Applying strong network segmentation to create a “defense in depth” strategy for your organization can provide many benefits. From slowing down attackers, to limiting the scope of a data breach, to making it easier to implement other data security policies (such as a policy of least privilege), network segmentation can be invaluable to your cybersecurity strategy.
However, what is network segmentation? More importantly, how do you create it in an effective and reliable manner?
To help you better protect your organization from modern cyber threats, here’s an explanation of this cybersecurity concept, as well as a few network segmentation best practices:
As noted by Tufin in a whitepaper on the subject: “Segmentation is the division of an organization’s network into smaller and, consequently, more manageable grouping of interfaces.” In other words, network segmentation is, at its core, the practice of taking a network of connected assets and isolating them from one another to increase security and manageability.
One of the major goals of network segmentation is to limit the scope of the damage done by any given attack on an organization’s network—and most especially those that arise from insider threats. Without strong network segmentation, any threat that gets past the perimeter defenses could affect the whole network.
So, how can you create defense in depth with a segmentation strategy? Here are a few network segmentation best practices to help you out:
While isolating the individual assets on your network is an excellent cybersecurity strategy, there is such a thing as too much segmentation. When a network is too heavily segmented, it can be harder to manage and even affect the network’s performance—which impacts employee productivity.
Locking down each endpoint in the network with the heaviest possible level of restriction might make the whole network more secure—but it would be far too resource-intensive and impractical for most organizations.
So, your defense in depth strategy should take into account how important each resource you’re isolating is, how sensitive the data and systems on that endpoint are, and how much network traffic that resource is expected to handle. Doing so can help you balance the weight of the security you apply against the value of the resource.
You cannot properly isolate and protect what you don’t know you have. Regular network audits are a necessity for any defense in depth strategy. Otherwise, you run the risk of missing some endpoints and connections on the network—creating security gaps that an attacker might be able to exploit.
Conducting frequent network audits to identify any new assets that have been added to the network is one of the most effective network security best practices for closing security gaps in your organization, so be sure to carry them out on a regular schedule.
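One way to turn the audit into a repeatable check is to diff what a discovery scan actually finds against the asset inventory, and to rank the gaps by the sensitivity of the segment each host sits on. The script below is an added example written for this article, not code from the original post; the segment ranges, sensitivity ratings, inventory and scan output are all constructed sample data.

```python
import ipaddress

# Constructed segment layout with a sensitivity rating per segment
# (assumptions for this example, not taken from the article).
SEGMENTS = {
    "corp-workstations": ("10.10.1.0/24", "low"),
    "customer-db": ("10.20.5.0/24", "high"),
    "vendor-dmz": ("10.30.9.0/24", "medium"),
}

# Constructed asset inventory: what the organization believes it has.
INVENTORY = {
    "10.10.1.21": "ws-alice",
    "10.10.1.22": "ws-bob",
    "10.10.1.23": "ws-carol",
    "10.20.5.10": "crm-db-01",
    "10.30.9.5": "hvac-jump-01",
}

# Constructed discovery output, one "ip hostname" pair per line, in the
# shape a simple scanner, DHCP lease table or ARP export might produce.
SCAN_OUTPUT = """\
# discovered hosts (constructed sample)
10.10.1.21 ws-alice
10.10.1.22 ws-bob
10.10.1.57 unknown-laptop
10.20.5.10 crm-db-01
10.20.5.44 crm-db-copy
10.30.9.5 hvac-jump-01
192.168.0.7 printer
"""

# Findings are ordered by how sensitive the affected segment is; a host that
# falls outside every defined segment is a segmentation gap in its own right.
RANK = {"high": 0, "unsegmented": 1, "medium": 2, "low": 3}


def parse_scan(text):
    """Parse 'ip hostname' lines into {ip: hostname}; skip blanks and comments."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, name = line.partition(" ")
        ipaddress.ip_address(ip)  # raises ValueError on malformed input
        hosts[ip] = name.strip() or None
    return hosts


def segment_of(ip):
    """Return (segment name, sensitivity) for ip, or (None, 'unsegmented')."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, sensitivity) in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name, sensitivity
    return None, "unsegmented"


def audit(scan_hosts, inventory=INVENTORY):
    """Diff discovered hosts against the inventory; return (ip, finding, sensitivity)
    tuples sorted with the most sensitive segments first."""
    findings = []
    for ip in scan_hosts:
        if ip in inventory:
            continue
        seg, sens = segment_of(ip)
        if seg is None:
            findings.append((ip, "outside every defined segment", sens))
        else:
            findings.append((ip, f"unknown host on {seg}", sens))
    for ip, name in inventory.items():
        if ip not in scan_hosts:
            seg, sens = segment_of(ip)
            findings.append((ip, f"inventoried host not seen ({name})", sens))
    return sorted(findings, key=lambda f: (RANK[f[2]], ipaddress.ip_address(f[0])))


if __name__ == "__main__":
    for ip, finding, sensitivity in audit(parse_scan(SCAN_OUTPUT)):
        print(f"[{sensitivity:>11}] {ip:<14} {finding}")
```

Run against the constructed data, the first finding is the unknown host on the customer database segment, which is the one an administrator should chase first; the printer on an address range no segment covers is flagged next, because a device nobody placed in a segment is exactly the kind of gap the audit exists to find.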
When preparing to enact a network segmentation strategy, it can be helpful not only to audit all of the data on the network, but also to consolidate similar resources and data on individual databases. This helps you to enact a policy of least privilege more easily and protect extra-sensitive information more readily.
For example, say you have customer data that only needs to be accessed by a very small number of people in your organization. Rather than having that data sitting on dozens of workstations, it would be better to consolidate all of it onto a single, well-protected database to increase security.
This takes fewer resources than trying to protect dozens of endpoints and allows you to apply stricter protections without placing as much of an impact on your overall network performance or user experience.
When defining which resources are “similar” for the purposes of consolidation, it can help to categorize the data both by type and level of sensitivity.
Most organizations partner with different vendors to meet their various needs. From HVAC repair vendors, to supply chain vendors, to vendors for specific software licenses, there’s no end to the list of specialists that an organization might contract for services. While not every vendor needs access to your organization’s backend, some might need to access your systems to render services.
When creating access portals for outside vendors on your network, it’s important to lock them down as much as possible and to only provide access to the resources they need to fill their function for your organization. This helps to limit the potential impact of a security breach in the vendor’s organization.
For example, if the vendor is breached and has unfettered access to your systems, then the attacker might be able to breach your network as well. However, if the vendor’s access is restricted to only a few systems that are isolated from the rest of your network, then the damage isn’t as likely to be severe.
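The difference between the two vendor scenarios above can be made concrete with a small zone-based policy model: define the zones, write default-deny rules between them, and compute what a given zone can reach. The code below is an added example for this article, not code from the original post or from any product; the zone names, address ranges, ports and rule sets are constructed assumptions chosen to mirror the HVAC-vendor case.

```python
import ipaddress

# Constructed zone layout (assumption for this example, not from the article).
ZONES = {
    "vendor-vpn": ipaddress.ip_network("10.30.9.0/24"),        # vendor access portal
    "building-ot": ipaddress.ip_network("10.40.0.0/24"),       # HVAC controllers
    "customer-db": ipaddress.ip_network("10.20.5.0/24"),       # consolidated customer data
    "corp-workstations": ipaddress.ip_network("10.10.1.0/24"),
}

# A rule is (source zone, destination zone, destination port); "*" is a
# wildcard. Any flow that matches no rule is denied.
UNFETTERED = [
    ("vendor-vpn", "*", "*"),                    # vendor may reach everything
    ("corp-workstations", "customer-db", 5432),
]
LEAST_PRIVILEGE = [
    ("vendor-vpn", "building-ot", 443),          # only the HVAC management interface
    ("corp-workstations", "customer-db", 5432),
]


def zone_of(ip):
    """Return the zone containing ip, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(rules, src_ip, dst_ip, port):
    """Default-deny evaluation of one flow against a rule set."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    for r_src, r_dst, r_port in rules:
        if r_src == src and r_dst in ("*", dst) and r_port in ("*", port):
            return True
    return False


def reachable_from(rules, zone):
    """Blast radius of a zone under a rule set: every (destination zone, port)
    it may reach. A wildcard destination expands to every other zone."""
    reach = set()
    for r_src, r_dst, r_port in rules:
        if r_src != zone:
            continue
        targets = [z for z in ZONES if z != zone] if r_dst == "*" else [r_dst]
        for target in targets:
            reach.add((target, r_port))
    return sorted(reach, key=lambda t: (t[0], str(t[1])))


if __name__ == "__main__":
    # Model the "vendor is breached" case: what can a host on the vendor
    # portal reach under each policy?
    for label, rules in (("unfettered", UNFETTERED), ("least-privilege", LEAST_PRIVILEGE)):
        print(f"{label}: vendor-vpn can reach {reachable_from(rules, 'vendor-vpn')}")
        print("  vendor -> customer-db:5432 allowed?",
              is_allowed(rules, "10.30.9.5", "10.20.5.10", 5432))
```

Under the unfettered rule set a compromised vendor host has the entire internal network in reach, customer database included; under the least-privilege rule set the same host can reach only the HVAC management port, which is the limited blast radius the passage describes. Running `reachable_from` over each external zone is a useful periodic check that nobody has quietly widened a vendor rule.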
The above list only covers a few of the best practices for network segmentation. For more information about how to protect your organization from cyber threats, check out our resources page!