Security Think Tank: Benefits and challenges of security segmentation

Security incidents and breaches are all too common. Stats abound about the success of phishing campaigns, despite regular security awareness and education provided to end-users. Why does this matter? Because an attacker is highly likely to find a way into your organisation and your systems, potentially to access your data.

segmentation can help to address the adage that an attacker only needs to find one way inside the organisation. When such an event inevitably occurs, it is best to limit the attacker’s ability to “move laterally” or access separate, but connected systems, rather than being able to move to another easily-found environment.

To do this, there are various useful methods, including traditional network segmentation, default-deny (often referred to as zero trust ), risk-based access management, adaptive controls, and even disconnection. Essentially, segmentation is about segregating environments to minimise the opportunities for a security incident or breach to take place. The better the segmentation, the more barriers an attacker will face as they try to move around an organisation’s systems and data.

Segmentation can also help to protect fluid applications and workloads. Cloud computing has become a part of the everyday world for most enterprises. Server workloads and applications often run in cloud environments that change frequently. Techniques such as micro-segmentation can be applied automatically, not only providing the necessary security controls in virtual environments, but also letting the business continue with its processes unhindered by visible security controls.

Compliance is another area where segmentation can help. Network segmentation is a requirement in a number of regulations, the intention being that data is more difficult for an attacker to find and access. There are also emerging risks to consider, such as the tens of billions of IoT [internet of things] devices that will be connected in the next few years. An organisation can use segmentation to isolate and separate these devices, and so limit the risk exposure.

But of course, little in the world of security is easy. As such, there are a number of challenges to consider and overcome to successfully apply segmentation.

The first challenge is performance. As might be expected, the increased segregation of IT systems can create performance bottlenecks. There are also issues around network architecture, as many legacy enterprise networks are “flat” networks not designed for security.

When an organisation deploys segmentation for the first time, significant architectural and topology changes are required, which can be costly and disruptive. The security workforce challenges are well documented and also apply here – it is difficult for an organisation to find staff with the necessary skills and expertise for segmentation. Another challenge is that purpose-specific products are often necessary for segmentation, which can be costly and add to the already-too-big enterprise security portfolio.

There are a number of approaches that an organisation can adopt to overcome some of these challenges. These include establishing a default-deny mindset, working toward a policy in which access is granted on a must-have basis in real time. This uses many of the principles established in the zero trust model.

Also, a strong dose of realism is essential. Few organisations have the luxury of security segmentation in a greenfield environment. Recognise that not all risks can be mitigated straight away.

With any project, demonstrating a quick win can prove the benefits early and pave the way for extended adoption. Start with something “easy”, such as a guest network with limited access privileges.

Finally, align with organisational priorities. Organisational governance should drive security governance, and an understanding of key strategic priorities and upcoming projects will allow the security function to insert segregation principles and controls during the design phase, positioning it as a mechanism to limit business risk.