Network segmentation security: How to avoid IT complexity

Network access points have greatly expanded today with more remote workers, online services, and cloud applications. And while these advances are making virtual business interactions possible, today’s hybrid and multi-cloud IT environments are increasing the attack surface for bad actors. As a result, security protections must tighten, and many executives are turning to SASE strategies, Zero Trust security architectures, and network segmentation as proven approaches to reduce the risk of remote work. As IT leaders create more elaborate IT environments, the secret to success is to achieve the right amount of segmentation while not compounding management complexities.

What is network segmentation and how does it work?

Network segmentation is the practice of splitting a network into segments or subnetworks. These isolated zones are Layer 3 virtual networks with distinct benefits. With fewer hosts, local traffic is minimized. Subnets help isolate traffic, group similar traffic types, and separate traffic according to user groups, application, and information sensitivity. Physical or virtual appliances can then be used to enforce these segments using firewalls and virtual routing tables. Segmentation is a central practice for Zero Trust security strategies and a core element used in Zero Trust Network Access, as well as SASE frameworks.

What are the security benefits of network segmentation?

After an initial network infiltration has occurred, the situation can quickly go from bad to worse as hackers progressively move toward high-value information. Segmentation creates “walls” that can help limit that progression as it compartmentalizes the IT infrastructure into distinct isolated zones for more effective data safeguarding. Creating layers of protection with incremental gates, these zones help limit the attack surface for hackers and strengthen the enterprise security posture. As one of the strongest security strategies, segmentation improves:

• Access Control: VLANs segregate visitor access, allowing only those with permissions to access information
• Containment: Compartments create more security “walls” or barriers that contain security threats. In the event that a network is compromised, hackers are less likely to pivot into other networks and subnets. This confines the effect, limits the spread of the attack, and reduces risk.
• Security Monitoring: With each subnet generating its own flow data, security monitoring also becomes segmented, because monitoring is applied to each subnet individually. This allows for more granular visibility into the behavior of each subnet. Plus, it allows security policies to be applied to each subnet, making security rules more relevant and specific to the unique needs of each environment.

What’s driving more network segmentation?

Many factors in the world today are increasing the need for highly segmented environments.

Rises in Ransomware, Data Breaches and Cybersecurity Threats: With 64% of companies having experienced some kind of cyber attack, the advancing threat landscape is forcing executives to focus on proven security tactics and reach for every strategy in the security toolbox.

Business and IT Trends: Remote work and emerging technologies are also big drivers. Today, slicing is being used especially for 5G networks, so one network can be used to safely serve multiple business purposes. Cloud migration and the rising demands of more cloud applications and services call for more segmentation. IoT, remote work, and the proliferation of devices expanding the network edge, including bring-your-own-device policies are factors. Guest Wi-Fi often calls for guests and known users to be divided. Even everyday business activities may need to be segmented for safety.

Government Regulations and Compliance Requirements: Both new and existing regulations, including payment card industry standards, trigger leaders to segment networks.

How should I segment my network?

Although every enterprise will take their own approach for designing segmentation policies, these lists serve as samples for both basic and advanced network segmentation. Remember, there’s no perfect number of network segments–it’s best to let your business needs lead the way. On average, however, Masergy’s clients have six distinct network segments.

Basic Network Segmentation

Most network architects focus on the larger network zones as a good first step. These include:

• Corporate private network
• Data center
• Disaster recovery
• Branch locations

Advanced Network Segmentation 

More advanced, micro-segmentation approaches would include the list above and then add to it with segments such as:

• PCI Servers: for compliance purposes
• Cloud infrastructure: for running on-premise software inside a service provider’s infrastructure
• Departmental subnets: for separation by usage, access control, and data sensitivity
• Supply chain extranet: for controlled access for partners and vendors
• Mergers and acquisitions: for separation during a gestation period
• Research and development and test/development: for testing applications and emerging technologies
• Nearshore and offshore: for managing processes where security concerns are elevated
• Guest Wi-Fi: for managing low-priority traffic that should have no access privileges
• IoT and bring-your-own-device (BYOD) policies: for securely managing an infinite number of connected devices that are beyond corporate control

What challenges can come with network segmentation?

Segmentation is known to cause complexity in the IT environment, creating operational and logistical barriers. These three challenges are common:

Technology Limitations: Rigid legacy network systems and multiple technology stacks create interoperability issues, making it difficult to manage a variety of segmented environments, gain clear visibility across all, and facilitate security monitoring

Poor Management: Segmentation is inadequately documented and not managed from a central place or repository

Operational Misalignment: The network segmentation strategy is designed without consideration for security operations, which can cause friction among NOC and SOC teams.

How do you segment to avoid IT complexity?

With the right strategies and tools, IT leaders can achieve an optimal amount of network division without creating management headaches for employees.

Segmentation Principles: Three Things to Consider

• Prerequisites: A smart strategy leads with business needs, which means enterprises must have a deep familiarity with both their security needs and sensitive data. This requires many IT leaders to first chart where data is stored, who accesses it, and how it flows across the network. Data mapping exercises are a good first step.
• Strategies for Segmentation: Business needs should also dictate which criteria are used. Some samples include diving the network by:
  • User group
  • Data sensitivity type
  • Application
  • Security initiatives (such as government regulations, etc.)
• “Sweet Spot” Segmentation: It’s possible to have too few segments, which fail to deliver security benefits. But perhaps even more challenging is too many segments, which hinder user productivity and manageability as the enterprise grows. Finding the sweet spot is key.

Network segmentation security: Three must-have tools

1. SDN Removes Constraints: Laying a foundation for segmentation, the network infrastructure must be agile. Software defined networks (SDN) eliminate the operational constraints around the concept of creating and managing a limitless number of networks, because they allow IT teams to quickly spin-up and spin-down virtual environments using a variety of access methodologies. Plus, these networks typically support multi-VRF security monitoring, which is used to evaluate the unique behavior of each segment.
2. Deep Visibility Simplifies Complexity: Deep WAN visibility is essential. IT teams and security monitoring tools require dashboards with granular insights as well as real-time data and a complete history of all network activity, so alerts can be validated to confirm the type and severity of the threat.
3. Machine Learning Aids Security: When it comes to securing highly segmented environments, machine learning and behavior analytics shift from the nice-to-have category to a must-have priority. Modern analytics rapidly navigate any network labyrinth, pinpointing abnormal traffic patterns. Also look for a fully managed security service capable of ingesting and monitoring multi-VRF dataflows.

Masergy unites all of these capabilities into an SD-WAN solution, providing segmentation capabilities at no additional charge and exporting security monitoring data from segmented networks into a comprehensive managed detection and response service. When you’re ready to rethink your network design and security service, call on our experts.