How Segmentation Controls the Rising Tide of Network Threats
Trying to prevent network intrusions with conventional perimeter defenses sometimes feels a bit like trying to dam a river with chicken wire — there are way too many holes to plug.
For decades, organizations have focused on perimeter security measures to prevent intruders from accessing the network. While that’s still important, it’s no longer entirely effective. Today, organizations must punch holes in the perimeter to accommodate increasingly distributed users and resources. They must support inside-out access for employees using cloud services, as well as outside-in access for remote and mobile users requiring network resources.
This operating model enables a wealth of benefits, but it also creates a markedly expanded attack surface for malicious actors to exploit. Once attackers gain a foothold through one of these gaps, they may be able to move unrestricted through the network to compromise more devices and applications.
This makes network segmentation an increasingly critical security measure. As the name suggests, segmentation is a technique for breaking up the corporate network into smaller, isolated parts in order to prevent the unchecked spread of malware.
An Evolving Technique
Segmentation is not a new technique. Some organizations used a similar concept in the 1990s to prevent collisions on shared Ethernet segments. By the early 2000s, Internet hosting services commonly used VLAN segmentation to separate customer traffic.
There is renewed interest in the technique these days as remote work creates new entry points into the IT environment. Cybersecurity experts say that more than half of all attacks target remote users’ endpoint devices.
The main issue is that traditional perimeter security measures such as firewalls are designed to control north-south traffic that enters and exits the network. They generally can’t see east-west traffic moving laterally from server to server within a network.
Ransomware and other threats exploit this weakness. Once attackers infiltrate the network — usually through phishing or social engineering — they can see and access everything within the network. Such attacks may go undetected for weeks or months, during which time the hackers can jump from workload to workload to harvest credentials and conduct reconnaissance.
Segmentation won’t stop an attack, but it dramatically restricts its ability to spread. Using bridges, routers and switches to create isolated network segments, segmentation can contain the damage to a single network segment.
Facilitating Zero-Trust Security
The ability to control the flow of network traffic and restrict unauthorized access makes segmentation a core element of zero-trust security. The zero-trust model assumes all access attempts are malicious until the user is authenticated and the device is validated. In his recent executive order on improving the nation’s cybersecurity, President Biden mandated that federal agencies implement network segmentation and zero-trust security within six months.
Segmentation is an essential practice for wireless networks. Many organizations allow guests to connect to the Wi-Fi network for access to the Internet, but this creates security risks. Isolating guest Wi-Fi from the Wi-Fi network for workplace productivity limits the spread of threats and ensures that guests can’t access sensitive company resources. Many companies also use the guest network to isolate Internet of Things devices that are notoriously vulnerable to malware attacks.
Segmentation also delivers significant compliance capabilities. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to isolate cardholder data from the rest of the network. Segmentation also supports PCI DSS requirements for the use of multifactor authentication.
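The two points above (east-west traffic that a perimeter firewall never sees, and isolating guest, IoT and cardholder segments) can be made concrete with a small policy model. The following is an added example written for this page, not code from the article or any vendor product. It models segments as CIDR blocks, allows east-west traffic only where an explicit flow rule exists, computes which segments a compromised host in a given segment could reach (following allowed flows transitively), and flags constructed flow-log records that a segmentation firewall would block. The segment names, address ranges, permitted flows and log records are all constructed for illustration; the model assumes traffic inside one segment is not filtered, which is the usual case without microsegmentation.

```python
"""Toy segmentation-policy checker (added example; not from the original article)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """A permitted east-west flow from one segment to another on one TCP port."""
    src: str
    dst: str
    port: int


class SegmentationPolicy:
    def __init__(self, segments, allowed):
        # segments: {segment name: CIDR string}; allowed: permitted inter-segment flows.
        # Anything not listed in `allowed` is denied between segments (default deny).
        self.segments = {name: ip_network(cidr) for name, cidr in segments.items()}
        self.allowed = set(allowed)

    def segment_of(self, ip):
        """Return the name of the segment containing `ip`, or None if unassigned."""
        addr = ip_address(ip)
        for name, net in self.segments.items():
            if addr in net:
                return name
        return None

    def is_allowed(self, src_ip, dst_ip, port):
        """Would the segmentation firewall pass this flow?"""
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src is None or dst is None:
            return False            # unknown address space is dropped
        if src == dst:
            return True             # assumption: no filtering inside a segment
        return Flow(src, dst, port) in self.allowed

    def reachable_from(self, segment):
        """Segments an attacker starting in `segment` could reach by chaining allowed flows."""
        seen, todo = {segment}, [segment]
        while todo:
            cur = todo.pop()
            for f in self.allowed:
                if f.src == cur and f.dst not in seen:
                    seen.add(f.dst)
                    todo.append(f.dst)
        return seen

    def violations(self, records):
        """Flow-log records (dicts with src, dst, port) the policy would have blocked."""
        return [r for r in records if not self.is_allowed(r["src"], r["dst"], r["port"])]


# Constructed segments: corporate users, application servers, cardholder data
# environment (CDE), an admin segment, guest Wi-Fi and a separate IoT segment.
SEGMENTS = {
    "corp": "10.10.0.0/16",
    "servers": "10.30.0.0/16",
    "cde": "10.40.0.0/24",
    "admin": "10.50.0.0/24",
    "guest": "192.168.50.0/24",
    "iot": "192.168.60.0/24",
}

# Constructed allow-list: users reach servers over HTTPS only; only the admin
# segment may reach servers and the CDE over SSH; guest and IoT reach nothing.
ALLOWED = [
    Flow("corp", "servers", 443),
    Flow("admin", "servers", 22),
    Flow("admin", "cde", 22),
]

POLICY = SegmentationPolicy(SEGMENTS, ALLOWED)

# A flat network for comparison: one segment, so every east-west flow passes.
FLAT = SegmentationPolicy({"lan": "0.0.0.0/0"}, [])

# Constructed flow-log records, roughly what a NetFlow or VPC flow log yields.
RECORDS = [
    {"src": "10.10.4.7", "dst": "10.30.1.10", "port": 443},      # user -> web app: allowed
    {"src": "10.10.4.7", "dst": "10.30.1.10", "port": 445},      # user -> server SMB: blocked
    {"src": "192.168.50.23", "dst": "10.40.0.5", "port": 443},   # guest -> CDE: blocked
    {"src": "192.168.60.9", "dst": "10.10.4.7", "port": 22},     # IoT -> user laptop: blocked
    {"src": "10.30.1.10", "dst": "10.30.1.11", "port": 445},     # server -> server, same segment
]

if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"compromise in {seg:<8} can reach: {sorted(POLICY.reachable_from(seg))}")
    print("blocked by segmentation:", POLICY.violations(RECORDS))
    print("blocked on a flat network:", FLAT.violations(RECORDS))
```

Running the block shows that a foothold on guest Wi-Fi or an IoT device reaches only its own segment, a compromised user laptop reaches the servers segment but not the CDE, and three of the five sample records would be dropped, whereas the flat policy passes all of them. The `reachable_from` check is transitive on purpose: it is the quickest way to notice when a chain of individually reasonable allow rules still connects a low-trust segment to a high-value one.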
The days of the impenetrable network perimeter are gone forever. We’ve created all sorts of holes to permit revolutionary ways to access and use data. In the process, we’ve also created openings for sophisticated new threats. Segmentation can’t close all those holes, but it can isolate the threats. Contact us to learn more about using this technique as part of a zero-trust security model.