How Network Segmentation Limits Cyber Risks

Financial managers recommend building a diversified portfolio of investments in several different companies and industries in order to reduce your risk profile. In a similar way, network segmentation limits cybersecurity risks by breaking up the corporate network into smaller, isolated parts.

In an age of increasingly distributed network resources, segmentation is becoming an essential element of network security. With more employees, devices, applications and services residing outside the corporate firewall, malicious actors have many new points of entry into critical systems. Industry analysts believe that more than half of all data breaches now stem from attacks targeting remote users’ endpoint devices.

Segmentation won’t stop an attack, but it restricts its ability to spread. Using firewalls, routers and switches to isolate network sections, segmentation prevents ransomware and other malware from propagating throughout the network. In the event of a breach or infection, segmentation can contain the damage to a single network segment, or subnetwork.

Zero Trust

The ability to control traffic flows and restrict unauthorized access makes segmentation one of the core elements of zero-trust security. The zero-trust model is designed to verify the identity of every user, validate every device connecting to the network and limit access on a need-to-know basis. According to one recent survey, 60 percent of U.S. companies have accelerated their implementation of zero-trust security and network segmentation over the past year.

Although segmentation is widely used in wired networks, it’s also a good practice for wireless networks. Many organizations need both a private Wi-Fi network for workplace productivity and a public network for guests or visitors. Restricted access privileges ensure that guests can access the public Internet but not sensitive resources on the company network. Many companies also use the guest network to isolate Internet of Things devices that are notoriously vulnerable to malware attacks.

Segmentation also supports compliance. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to isolate cardholder data from the rest of the network, and a well-defined cardholder segment keeps the rest of the network out of audit scope.

Segmentation Techniques

There are multiple ways to effectively segment a network. Here are a few of the more common approaches:

  • VLAN segmentation. This involves creating segments with virtual local area networks using IP addresses for partitioning. This is a popular approach because it allows an administrator to segment networks based on users, devices or job functions without regard for the physical location of the user or device.
  • Firewall segmentation. In this approach, firewalls are deployed at sub-network boundaries to prevent threats from spreading. Customized firewall rules determine which users or applications can cross the boundary.
  • SDN segmentation. This technique uses software-defined networking principles to switch or route traffic among sub-networks. It supports greater automation and programmability but can add complexity.
  • Micro-segmentation. This technique enables IT administrators to assign fine-grained security policies at the workload level. In this way, security persists no matter how or where the workload is moved — even if it moves across cloud domains.
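To make the containment idea concrete, here is an added illustration (not code from the original post) that models a small network as VLAN-style subnets with a default-deny firewall policy at the segment boundaries, then computes the "blast radius" of a compromised host: which internal segments it could reach by following allowed paths. The segment names, subnets, ports and rules are constructed sample values, not a recommended production policy; the hypothetical `blast_radius` function is the point of the exercise, since it shows that an isolated guest or IoT segment contains a compromise while a chain of allowed rules can still carry an intruder from user workstations toward the cardholder segment.

```python
"""Segmentation policy checker: added illustration, not part of the original post.

Models a network split into subnet-based segments with a default-deny firewall
between them, and computes how far a compromised host could move laterally.
All subnets, segment names and rules are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed example segments (arbitrary private ranges).
SEGMENTS = {
    "corp_users": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "cardholder": ipaddress.ip_network("10.30.0.0/24"),   # PCI DSS scope
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
    "iot": ipaddress.ip_network("192.168.60.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str             # source segment name
    dst: str             # destination segment name ("internet" = outside)
    dport: Optional[int] # TCP/UDP destination port, None = any port
    action: str          # "allow" or "deny"


# Boundary firewall policy: first match wins, anything unmatched is denied.
RULES: List[Rule] = [
    Rule("corp_users", "servers", 443, "allow"),    # users reach app servers over HTTPS
    Rule("servers", "cardholder", 5432, "allow"),   # only app servers reach the card DB
    Rule("guest_wifi", "internet", None, "allow"),  # guests get Internet only
    Rule("iot", "internet", None, "allow"),         # IoT devices get Internet only
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside known subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Evaluate a single flow against the boundary policy (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True  # traffic inside one segment never crosses the boundary firewall
    for rule in RULES:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action == "allow"
    return False


def blast_radius(compromised_ip: str) -> Set[str]:
    """Internal segments reachable from a compromised host, including multi-hop
    paths where each hop is an allowed rule (a pivot through a reachable segment)."""
    start = segment_of(compromised_ip)
    reached = {start}
    frontier = [start]
    while frontier:
        current = frontier.pop()
        for rule in RULES:
            if (rule.src == current and rule.action == "allow"
                    and rule.dst != "internet" and rule.dst not in reached):
                reached.add(rule.dst)
                frontier.append(rule.dst)
    return reached


if __name__ == "__main__":
    for host in ("192.168.60.7", "192.168.50.3", "10.10.0.5", "10.30.0.2"):
        print(f"{host} ({segment_of(host)}) can reach: {sorted(blast_radius(host))}")
```

Run as a script, the output shows that a compromised IoT or guest device is confined to its own segment, while a compromised workstation can reach the servers segment and, by pivoting through a server, the cardholder segment. That second result is the kind of finding a segmentation review is meant to surface: the rule chain is individually reasonable but the combined reachability may be wider than intended, which is where tighter firewall rules or micro-segmentation at the workload level come in.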

For decades, network security practices focused on creating a hardened perimeter to keep intruders out. However, the traditional perimeter has been erased, with network traffic now traversing corporate data centers, cloud environments, the Internet, and wired and wireless LANs. Once attackers gain a foothold through any of these attack vectors, they can move laterally through the network, infecting more devices and applications.

Segmentation techniques provide a valuable defense by containing threats in small sections of the network. Contact us to learn more about using segmentation as part of a zero-trust security model that can safeguard your valuable network assets.
