Segmentation – The Last Line of Security
This is the first post in a weekly, ongoing, deep dive series into the subject of segmentation. Each post will be written by a member of Arraya’s technical or tactical teams, focusing on a specific piece of this extremely broad, highly transformational topic.
When I was in college, downloading free music from Napster was the thing to do. Like most other kids my age, I didn’t have any money. Napster seemed a good way to build my music library on the cheap. At the time, no one had defined the legality of it so we didn’t feel bad about doing it. Then the recording industry got involved and suddenly downloading your favorite music became harder because Napster was no longer available. I got around this by pulling songs from other computers on the network. So long as I could connect to other folders on the local campus LAN, just about all the music I wanted was accessible.
Looking back twenty years ago, I cringe at the thought of what was going on. Networks were completely flat and everything on the LAN was accessible. At the time, the threat was much different too (for the record, I was also a lot thinner). Now, we have to be smarter about the way we design our networks. Segmenting systems where availability is critical or the data is sensitive can be the difference between a routine malware detection and a full disaster recovery situation. Segmentation isolates systems and data. It’s akin to the main safe within a bank. You may get into the bank through the front doors, but the safe adds another layer of protection for the money. Segmenting your network is the same thing. You’re putting access control on the inside of your network to protect the most sensitive areas even if the bad guys get an initial foothold. This can also be a way to simplify your compliance and auditing efforts. If you can isolate the systems auditors are assessing via segmentation, you only have to apply those controls to the segmented area. This can make passing regulatory audits a breeze!
It’s All About Classification
Like most security initiatives, most organizations have a misconception that this is a purely technical task. Sure, tasks like putting servers in a DMZ or segmenting a data center fit that bill. However, where you really get the best bang for your buck is by identifying systems that would cause the greatest danger if compromised or taken offline. This requires us technical folks to do something we hate – talk to our business owners. We need to find out from them what’s most important to safeguard. Most IT departments simply don’t have the bandwidth or the budget to segment everything. So you have to pick and choose the right systems.
Common Segmentation Examples
I couldn’t possibly name every segmentation opportunity out there, but here are a couple common examples and good places to start:
- Credit Cards – If you’re processing, storing, or transmitting credit card data, then segmenting any of the systems in scope is the easiest and most efficient way to pass a PCI compliance audit. It’s also a good way to protect the data from getting into the wrong hands. This includes card readers, PCs, and servers that are involved in the payment card process.
- Health Records – For companies processing personal health records, segmentation is a must. These organizations are processing some of the most sensitive data a person can provide. Clinical records should be segmented from the rest of the population and only made accessible to the people who need access. This includes organizations with access to medical insurance records. Getting access to insurance claims and reports can provide some of the same data as the medical record itself.
- Industrial Control Systems – It’s most common to see segmentation here. Separating energy, water, chemical, or manufacturing systems from the rest of the corporate environment protects systems that have to be up and running 100% of the time in the event an attacker compromises a standard user.
- Financial Systems – Systems that process personal data or financial transactions often get segmented due to the sensitivity of the data. Nobody wants to be on the news for losing a million social security numbers and birth dates. Most financial organizations try to separate the systems that process this type of data to keep it safe. It also makes compliance a much easier task.
There are Lots of Options
There’s no one way to segment. Some companies like to completely air gap their systems on totally separate infrastructure. Some companies like to put firewalls between systems. Other organizations do it with software and logically using network management tools. I’m not advocating for one method over the other, but I do think this is an important step toward building a true defense-in-depth approach to security. If you look back at the WannaCry and Petya attacks, a little segmentation would’ve gone a long way in preventing them from spreading the way they did (so would some basic patching – but that’s a topic for a whole different blog).
To learn more about segmentation and its role in today’s IT landscape, reach out to our team of experts by visiting: https://www.arrayasolutions.com/contact-us/.