In light of recent security breaches, where third-party credentials have been used to access entire networks, IT organizations are turning their attention to the risks that can result from basic network segmentation errors. This serves as a good reminder to us all that practicing good network segmentation is as much a hygienic best-practice as brushing your teeth -- no one loves to do it, but regular care is essential to prevent long-term harm.
In many organizations, network segmentation has been a "set it and forget it" effort, which once done is almost immediately out of date. Segmentation needs to be managed as an ongoing process, with the policies that define it continuously enforced; otherwise the desired segmentation and the segmentation actually in place drift apart.
Security is not the only issue addressed by proper network segmentation. The ability to contain network problems, improve performance, and reduce congestion are all key benefits that come from a well-segmented, well-maintained network.
Make no mistake: Network segmentation is very hard. Complex networks house hundreds of devices, and enterprises typically have complicated policies with hundreds of rules. At Tufin, we see customers with hundreds of firewalls, routers, and switches across their network, each with hundreds of rules per device on average. A typical enterprise therefore has to consider tens of thousands of rules when segmenting its network in order to maintain security and compliance.
In addition, most organizations are dealing with dozens of changes a week to support new business applications, and users are demanding technologies like virtualization and cloud, each of which multiplies this complexity and can quietly undermine the integrity of existing network segments.
It’s helpful to think of your network in zones, so you can visualize and manage your network segmentation, either manually or in an automated fashion. Consider the business drivers as you map out your zones, including compliance (e.g., the PCI Data Security Standard), industry or company-specific risks, third-party contractual requirements, and company-specific business processes. Once you have mapped this out, you can see at a glance which services are allowed between any two zones and how sensitive each zone is, which is exactly the information a segmentation review needs.
Enterprises have hundreds of applications serving multiple lines of business, which adds an order of magnitude to the complexity of any change and must be factored into any segmentation exercise.
For example, when an organization rolls out a new application that requires interaction with several other resources in the network, a visual map of how this application interacts with those resources can help ensure that only the business-required communications are allowed, while every other type of communication is blocked.
One company we work with has segmented its network into 40 zones, split according to risk assessments, business needs, and compliance requirements. Some of the key segmentations include separation of the development network from the Internet, and even from the general enterprise network, so as to minimize any leakage of intellectual property.
In addition, organizations need to consider how they will be alerted on policy violations, so that changes made "out of band" (directly on a device, bypassing the change process) can be remediated immediately, and administrators are made aware of gaps between the desired and the actual segmentation. Organizations should be able to validate, ideally visually, that the desired segmentation matches the segmentation actually enforced on the devices.
Recent breaches should have served as a wake-up call to those not closely watching their network segmentation policies, but they’re not the only reason to practice good network segmentation hygiene. Organizations should consider adopting a matrix approach to network segmentation, a zone-by-zone table stating which services are permitted between each pair of zones, in order to establish a clear baseline and set of rules for all ongoing changes.
Once this baseline is established, they can automate the enforcement and checking of these rules and policies as far as possible, so that a policy violation is caught when the change is made rather than going unnoticed for days, weeks, or months.
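The matrix approach, and the comparison of desired against enforced segmentation described above, can be expressed in a few dozen lines of code. The following is an added example, not code from the original post or from Tufin's products: the zone names, CIDRs, service labels, matrix entries and the one-rule-per-line firewall export format are all constructed for illustration. It classifies each permit rule by the zones its source and destination CIDRs actually touch (a broad CIDR such as 10.0.0.0/8 touches several zones at once, and any address outside every named zone counts as Internet), then flags every zone pair and service the matrix does not allow.

```python
"""Compare a desired zone-to-zone segmentation matrix against the rules a
firewall actually enforces, reporting each permit rule that widens access
beyond the matrix. Added example with constructed zones, matrix and rules;
not taken from any real network or vendor product. IPv4 only."""
import ipaddress
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed zones. Addresses that fall in no named zone are treated as
# "internet", which is what makes 0.0.0.0/0 in a rule show up as a leak.
ZONES: Dict[str, List[IPv4Net]] = {
    "dev":  [ipaddress.ip_network("10.10.0.0/16")],
    "corp": [ipaddress.ip_network("10.20.0.0/16")],
    "pci":  [ipaddress.ip_network("10.30.0.0/24")],
    "dmz":  [ipaddress.ip_network("192.0.2.0/24")],
}

# Desired matrix: (src_zone, dst_zone) -> allowed services. A pair that is
# absent is denied; "any" means every service is allowed for that pair.
MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("corp", "dmz"):     frozenset({"tcp/443"}),
    ("dmz", "internet"): frozenset({"tcp/443"}),
    ("corp", "pci"):     frozenset({"tcp/443"}),   # payment UI only
    ("dev", "dev"):      frozenset({"any"}),
    ("corp", "corp"):    frozenset({"any"}),
    ("pci", "pci"):      frozenset({"any"}),
}

# Constructed rule export: "id action src dst service" per line. Rule 20
# lets dev reach anywhere on SSH; rule 30 is the classic "10/8 to 10/8 any"
# that silently erases the segmentation.
RULES = """
10 permit 10.20.0.0/16 192.0.2.0/24 tcp/443
20 permit 10.10.0.0/16 0.0.0.0/0 tcp/22
30 permit 10.0.0.0/8 10.0.0.0/8 any
40 deny 0.0.0.0/0 0.0.0.0/0 any
"""


class Violation(NamedTuple):
    rule_id: str
    src_zone: str
    dst_zone: str
    service: str


def _uncovered(net: IPv4Net, zone_nets: List[IPv4Net]) -> List[IPv4Net]:
    """Parts of `net` that lie outside every zone network. Two CIDRs either
    nest or are disjoint, so subnet_of/address_exclude suffice to carve."""
    remaining = [net]
    for z in zone_nets:
        nxt: List[IPv4Net] = []
        for r in remaining:
            if r.subnet_of(z):
                continue                          # fully inside this zone
            if z.subnet_of(r):
                nxt.extend(r.address_exclude(z))  # carve the zone out
            else:
                nxt.append(r)                     # disjoint, keep as-is
        remaining = nxt
    return remaining


def zones_touched(cidr: str) -> Set[str]:
    """Every zone a CIDR overlaps, plus "internet" for any part of it that
    no zone claims. A broad CIDR therefore touches many zones at once."""
    net = ipaddress.ip_network(cidr, strict=False)
    touched = {name for name, nets in ZONES.items()
               if any(net.overlaps(z) for z in nets)}
    all_zone_nets = [z for nets in ZONES.values() for z in nets]
    if _uncovered(net, all_zone_nets):
        touched.add("internet")
    return touched


def is_allowed(src_zone: str, dst_zone: str, service: str) -> bool:
    """True only if the matrix permits this exact flow. A rule for "any"
    service is acceptable only where the matrix itself says "any"."""
    allowed = MATRIX.get((src_zone, dst_zone))
    if allowed is None:
        return False
    if "any" in allowed:
        return True
    if service == "any":
        return False
    return service in allowed


def find_violations(rules_text: str) -> List[Violation]:
    """Expand each permit rule into the zone pairs it really opens and
    report every pair/service the matrix does not allow. Deny rules never
    widen access, so they are skipped."""
    out: List[Violation] = []
    for line in rules_text.strip().splitlines():
        rule_id, action, src, dst, service = line.split()
        if action != "permit":
            continue
        for s in sorted(zones_touched(src)):
            for d in sorted(zones_touched(dst)):
                if not is_allowed(s, d, service):
                    out.append(Violation(rule_id, s, d, service))
    return out


if __name__ == "__main__":
    for v in find_violations(RULES):
        print(f"rule {v.rule_id}: {v.src_zone} -> {v.dst_zone} "
              f"{v.service} is not allowed by the matrix")
```

Run against the constructed export, rule 10 (corp to DMZ on tcp/443) is clean, rule 20 produces four findings because 0.0.0.0/0 reaches corp, pci, dmz and the Internet from dev, and rule 30 produces thirteen because "any" service between 10/8 and 10/8 covers every zone pair except the three intra-zone pairs the matrix allows. The same check run at change time, before a rule is pushed, is the automation the text argues for; run periodically against a fresh export, it catches the out-of-band changes.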