
Security Think Tank: Effective IT segregation must involve the business

What are the security benefits and challenges of segregating IT environments, and how best are these challenges overcome?

Today, any CISO, or C-level executive for that matter, is worried about data within the enterprise and keeping that data in the enterprise.

In today’s borderless world, this is easier said than done. Each day brings a host of challenges, from where, how and by whom the data is accessed, to how and why it flows, and how to protect it at every point along the way.

Enterprises across the globe are beset with the same problems, irrespective of industry sector, size or any other parameter, especially when it comes to data protection.

In its simplest form, data protection or information security boils down to ensuring the confidentiality, integrity and availability (CIA) of data. This can be challenging and typically requires focus on what I like to call the design principles of IT environments.

One of these principles is the segregation of IT environments. This covers not just physical segregation, but logical segregation as well.

Physical segregation means keeping nodes apart at the network level, either by placing them on separate physical networks or, more commonly, through virtual separation such as VLANs on shared infrastructure. In the virtual case the separation is only as strong as the configuration that defines it.

It is, more often than not, easily circumvented, either by a) simple human error, typically a network misconfiguration that gives someone unnecessary or excessive access, or b) an insider. That insider may be motivated to cause harm, or may simply be an innocent who decides to take a look at a shared resource that happens to be visible over the network.

The second aspect springing from the same design principles is that of logical segregation. Logical segregation is about ensuring that data belonging to the human resources (HR) department, for example, is visible only to the HR department and whatever other department is necessary – such as the finance department for payroll processing or an external supplier for antecedent verification – so long as it has a legitimate business need to access the data.

This gives rise to the need for clarity on who needs access to what data, what level of access is required (read, write, edit or delete, for example), and why this access is required. Other parameters, such as the duration of access, may also need to be factored in. At minimum, access control lists will need to be established with the concurrence of the data owner, who clarifies the access requirements for the data.

So where does the challenge lie in ensuring that IT segregation, both physical and logical, is carried out as required in the enterprise? Some common challenges include:

  • Lack of clarity about who is responsible for this segregation – is it only the IT function, or the business units, which are responsible? Often, business units assume that IT is responsible for segregation, yet only the business unit owner/data owner can say what data needs to be accessed by whom and what controls are required. 

  • The absence of a unified IT landscape within the enterprise, making the implementation of a single technical or other solution nearly impossible. 

  • Poor visibility into network architecture, network complexity, number of connections, traffic volumes and the extent of interconnectivity. 

  • Absence of defined policies guiding implementation.

  • The absence of a risk-based view of the landscape that would enable informed decision-making.

So what can enterprises do to ensure that IT segregation is carried out effectively and remains relevant in the dynamic enterprise environment? Enterprises should ensure that all IT segregation efforts are backed with appropriate security policies based on the risk perception and threat profile.

Segregation should be supported by appropriate segregation of duties – in business terms, this is sometimes called the “maker-checker concept” – both within the IT function and in the rest of the organisation/business units.

This should be carried out from a physical perspective, such as by establishing zones (for example, trusted and untrusted). Zones should be defined according to the risk profile and criticality of the assets they contain, with appropriate access requirements within and between each security zone.

This involves maintaining accurate network diagrams and data flow charts, and implementing appropriate controls over wired and wireless networks.
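The zone model described above only holds if the flows that actually cross zone boundaries are checked against what the design allows. The following added example (not code from the article or its author) takes a constructed zone model and a constructed explicit allow-list of zone-to-zone flows, classifies each endpoint of a flow record by longest-prefix match, and reports any inter-zone flow that the policy does not permit. The zone names, subnets, ports and flow records are all assumptions made for illustration.

```python
"""Check observed network flows against a zone-to-zone policy (default deny).

Added example with a constructed zone model and constructed flow records;
none of this comes from the article.
"""
import ipaddress

# Constructed zone model: subnets per zone. Anything not listed falls into
# "untrusted" via the 0.0.0.0/0 catch-all; the longest matching prefix wins.
ZONE_SUBNETS = {
    "untrusted": ["0.0.0.0/0"],
    "dmz": ["203.0.113.0/24"],
    "trusted": ["10.0.0.0/16"],
    "restricted": ["10.1.0.0/24"],  # assumed HR and payroll systems
}

# Explicitly allowed (source zone, destination zone, destination port).
# Every other inter-zone flow is denied; flows within a zone are allowed here.
ALLOWED_FLOWS = {
    ("untrusted", "dmz", 443),        # internet to reverse proxy
    ("dmz", "trusted", 8443),         # reverse proxy to application tier
    ("trusted", "restricted", 5432),  # application tier to HR database
    ("trusted", "untrusted", 443),    # outbound web from the trusted tier
}

# Networks sorted most-specific first so that zone_of() can stop at the first hit.
_NETS = sorted(
    ((ipaddress.ip_network(cidr), zone)
     for zone, cidrs in ZONE_SUBNETS.items() for cidr in cidrs),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def zone_of(ip: str) -> str:
    """Return the zone of an address using longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    raise ValueError(f"no zone for {ip}")  # unreachable while the catch-all exists


def check_flows(flow_lines):
    """Parse 'src,dst,dport,proto' records and return inter-zone flows the policy denies."""
    violations = []
    for line in flow_lines:
        src, dst, dport, proto = line.strip().split(",")
        src_zone, dst_zone, port = zone_of(src), zone_of(dst), int(dport)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for this check
        if (src_zone, dst_zone, port) in ALLOWED_FLOWS:
            continue
        violations.append({
            "src": src, "dst": dst, "port": port, "proto": proto,
            "path": f"{src_zone}->{dst_zone}",
        })
    return violations


# Constructed flow records in the shape of a firewall or NetFlow export.
SAMPLE_FLOWS = [
    "198.51.100.7,203.0.113.10,443,tcp",   # internet -> DMZ proxy: allowed
    "203.0.113.10,10.0.5.20,8443,tcp",     # DMZ -> app tier: allowed
    "203.0.113.10,10.1.0.15,5432,tcp",     # DMZ straight to HR database: violation
    "10.0.5.20,10.1.0.15,5432,tcp",        # app tier -> HR database: allowed
    "198.51.100.7,10.0.5.20,22,tcp",       # internet -> app tier SSH: violation
    "10.1.0.15,198.51.100.7,443,tcp",      # HR database -> internet: violation
    "10.0.5.20,10.0.5.21,445,tcp",         # within trusted zone: ignored
    "10.0.5.20,198.51.100.7,443,tcp",      # trusted -> internet web: allowed
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"DENIED {v['path']} {v['src']} -> {v['dst']}:{v['port']}/{v['proto']}")
```

Run against a real flow export, the denied list is the gap between the network diagram and the network as built; the third and sixth sample records show the two cases the text warns about, a zone being reached directly by a less trusted one and a sensitive zone talking outbound where no flow was ever approved.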

Apart from the above, a whole host of tools may need to be used to further strengthen these measures and ensure their continued effectiveness. These include routers, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), proxies, gateways, demilitarised zones, virtual private networks, virtual LANs, log monitoring, network traffic inspection systems and data loss prevention systems.

A key weapon on the logical segregation side is the use of access control lists, which should be based on the enterprise’s logical security policy identifying access rights and how these rights are administered. These policies and procedures should, at minimum, drive how users and devices are provided the access required and how access rights are updated based on changes.

A critical and most often neglected aspect is the periodic review of access rights, which further strengthens logical segregation. For IT segregation to work effectively, a holistic approach is required, with the participation of both IT and business functions, driven by a risk-based approach and configured according to the sensitivity of the data.
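The periodic review described above, together with the maker-checker principle mentioned earlier, can be mechanised as a comparison between what the data owner has approved and what the systems actually grant. The following added example (not code from the article or its author) uses a constructed owner-approved entitlement list, with an access level, an expiry date and the approver for each grant, and a constructed export of effective grants, and reports grants with no approval, grants whose approval has lapsed, grants at a higher level than approved, and users who hold both sides of a maker-checker pair on the same resource. All user, resource and level names are assumptions made for illustration.

```python
"""Periodic access review: observed grants versus data-owner-approved entitlements.

Added example with constructed approvals and grants; none of this comes from the article.
"""
from datetime import date

# Ordered levels: holding a higher rank than approved is "excess". Levels that are
# not ranked (e.g. submit/approve) must match the approval exactly.
LEVEL_RANK = {"read": 1, "write": 2, "delete": 3}

# Maker-checker pairs one person must not hold together on the same resource.
SOD_CONFLICTS = [("submit", "approve")]

# Constructed data-owner approvals: (user, resource) -> (level, expiry, approver).
APPROVED = {
    ("alice", "hr_records"): ("read", date(2026, 1, 31), "hr_director"),
    ("bob", "payroll"): ("read", date(2026, 1, 31), "hr_director"),
    ("carol", "hr_records"): ("read", date(2024, 6, 30), "hr_director"),  # vendor, lapsed
    ("erin", "payroll_run"): ("submit", date(2026, 1, 31), "finance_director"),
    ("frank", "payroll_run"): ("approve", date(2026, 1, 31), "finance_director"),
}

# Constructed export of effective grants from the HR file share and payroll application.
OBSERVED = [
    ("alice", "hr_records", "read"),
    ("bob", "payroll", "write"),        # approved for read only
    ("carol", "hr_records", "read"),    # approval expired
    ("dave", "hr_records", "delete"),   # never approved
    ("erin", "payroll_run", "submit"),
    ("erin", "payroll_run", "approve"), # not approved, and conflicts with submit
    ("frank", "payroll_run", "approve"),
]


def review_access(observed, approved, as_of):
    """Return a list of (user, resource, level, reason) findings for the review date."""
    findings = []
    held = {}  # (user, resource) -> set of levels actually held
    for user, resource, level in observed:
        held.setdefault((user, resource), set()).add(level)
        entry = approved.get((user, resource))
        if entry is None:
            findings.append((user, resource, level, "no data-owner approval on record"))
            continue
        ok_level, expires, approver = entry
        if expires < as_of:
            findings.append((user, resource, level,
                             f"approval by {approver} expired {expires.isoformat()}"))
            continue
        if level == ok_level:
            continue
        ranked = level in LEVEL_RANK and ok_level in LEVEL_RANK
        if ranked and LEVEL_RANK[level] < LEVEL_RANK[ok_level]:
            continue  # holds less than approved: not a segregation problem
        findings.append((user, resource, level,
                         f"'{level}' granted but only '{ok_level}' approved"))

    # Segregation of duties is checked on what is actually held, regardless of approvals,
    # so a mistaken approval of both roles is still caught.
    for (user, resource), levels in held.items():
        for maker, checker in SOD_CONFLICTS:
            if maker in levels and checker in levels:
                findings.append((user, resource, f"{maker}+{checker}",
                                 "segregation-of-duties conflict: same person is maker and checker"))
    return findings


if __name__ == "__main__":
    for user, resource, level, reason in review_access(OBSERVED, APPROVED, date(2025, 3, 1)):
        print(f"{user:6} {resource:12} {level:16} {reason}")
```

Each finding names the data owner's approval it was judged against, so the review can go back to the business unit rather than stopping at IT, which is the point the text makes about where responsibility for segregation sits.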

Appropriate reviews and periodic audits should also be carried out with metrics used to provide early warning, ensuring effective implementation and timely corrective actions.
