Network access points have greatly expanded today with more remote workers, online services, and cloud applications. And while these advances are making virtual business interactions possible, today’s hybrid and multi-cloud IT environments are increasing the attack surface for bad actors. As a result, security protections must tighten, and many executives are turning to SASE strategies, Zero Trust security architectures, and network segmentation as proven approaches to reduce the risk of remote work. As IT leaders create more elaborate IT environments, the secret to success is to achieve the right amount of segmentation while not compounding management complexities.
Network segmentation is the practice of splitting a network into segments or subnetworks. These isolated zones are Layer 3 virtual networks with distinct benefits. With fewer hosts, local traffic is minimized. Subnets help isolate traffic, group similar traffic types, and separate traffic according to user groups, application, and information sensitivity. Physical or virtual appliances can then be used to enforce these segments using firewalls and virtual routing tables. Segmentation is a central practice for Zero Trust security strategies and a core element used in Zero Trust Network Access, as well as SASE frameworks.
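As an added illustration (not Masergy's code or tooling), the sketch below models segments as subnets with a default-deny allow-list between them, then checks a segment plan for overlapping subnets and flags flows that cross segments without a rule. The zone names, address ranges, ports, and flow records are all constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed segment plan: zone name -> subnet (illustrative values only).
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "guest":   ipaddress.ip_network("10.20.0.0/24"),
    "payment": ipaddress.ip_network("10.30.0.0/24"),
    "servers": ipaddress.ip_network("10.40.0.0/22"),
}

# Constructed allow-list of (source zone, destination zone, destination port).
ALLOW = {("users", "servers", 443), ("servers", "payment", 8443)}

def find_overlaps(segments):
    """Return pairs of zone names whose subnets overlap (a plan error)."""
    return [(a, b) for (a, na), (b, nb) in combinations(segments.items(), 2)
            if na.overlaps(nb)]

def zone_of(ip, segments=SEGMENTS):
    """Map an address to its zone, or None if it belongs to no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, port, segments=SEGMENTS, allow=ALLOW):
    """Default deny: unknown hosts fail, same-zone is local, cross-zone needs a rule."""
    src, dst = zone_of(src_ip, segments), zone_of(dst_ip, segments)
    if src is None or dst is None:
        return False
    return src == dst or (src, dst, port) in allow

def violations(flows):
    """Return the (src, dst, port) flows that the segment plan does not permit."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed flow records, such as a firewall or flow log might export.
FLOWS = [
    ("10.10.4.7", "10.40.1.20", 443),   # users -> servers: allowed
    ("10.20.0.15", "10.30.0.5", 8443),  # guest -> payment: no rule
    ("10.10.4.7", "10.30.0.5", 8443),   # users -> payment: no rule
    ("10.40.1.20", "10.30.0.5", 8443),  # servers -> payment: allowed
]

if __name__ == "__main__":
    print("overlapping segments:", find_overlaps(SEGMENTS))
    print("flows violating the plan:", violations(FLOWS))
```

Keeping the plan in one reviewed file like this gives network and security teams a single documented source for which cross-segment paths are expected.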
After an initial network infiltration has occurred, the situation can quickly go from bad to worse as hackers progressively move toward high-value information. Segmentation creates “walls” that can help limit that progression as it compartmentalizes the IT infrastructure into distinct isolated zones for more effective data safeguarding. Creating layers of protection with incremental gates, these zones help limit the attack surface for hackers and strengthen the enterprise security posture. As one of the strongest security strategies, segmentation improves:
Many factors in the world today are increasing the need for highly segmented environments.
Rises in Ransomware, Data Breaches and Cybersecurity Threats: With 64% of companies having experienced some kind of cyber attack, the advancing threat landscape is forcing executives to focus on proven security tactics and reach for every strategy in the security toolbox.
Business and IT Trends: Remote work and emerging technologies are also big drivers. Today, slicing is being used especially for 5G networks, so one network can be used to safely serve multiple business purposes. Cloud migration and the rising demands of more cloud applications and services call for more segmentation. IoT, remote work, and the proliferation of devices expanding the network edge, including bring-your-own-device policies, are also factors. Guest Wi-Fi often calls for guests and known users to be divided. Even everyday business activities may need to be segmented for safety.
Government Regulations and Compliance Requirements: Both new and existing regulations, including payment card industry standards, trigger leaders to segment networks.
Although every enterprise will take its own approach to designing segmentation policies, these lists serve as samples for both basic and advanced network segmentation. Remember, there’s no perfect number of network segments–it’s best to let your business needs lead the way. On average, however, Masergy’s clients have six distinct network segments.
Basic Network Segmentation
Most network architects focus on the larger network zones as a good first step. These include:
Advanced Network Segmentation
More advanced, micro-segmentation approaches would include the list above and then add to it with segments such as:
Segmentation is known to cause complexity in the IT environment, creating operational and logistical barriers. These three challenges are common:
Technology Limitations: Rigid legacy network systems and multiple technology stacks create interoperability issues, making it difficult to manage a variety of segmented environments, gain clear visibility across all of them, and facilitate security monitoring.
Poor Management: Segmentation is inadequately documented and not managed from a central place or repository.
Operational Misalignment: The network segmentation strategy is designed without consideration for security operations, which can cause friction among NOC and SOC teams.
With the right strategies and tools, IT leaders can achieve an optimal amount of network division without creating management headaches for employees.
Segmentation Principles: Three Things to Consider
Masergy unites all of these capabilities into an SD-WAN solution, providing segmentation capabilities at no additional charge and exporting security monitoring data from segmented networks into a comprehensive managed detection and response service. When you’re ready to rethink your network design and security service, call on our experts.