Setting Objectives and Having a Clear Roadmap is the Best Path to a Successful Network Segmentation Journey
Organizations have talked about segmentation for years as a strategy to improve overall security posture. While widely considered a security best practice, in today’s dynamic environments where the network perimeter is ever-evolving, segmentation can be challenging to implement, scale, and manage. A combination of new connected devices, changing business models, expectations for guest access, regulatory requirements, and evolving threats can make it a complex undertaking. Furthermore, you need a holistic approach that covers the campus, data center and cloud – anywhere an endpoint connects. Otherwise, you risk ending up with multiple segmentation strategies that compound complexity and may negatively impact security and user experience.
However, you shouldn’t let this reality prevent you from moving forward. As Henry Ford said, “Nothing is particularly hard if you divide it into small steps.” Coming from the person who transformed factory production and was a driving force behind the industrial revolution, this advice carries some weight. In that spirit, I want to share six steps to successful segmentation. Whether you have in-house staff who can drive your segmentation project or are considering third-party advisory services, these activities are critical to success.
In part one of this two-part article, I’ll cover proper planning and preparation. These activities will help ensure you create a segmentation strategy that is aligned with your business goals and drivers, and accurately defined to reduce security risk and strengthen security posture. With the right plan in place you’ll have a clear understanding of how you will accomplish your objectives and be better able to set expectations for the segmentation program.
1. Define Objectives. Setting objectives and laying out a clear roadmap is the best path to a successful segmentation journey. To do this, you need answers to critical questions, including:
• What business and security drivers are behind the segmentation initiative?
• What practices do you have in place to define asset classification?
• What assets are critical to your business?
• What threats are common in your business vertical?
• How are you leveraging technologies and processes to address those threats?
• Does your technology roadmap include an element of security?
• What are your top business priorities and how do they align with your current security initiatives?
• What are your pain points?
This information helps define the high-level strategy by gaining an understanding of business goals and drivers, critical business assets, known risks, and an overall understanding of the current enterprise security posture. This in turn helps you to determine next steps and priorities for reducing security risk and developing technology roadmaps.
2. Identify, Classify and Prioritize Assets. Working closely with key stakeholders, you’re now ready to define sets of assets and classify them by business impact, risk, function, and regulatory requirements. This classification is used to define security control capabilities and to help set priorities through clearly defined criteria. As examples, if a hospital considers radiology gear as a critical asset, then those devices should be identified and grouped with like devices. An insurance provider may consider all business services equally critical and group them together, but its corporate services may vary in criticality based on the impact on revenue-generating activities or compliance.
3. Gain Visibility to Support and Augment the Strategy. To validate your work from step two, you need visibility into actual traffic and devices to ensure you haven’t missed anything. This process includes considering the types of traffic of interest (North, South, East and West), all physical and virtual devices collecting traffic, where to gather data (WAN edge, Access Layer, Cloud), the best sources of data, and an analytics platform to monitor, analyze, and report on the information. With the right tools and processes you can identify actual devices within a segment and trusts or policy with other segments. This allows you to discover unknown devices and traffic patterns and is crucial in understanding if, how, and where you might need to adjust your strategy based on what is actually happening within your environment.
You’ve now done the critical work to develop a segmentation strategy that matches your needs. In part two of this article, I’ll discuss the final three steps which focus on implementation and ongoing operation of your segmentation program. Specifically, I’ll review how to develop, validate, and enforce policies that are as dynamic as your environment to enable effective protection for your critical assets.