What is Network Segmentation?
“Network segmentation” refers to the physical and logical separation of IT assets and resources – such as data, applications, servers and users. Isolating a network into segments reduces the size of the attack surface by limiting the IT assets that are accessible from each segment. The resources connected to a segment, regardless of their nature – physical, virtual, or human – are prevented from interacting with (or even being “seen” by) resources on other network segments. At its most fundamental level, network segmentation creates and maintains logically grouped subsets of resources that are isolated from all other, implicitly untrusted, groups – even when those other groups are part of the same business organization.
Why is Network Segmentation Important?
Emerging information about recent security breaches illustrates the critical role network segmentation has in protecting any organization’s IT assets. Network segmentation allows you to isolate and apply segment-specific policies to, for example, your Cardholder Data Environment (CDE). It enables organizations to apply more granular controls (in this example, PCI DSS-based policies) to limit potential exposure and reduce risk. The ultimate goal of network segmentation is to protect your most sensitive data from unauthorized access or disclosure.
In environments where network segmentation is not practiced, the organization’s entire network is the potential attack surface. In a “flat” (un-segmented) network, an individual with malicious intent need only compromise a single device on the network. That device becomes a launch pad from which the entire network can be attacked. Once inside, the attacker can “see” and access all other network-attached devices. On a segmented network, only the devices on a particular segment are accessible to authorized and – in the case of a breach, unauthorized – users.
With proper network segmentation in place, an attacker cannot access resources across the entire network, thanks to restrictive access control lists and other policies limiting or preventing interaction between segments. In the earlier CDE example, an attacker breaching another segment would not be able to get to the CDE segment. Those IT assets would remain protected behind additional layers of firewalls and security. Ultimately, network segmentation plays a key role, if not the most important role, in ensuring that your confidential data remain confidential.
How is Network Segmentation Achieved?
The first step in any network segmentation effort should be an inventory of all IT assets and the data that they contain, followed by a risk assessment of those assets (physical and virtual). These steps are crucial to ensuring that the logical resource groupings, which will make up the segments, are accurate in their lines of separation and there are no “bleed points” through which sensitive data could be lost.
Temptation to skip these early steps is often driven by a desire to “become compliant” sooner, to demonstrate faster forward progress, or to relieve the discomfort of feeling overwhelmed by the task at hand. Yet, it is impossible to properly segment a network without first understanding the network composition in its entirety. By dedicating the necessary resources to the inventory and risk assessment steps, an organization can expect a smoother transition to an effectively segmented network.