What Is Network Segmentation?
Network segmentation is the process of controlling network traffic to limit the risk of cybersecurity breaches. Segmentation is a critical security concept: it reduces your attack surface by creating barriers between the systems that hold valuable data in your organization.
This means that if one area of your organization is breached, attackers do not get unrestricted access to all of the data held in your organization. For example, if you are a healthcare organization with multiple branches, the accounting department should be blocked from accessing sensitive healthcare records. Then, if an employee's device in that department is compromised or infected with ransomware, the attacker cannot reach those confidential records. Not only does this make your network more secure, it helps you comply with relevant frameworks like GDPR, which require PII to be protected.
Organizations should be able to manage and control their network segmentation policies to limit traffic flows by type, source, destination, and many other options. Network admins should be able to edit and enforce these segmentation policies.
Traditionally, hardware-based technologies placed inside branches have been used to enforce network segmentation policies. These include network firewalls and access-control configurations on network equipment. Today, network segmentation is more commonly associated with software-defined access technologies, which use traffic tags (labels) rather than network addresses to group and segment network traffic.
This new category of network segmentation solutions also encompasses microsegmentation technologies, which provide granular network access controls based on the principle of least privilege and Zero Trust. For example, in a healthcare setting, this may include configuring policies that govern which endpoint devices may exchange data, to help reduce the risk of data breaches and ransomware attacks.
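The allow-list-with-default-deny model described above, as an added illustration that is not code from the original article: workloads carry segment labels instead of being matched by IP address, every permitted flow is an explicit rule, and anything not listed (including traffic from unknown workloads) is denied. The workload names, segment labels, rules and sample flows are all constructed.

```python
"""Added example, not part of the original article: a minimal label-based
segmentation policy evaluator with default deny. Workload names, segment
labels, rules and flows are constructed for illustration."""
from dataclasses import dataclass

# Constructed inventory: each workload carries a segment label instead of
# being identified by IP address, in the style of software-defined segmentation.
WORKLOADS = {
    "acct-ws-01": "accounting",
    "acct-fileserver": "accounting",
    "ehr-app-01": "clinical-records",
    "ehr-db-01": "clinical-records",
    "branch-printer": "shared-services",
}


@dataclass(frozen=True)
class Rule:
    """One allow rule between two segments for a protocol/port."""
    src_segment: str
    dst_segment: str
    protocol: str
    port: int


# Explicit allow-list. Anything not listed is denied (default deny).
POLICY = {
    Rule("accounting", "accounting", "tcp", 445),                # SMB within accounting
    Rule("accounting", "shared-services", "tcp", 9100),          # printing
    Rule("clinical-records", "clinical-records", "tcp", 5432),   # EHR app -> EHR database
}


def is_allowed(src_host, dst_host, protocol, port):
    """Return True only if an explicit rule permits this flow."""
    src = WORKLOADS.get(src_host)
    dst = WORKLOADS.get(dst_host)
    if src is None or dst is None:
        return False  # unknown workloads get no implicit trust
    return Rule(src, dst, protocol, port) in POLICY


def evaluate(flows):
    """Return a list of (flow, 'allow'|'deny') for each (src, dst, proto, port)."""
    return [(f, "allow" if is_allowed(*f) else "deny") for f in flows]


# Constructed scenario: a ransomware-infected accounting workstation tries to
# reach the clinical records systems as well as another accounting machine.
SAMPLE_FLOWS = [
    ("acct-ws-01", "acct-fileserver", "tcp", 445),
    ("acct-ws-01", "ehr-db-01", "tcp", 5432),
    ("acct-ws-01", "ehr-app-01", "tcp", 445),
    ("ehr-app-01", "ehr-db-01", "tcp", 5432),
    ("unknown-laptop", "ehr-db-01", "tcp", 5432),
]

if __name__ == "__main__":
    for flow, decision in evaluate(SAMPLE_FLOWS):
        print(f"{decision:5} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
```

Only the intra-accounting file share and the EHR application's own database connection are allowed; the infected workstation's attempts to reach the clinical-records segment, and the unlabelled laptop, are denied without any rule having to name them.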
What Is Zero Trust Segmentation?
Zero Trust as a concept was first coined in 2010 by John Kindervag, then a Forrester analyst, with the basic premise that organizations should, wherever possible, continuously verify and never trust network connections, assuming a breach has already occurred.
It’s important to note that Zero Trust is a security philosophy, and not a static set of products with a consistent feature set. Segmentation is one aspect of Zero Trust, but not the whole picture. Zero Trust is also associated with the identity management space, and remote access.
With that said, segmentation is a key pillar of a Zero Trust strategy. When assuming a breach has occurred, it is important to put as many barriers as possible between the breached endpoint or server and your organization's important data.
As organizations move away from traditional network approaches towards dynamic and hybrid cloud environments and cloud applications delivered via API integrations, traditional network segmentation approaches have become very difficult to manage. This has led to the emergence of a new category of software-defined microsegmentation technologies, which are designed to help organizations move to a Zero Trust model.
Explaining Zero Trust Segmentation
One of the leading providers in the Zero Trust segmentation space is Illumio, which has featured in the Forrester Wave reports for both Zero Trust and microsegmentation. In a recent interview with Expert Insights, Illumio's co-founder and CTO PJ Kirner explained the concept of Zero Trust with the following metaphor:
“Think about how we build submarines. How does the submarine have physical resiliency in its environment? Well number one, it has redundancy. But the other thing is that it is built with a set of watertight components inside so, when there is a breach—and they plan for the inevitability of a breach—they can seal off the watertight compartment. And the breach might have an impact, but the submarine doesn’t sink.”
“That’s what Illumio does with Zero Trust Segmentation. It’s like putting those watertight walls up inside the submarine, so that your organization has cyber resiliency. You still need that outer wall; you still need to be able to defend yourself. But having that way to contain something so it does not become a disaster is what we’re focused on and is where Zero Trust Segmentation comes into play.”
Why Is Zero Trust Network Segmentation Important?
As Kirner explains, Zero Trust Network Segmentation is important because it ensures organizations have policies in place to prevent hackers and malware from moving laterally within an organization, once they have breached network defences.
Network segmentation technologies also provide valuable data to network admins. They allow admins to identify where network traffic is coming from by monitoring traffic flows between applications. This enables the creation of micro-policies and security automations that reduce your attack surface and contain future network breaches.
Zero Trust Network Segmentation is most important for enterprise organizations, especially those with complex and hybrid network environments. Example industries include aviation, government agencies, financial services, healthcare, and retail organizations.
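The flow-monitoring step described above, as an added example rather than code from the article or from any vendor: flow-log lines are parsed into an application flow map keyed by labels, intra-segment flows become draft allow rules, and cross-segment flows are only turned into rules once they recur; a single unexpected cross-segment connection is surfaced for an administrator to review, because that is what lateral movement looks like in flow data. The log format, the IP-to-label mapping, the log lines and the review threshold are all assumptions constructed for this example.

```python
"""Added example, not part of the original article: build a flow map between
labelled applications from constructed flow-log lines, then draft label-based
micro-policy rules and list the cross-segment flows that still need review.
The log format, IP-to-label mapping and review threshold are assumptions."""
import re
from collections import Counter

# Constructed mapping from workload IP to application/segment label.
LABELS = {
    "10.10.1.5": "accounting",
    "10.10.1.9": "accounting",
    "10.20.3.2": "ehr-app",
    "10.20.3.7": "ehr-db",
    "10.30.0.4": "backup",
}

# Constructed flow records in an assumed key=value format.
FLOW_LOG = """\
ts=1 src=10.10.1.5 dst=10.10.1.9 proto=tcp dport=445 action=accept
ts=2 src=10.20.3.2 dst=10.20.3.7 proto=tcp dport=5432 action=accept
ts=3 src=10.20.3.2 dst=10.20.3.7 proto=tcp dport=5432 action=accept
ts=4 src=10.30.0.4 dst=10.20.3.7 proto=tcp dport=5432 action=accept
ts=5 src=10.10.1.5 dst=10.20.3.7 proto=tcp dport=5432 action=accept
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flows(text):
    """Extract (src, dst, proto, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            flows.append((src, dst, proto, int(dport)))
    return flows


def flow_map(flows):
    """Count flows per (src label, dst label, proto, port): the
    application-dependency view that segmentation tooling gives admins."""
    counts = Counter()
    for src, dst, proto, port in flows:
        key = (LABELS.get(src, "unlabelled"), LABELS.get(dst, "unlabelled"), proto, port)
        counts[key] += 1
    return counts


def draft_rules(counts, min_cross_segment=2):
    """Turn the flow map into candidate allow rules.

    Flows inside one segment become rules directly. Cross-segment flows become
    rules only once seen at least min_cross_segment times (an assumed threshold);
    rarer ones are returned for an administrator to confirm or block instead of
    being baked into policy.
    """
    rules, review = set(), {}
    for key, n in counts.items():
        src_label, dst_label = key[0], key[1]
        if src_label == dst_label or n >= min_cross_segment:
            rules.add(key)
        else:
            review[key] = n
    return rules, review


if __name__ == "__main__":
    counts = flow_map(parse_flows(FLOW_LOG))
    rules, review = draft_rules(counts)
    print("draft rules:")
    for r in sorted(rules):
        print("  allow", r)
    print("needs review:")
    for r, n in sorted(review.items()):
        print(f"  {r} seen {n}x")
```

On the constructed log, the accounting file-share traffic and the recurring EHR app-to-database connection become draft rules, while the single backup-to-database and accounting-to-database flows are held for review rather than silently allowed.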
What Are The Benefits Of Network Segmentation?
Reduce Attack Surface
With network segmentation in place, your attack surface is reduced because each network system can be walled off from other, more vulnerable systems. Your most sensitive network systems, those that hold the most sensitive data, can be entirely walled off from harmful internet traffic.
Network segmentation will also ensure internal users can only access the network systems they need to for their roles, enforcing the principles of least privilege and reducing the risk of account compromise leading to harmful data breaches. Combined with authentication and identity management technologies, this can be a powerful step toward implementing a Zero Trust security model.
Effectively Contain Breaches
Network segmentation contains breaches by putting secure barriers in place between different traffic flows in your network. This means that a ransomware attack in one area of your network cannot spread to other network systems and, in many cases, can be contained and remediated very efficiently.
Ensure And Strengthen Regulatory Compliance
Network segmentation and Zero Trust segmentation approaches are highly recommended by many regulatory and compliance bodies and mandated in many regulated industries. Implementing network segmentation policies is an important way to strengthen and demonstrate regulatory compliance.