.
The analysis of client inquiries, technology trends, and forecast of near-term adoption trends produces some clear and actionable best-practice recommendations:
Network segmentation projects are often triggered by an assessment of the network as being overly flat. Flat networks do not have a defense in depth, and raise the impact of a successful attack because “all your eggs are in one basket.” The most common mistake Gartner sees being made in response to remedying a flat network is to over-segment, or create too many zones.
A principle of network segmentation is to group like resources together, to minimize security overhead: Build a fence around the car park, not a fence and gate around every car.
The rationale should be based on the question “Is there a strong security case to keep these resources apart?” The extreme worst case is to segment each resource into a separate zone, with the likely consequence being “many doors propped open” in order to facilitate normal application and user conduct, making security operations more difficult and spending money and audit time on safeguards that provide no value.
There are also general networking performance and resiliency reasons to segment, such as limiting the blast radius of an outage to protect VoIP users for E911 compliance, or to separate services with differing SLA metrics or quality of service targets.
Most successful segmentation plans have few zones, with clear operational and data sensitivity separation. For example, a university will not have de facto separation between faculties, but rather will start with all faculties in a single zone and then create new zones for exceptions only, such as one dealing in medical research where patient data will be handled, or government research contracts requiring protection contractually.
A campus health clinic would be a separate zone (and may have subzones within it for medical devices), and there may be a HIPAA zone that the previously mentioned health research could share. For a retail chain, all U.S. payment kiosks could be a single zone.
Goldilocks is the patron of successful network segmentation — not too much, not too little, but just right for your enterprise.
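The zone, isolation and segmentation terms defined earlier, and the over-segmentation and “doors propped open” failure modes discussed above, can be made concrete with a small policy model. The code below is an added example and is not from the original article; the zone names, resources and rules are constructed sample data loosely modelled on the article's university illustration, and the review checks are heuristics of my own, not a published Gartner method.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int] = None     # None = any port (an overly broad rule)

@dataclass
class Policy:
    zones: Dict[str, Set[str]]     # zone name -> resources housed in it
    rules: List[Rule] = field(default_factory=list)

    def zone_of(self, resource: str) -> str:
        for zone, members in self.zones.items():
            if resource in members:
                return zone
        raise KeyError(f"{resource} is not assigned to any zone")

    def allowed(self, src: str, dst: str, port: int) -> bool:
        """Segmentation: interzone traffic is denied unless a rule permits it."""
        s, d = self.zone_of(src), self.zone_of(dst)
        if s == d:
            return True            # like resources share a zone freely
        return any(r.src == s and r.dst == d and r.port in (None, port)
                   for r in self.rules)

    def is_isolated(self, zone: str) -> bool:
        """Isolation: no rule permits traffic into or out of the zone."""
        return not any(zone in (r.src, r.dst) for r in self.rules)

    def review(self) -> List[str]:
        """Heuristic findings for the two anti-patterns the article warns about."""
        single = [z for z, m in self.zones.items() if len(m) == 1]  # fence around one car
        wide = [r for r in self.rules if r.port is None]            # door propped open
        return ([f"over-segmentation: zone {z!r} holds one resource" for z in single]
                + [f"propped-open door: {r.src}->{r.dst} on any port" for r in wide])

# Constructed sample: a campus with a shared faculty zone and a few exceptions.
CAMPUS = Policy(
    zones={"campus": {"lms", "wiki", "mail"},
           "health": {"ehr", "imaging"},
           "payments": {"kiosk-pos"},    # a single kiosk fenced off on its own
           "ot": {"hvac-plc", "bms"}},   # OT zone with no interzone rules at all
    rules=[Rule("campus", "health", 443),
           Rule("campus", "payments")],  # any port: too permissive
)
```

Running `CAMPUS.review()` on this sample reports the single-resource payments zone and the any-port campus-to-payments rule, while `CAMPUS.is_isolated("ot")` is true because no rule names that zone.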
Too few zones, or having a flat network, is the most common trigger for a network segmentation project and is often assessed via an audit finding. The causes of flat networks are many and include data center virtualization, mergers and acquisitions, cost optimization, and changes in network equipment vendors.
The threat and technology landscapes have also changed. Attackers now more commonly use advanced techniques, so the absence of defense in depth is more serious than it was in years past. Segmentation inside the WAN was seen almost exclusively in the verticals with the lowest acceptable risk, such as the military and critical infrastructure.
With more advanced technology and threats, the segmentation and isolation designs also must be more advanced. Gartner often sees flat networks persist where segmentation was considered but abandoned, because the task was seen as too onerous or expensive (often due to over-segmentation approaches).
An article first published by FortiGuard Labs