Trying to prevent network intrusions with conventional perimeter defenses is a bit like trying to dam a river with chicken wire — there are way too many holes to plug.
For decades, organizations focused on perimeter security measures to prevent intruders from accessing the network. While that’s still important, it is no longer entirely effective. Today, organizations must punch holes in the perimeter to accommodate increasingly distributed users and resources. They must support inside-out access for employees using cloud services, as well as outside-in access for remote and mobile users who need network resources.
This operating model enables a wealth of benefits, but it also creates a markedly expanded attack surface for malicious actors to exploit. Once attackers gain a foothold through one of these gaps, they may be able to move throughout the network to compromise more devices and applications.
This makes network segmentation an increasingly critical security measure. As the name suggests, segmentation is a technique for breaking up the company network into smaller, isolated parts to prevent the unchecked spread of threats.
The Value of Network Segmentation
Network segmentation is not new. Some organizations used a similar concept in the 1990s to prevent collisions on shared Ethernet segments. By the early 2000s, Internet hosting services commonly used VLAN segmentation to separate customer traffic.
The rise of ransomware has generated renewed interest in network segmentation. According to Akamai’s State of Segmentation 2023 report, 93 percent of IT and security decision-makers say segmentation is critical to thwarting ransomware attacks.
Traditional perimeter security measures such as firewalls are designed to control north-south traffic that enters and exits the network. They generally can’t see east-west traffic moving laterally from server to server within a network.
Ransomware and other threats exploit this weakness. Once attackers infiltrate the network — usually through social engineering — they can see and access everything within the network. Such attacks may go undetected for weeks or months, during which time the hackers can jump from workload to workload to conduct reconnaissance and harvest sensitive data.
Segmentation will not stop an attack, but it will restrict its ability to spread. Using firewalls, routers and switches to create isolated network segments, organizations can contain the damage to a single network segment.
Facilitating Zero-Trust Security
The ability to control the flow of network traffic and restrict unauthorized access makes segmentation a core element of zero-trust security. The zero-trust model assumes all access attempts are malicious until the user is authenticated and the device is validated. The Biden Administration has mandated that federal agencies implement network segmentation and zero-trust security as part of a comprehensive plan to improve the nation’s cybersecurity.
Segmentation is an essential practice for wireless networks. Many organizations allow guests to connect to the Wi-Fi network for Internet access, but this creates security risks. Isolating guest Wi-Fi from the rest of the network limits the spread of threats and ensures that guests can’t access sensitive company resources. Many companies also use the guest network to isolate Internet of Things (IoT) devices, which are notoriously vulnerable to malware attacks.
Segmentation also delivers significant compliance benefits. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to isolate cardholder data from the rest of the network.
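As an added illustration of the segmentation described above (a default-deny policy between the corporate, guest Wi-Fi/IoT and PCI cardholder segments, with only north-south and explicitly approved east-west flows permitted), the following example code is not part of this article; the segment addressing, ports and flow records are constructed assumptions:

```python
# Added example (not from the article): a minimal segmentation policy checked
# against constructed flow records, showing default-deny between segments.
import ipaddress

# Constructed segment layout (assumed addressing, not from the article).
SEGMENTS = {
    "corp":       ipaddress.ip_network("10.10.0.0/16"),
    "guest_wifi": ipaddress.ip_network("10.20.0.0/16"),  # guests and IoT devices
    "cardholder": ipaddress.ip_network("10.30.0.0/24"),  # PCI DSS scope
}
INTERNET = "internet"  # any address outside the segments above

# Explicit allow list of (source segment, destination segment, dst port).
# Anything not listed is denied, so east-west traffic is blocked by default.
ALLOW = {
    ("corp", INTERNET, 443),
    ("guest_wifi", INTERNET, 443),
    ("guest_wifi", INTERNET, 80),
    ("corp", "cardholder", 8443),  # only the payment app front end, over TLS
}

def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return INTERNET

def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow under the segmentation policy."""
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return "allow"  # intra-segment traffic is left to the local switch/VLAN
    return "allow" if (s, d, port) in ALLOW else "deny"

def lateral_denials(flows):
    """East-west flows the policy denies; blocked lateral movement is worth alerting on."""
    return [f for f in flows
            if INTERNET not in (segment_of(f[0]), segment_of(f[1]))
            and evaluate(*f) == "deny"]

# Constructed sample flows: (src, dst, dst port).
SAMPLE_FLOWS = [
    ("10.10.5.23", "198.51.100.1", 443),  # corp -> Internet: north-south, allowed
    ("10.20.7.9", "10.10.5.23", 445),     # guest/IoT -> corp SMB: lateral, denied
    ("10.10.5.23", "10.30.0.12", 8443),   # corp -> payment front end: allowed
    ("10.10.5.23", "10.30.0.12", 3389),   # corp -> cardholder RDP: lateral, denied
    ("10.20.7.9", "10.20.7.10", 22),      # guest -> guest: same segment
]
```

Running `lateral_denials(SAMPLE_FLOWS)` returns the two blocked segment-to-segment attempts, the events a SOC would want surfaced.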
Conclusion
The days of the impenetrable network perimeter are gone forever. We’ve created all sorts of holes to permit revolutionary ways to access and use data. In the process, we’ve also created openings for sophisticated new threats. Segmentation can’t close all those holes, but it can isolate the threats.
Despite keen interest in network segmentation, few organizations are actually using it. The Akamai study found that just 30 percent of organizations had deployed segmentation across more than two business-critical functions. Let the networking and security experts at Verteks help you use this technique as part of a zero-trust security model.