Many businesses have been trying to carry out network segmentation for years – and yet often it ends up on the back burner. It is not difficult to understand why. Most enterprises want to segment their networks but are deterred by how complicated the process appears, writes Ade Omotomilola, Head of Services at the network services firm Axial Systems.
Often, they are good at having certain functions locked down and isolated, but these functions are typically limited in scope. Implementing segmentation more widely across the network is difficult. It is extremely complex, for example, simply to try to understand how everything is connecting across the infrastructure: where the trust relationships lie, how different business units interact and how various parts of the network are intertwined with others.
Yet, at the most basic level of security, being able to segment the network is critically important. By splitting the network into smaller sub-segments and ensuring that different sections don’t connect unless absolutely necessary, businesses reduce the likely impact of any security breach. Segmentation is also important from an operational efficiency perspective, as it helps ensure that business units and systems are working together in the ways they should.
One of the biggest challenges organisations face is keeping pace with the rapid growth of their network infrastructure and being able to monitor that growth. Most businesses have complex heterogeneous networks in place. There is often little consistency or integration between different elements. Many corporate networks have grown organically over recent years at lightning speed. As such, they frequently have leftover legacy systems running alongside – and often entwined with – dynamic forward-thinking systems. The situation is complex enough when businesses have all their systems located on premises and they effectively plug in new functionality over time. Today, however, with the ongoing migration to the cloud, networks are becoming even more complex and interconnected. Businesses may have private, public or hybrid cloud infrastructures in place – or a combination of all three. They may have started to implement a containerised environment to run large distributed applications while keeping overheads down. They may even have begun to install multilayer networks to help overcome data transfer issues.
From the network security perspective, this tangled web of systems and solutions effectively amounts to a major headache and a significant challenge to overcome.
Finding an answer
Security teams should first focus on how everything is connected and why systems are talking to each other, as well as when certain connections were created and what the rationale for them is. Given the complex history outlined above, this is not easy to do. There might well be a good reason why certain systems are linked that, on paper, should not be, but it may be difficult to establish the exact rationale. So, what is the solution? The latest security tools can play a key role, effectively mapping networks from a visual point of view and thereby giving businesses a clear and up-to-date understanding of their infrastructure, how its trust relationships work, and its potential security flaws.
Micro-segmentation is then critical to properly control traffic flows within the environment, to reduce the potential attack footprint by ensuring only compliant flows are allowed, and to contain threats in case of a breach. If a network is segmented down to the individual process level and communication is only between permitted systems (e.g. server A can talk to server B but no other), network operators can see that anything outside of that is a violation. This needs to be a consistent approach, of course, that covers the whole corporate network, and includes extending security groups into the cloud.
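The allowlist check described above, sketched as an added example (it is not from the article or from any vendor tool): it flags observed flows that no rule permits, and lists rules that no observed flow exercised, which are the links whose rationale needs re-establishing. The addresses, ports, process names and the shape of the flow records are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR of the segment allowed to initiate
    dst: str      # CIDR of the segment allowed to receive
    port: int     # destination port
    process: str  # process allowed to open the connection

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    process: str

def matches(rule: Rule, flow: Flow) -> bool:
    try:
        src, dst = ip_address(flow.src), ip_address(flow.dst)
    except ValueError:
        return False  # unparsable address never matches: default deny
    return (src in ip_network(rule.src) and dst in ip_network(rule.dst)
            and flow.port == rule.port and flow.process == rule.process)

def violations(flows, policy):
    """Flows that no allowlist rule permits."""
    return [f for f in flows if not any(matches(r, f) for r in policy)]

def unused_rules(flows, policy):
    """Rules no observed flow exercised: stale trust relationships to review."""
    return [r for r in policy if not any(matches(r, f) for f in flows)]

# Constructed policy and flow records (hypothetical addresses and process names).
POLICY = [
    Rule("10.0.1.10/32", "10.0.2.20/32", 5432, "app-api"),  # server A -> server B
    Rule("10.0.3.0/24", "10.0.1.10/32", 443, "nginx"),
    Rule("10.0.4.0/24", "10.0.2.20/32", 22, "ssh"),
]
FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 5432, "app-api"),  # permitted
    Flow("10.0.1.10", "10.0.2.20", 5432, "bash"),     # right hosts, wrong process
    Flow("10.0.1.10", "10.0.2.21", 5432, "app-api"),  # A reaching a server other than B
    Flow("10.0.3.7", "10.0.1.10", 443, "nginx"),      # permitted
    Flow("not-an-ip", "10.0.2.20", 5432, "app-api"),  # malformed record
]

if __name__ == "__main__":
    for f in violations(FLOWS, POLICY):
        print("VIOLATION", f)
    for r in unused_rules(FLOWS, POLICY):
        print("UNUSED", r)
```

Matching on the process name as well as the address pair is what makes the second flow a violation even though both hosts and the port are on the allowlist.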
The next step is to apply a visual security delivery layer on top of these micro-segments and across the entire network. This will provide all inline tools with the ability to be fed data packets in real-time, to be stored for replay later or to be used in analytics engines. This, in turn, gives Security Operation Centres (SOCs) a better idea of how their security tools are performing.
Additional layers can then be applied on top to regulate access (for example, with privileged access management baked into all the endpoints). This gives network administrators and security teams far more control over what can talk to what when data is travelling laterally. It will also enable them to detect active breaches within the network and confine them to a secure location for accelerated mitigation and remediation.
It is imperative to have an early warning of the potential dangers across the whole of the estate. The latest solutions provide this via a ‘single pane of glass’, showing what is happening in real-time down to the process level. Embedding security into the network reduces operational overhead, increases visibility and helps generate meaningful intelligence around events on the network.
Overall, it is a compelling example of how network segmentation, backed by rigorous security policies and systems, can help keep even the most complex network infrastructures safe for enterprises.