From security conferences to post-breach remediation documents, network segmentation is the most frequently discussed security topic since next-generation anti-virus software. That's for good reason. Many recent high-profile breaches might have been prevented, or at least contained, had the victim segmented its network to limit how far attackers could move laterally once they established an initial foothold.
However, many organizations do not know where or how to start when faced with a mandate to implement segmentation. In my work at CDW, I often meet with clients who are struggling to begin their network segmentation projects, and I've found a few common best practices that can help organizations get a head start. Here are three steps every organization should consider before starting a segmentation project.
1. Build a Detailed Roadmap
Organizations that have had success with network segmentation often started their projects by building a detailed roadmap based on business and security objectives. This roadmap, developed in combination with every team that has a stake in the project, sets the correct expectations and direction from top executives to the people who will use and manage the solution.
An organization's network segmentation roadmap for improving network resilience and defense should take into consideration both the access network (where users and endpoints connect) and the data center network (where applications and data live). The roadmap should also prioritize: the most critical assets, and the paths attackers would take to reach them, are segmented first, before lower-risk parts of the network.
2. Map Application Dependencies
Segmentation is only as effective as the policy enforced at each control point. If your organization does not know which endpoints talk to which applications, on which ports and protocols, you will end up writing wild-card any/any rules at those control points just to keep things working. Those rules leave attackers the same lateral paths the project was meant to close, which reduces the solution's effectiveness and usefulness.
Many solutions on the market can help organizations determine the necessary rules to protect critical resources. Some of the most common solutions for application dependency mapping are Cisco Tetration (since renamed Cisco Secure Workload) and Stealthwatch (since renamed Cisco Secure Network Analytics), both of which build the map from observed flow telemetry. Open-source tools that collect and analyze NetFlow, IPFIX or packet captures can assist with application dependency mapping as well.
3. Don’t Over-Segment Your Network
Network segmentation projects walk a fine line between too much and too little segmentation. Organizations generally cross this line when they fail to consider their expected growth over the next three to five years. Not factoring growth into the roadmap can lead organizations to create policies that initially work but eventually collapse into unmanageable complexity as new applications and segments are bolted on. Plan the segmentation model so that it remains scalable and manageable once the policies needed for that growth are added.
It's often difficult to find the line between an under-segmented network and an over-segmented one. The best way to evaluate your current status is to monitor what your control points are actually blocking, together with the help-desk tickets that follow. If users are struggling to get their jobs done because of blocked access to servers, printers or other networked resources, you're probably over-segmented. If nothing legitimate is ever blocked because the rules are mostly permit-any, you're probably under-segmented.
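The two checks above, mapping dependencies from flow data so that you can write explicit rules instead of any/any, and dry-running a proposed policy against observed traffic to catch over-segmentation before it becomes a help-desk ticket, can be prototyped with a few dozen lines of Python. The following is an added example for this article, not code from the original page or from any vendor product; the segment CIDRs, the NetFlow-style records, the review threshold and the draft policy are all constructed for illustration.

```python
"""Dependency mapping and policy dry-run from flow records.

Added example for this article, not code from the original page or from any
vendor product. The segment CIDRs, the flow records and the proposed policy
are all constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed segment definitions (hypothetical addressing plan).
SEGMENTS = {
    "users": ip_network("10.10.0.0/16"),
    "web":   ip_network("10.20.1.0/24"),
    "app":   ip_network("10.20.2.0/24"),
    "db":    ip_network("10.20.3.0/24"),
    "print": ip_network("10.30.0.0/24"),
}

# Constructed NetFlow/IPFIX-style records: (src_ip, dst_ip, proto, dst_port, bytes).
FLOWS = [
    ("10.10.4.21", "10.20.1.10", "tcp", 443, 120_000),   # user -> web tier
    ("10.10.7.9",  "10.20.1.11", "tcp", 443, 80_000),
    ("10.20.1.10", "10.20.2.20", "tcp", 8080, 500_000),  # web -> app tier
    ("10.20.2.20", "10.20.3.30", "tcp", 5432, 900_000),  # app -> database
    ("10.10.4.21", "10.30.0.5",  "tcp", 9100, 20_000),   # user -> printer (raw)
    ("10.10.7.9",  "10.30.0.5",  "tcp", 631, 3_000),     # user -> printer (IPP)
    ("10.10.4.21", "10.20.3.30", "tcp", 5432, 4_000),    # user straight to DB
    ("10.20.2.20", "10.20.2.21", "tcp", 22, 1_000),      # intra-segment, no control point
]

# Assumed first draft of the policy, written before the flows were reviewed.
PROPOSED_POLICY = {
    ("users", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("users", "print", "tcp", 9100),
}


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it fits no segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def build_dependency_map(flows):
    """Aggregate flows into {(src_seg, dst_seg): {(proto, port): bytes}}.
    Intra-segment flows never cross a control point and are dropped."""
    deps = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d:
            deps[(s, d)][(proto, port)] += nbytes
    return deps


def derive_rules(deps, max_services_per_pair=20):
    """Turn the dependency map into explicit allow rules (src, dst, proto, port).
    A segment pair with more distinct services than max_services_per_pair is
    the kind you would otherwise cover with an any/any rule; it is returned
    separately so someone reviews it instead of rubber-stamping a wildcard."""
    rules, needs_review = [], []
    for (s, d), services in sorted(deps.items()):
        if len(services) > max_services_per_pair:
            needs_review.append((s, d, len(services)))
            continue
        rules.extend((s, d, proto, port) for proto, port in sorted(services))
    return rules, needs_review


def dry_run_policy(policy, flows):
    """Return observed inter-segment flows the policy would block.
    Each entry is reviewed: a blocked flow is either a path you wanted closed
    (user -> DB) or a legitimate dependency the draft missed (IPP printing),
    which is the over-segmentation signal before it becomes a help-desk ticket."""
    blocked = []
    for src, dst, proto, port, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d and (s, d, proto, port) not in policy:
            blocked.append((s, d, src, dst, proto, port, nbytes))
    return blocked


if __name__ == "__main__":
    deps = build_dependency_map(FLOWS)
    rules, review = derive_rules(deps)
    print("Derived allow rules:")
    for r in rules:
        print("  ", r)
    print("Pairs needing manual review:", review)
    print("Flows the proposed policy would block:")
    for b in dry_run_policy(PROPOSED_POLICY, FLOWS):
        print("  ", b)
```

Run against real flow exports, the interesting output is the two lists at the end: segment pairs with so many distinct services that the only easy rule is any/any (those need an application owner, not a firewall admin), and observed flows the draft policy would break. In the constructed data the dry run flags the user-to-database connection, which the policy should keep blocking, and IPP printing on port 631, which the draft simply missed and which would have surfaced as a "can't print" ticket after cutover.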
Organizations that follow these steps should find an easier path to establishing the segmented environment they need to protect their data and resources and prevent costly breaches.