2020 was not a good year for cybersecurity. In the first half that year alone, ransomware (a special kind of malware) attacks increased by 715 percent from the prior year’s levels.
A global survey found that 57 percent of organizations experienced a phishing attack, up from 55 percent in 2019; while the average total cost of a data breach climbed to $3.86 million.
To mitigate the risks of such cyberattacks, enterprises need to do more. One tactic proven to help: implement network segmentation practices.
What are “network segments,” exactly, and how can a segmented network improve cybersecurity? Today’s post answers those questions. We’ll also unpack five network segmentation best practices to help you boost the security of your enterprise network.
What Is Network Segmentation?
Network segmentation divides an enterprise network into smaller segments or sub-networks, with limited inter-connectivity among them.
Segmenting networks gives administrators better control over network traffic as that traffic flows from one segment to the next, and improves your ability to prevent unauthorized users from accessing the organization’s devices, applications, and data.
And if a data breach does happen — which, let’s not delude ourselves, can always happen — network segmentation assures that the breach only affects that targeted segment. The other network segments remain protected from further damage.
How Can Network Segmentation Improve Security?
In the enterprise network, firewalls and other protective mechanisms cannot always block or detect threats within the organization’s network. Segmentation, however, can prevent more cyberattacks, reduce damage, and improve overall network performance.
One reason is that segmenting improves access control, so that only authorized users with specific privileges can access each segment.
This means that even if an attacker does gain access to one segment, he or she won’t be able to access the rest of the network; the attacker can only move around within whatever segment the stolen access credentials allow. This helps to minimize damage and prevents the network from failing in its entirety.
By implementing network segmentation best practices, you also get better visibility into and control over network traffic, so you can minimize any threats to your systems — both external and internal.
Remember, securing the computer network from internal threats is now just as important as securing it from external threats. This is because the earlier “trust assumption” — where insiders were assumed to be trustworthy and not a threat — has now eroded.
Perhaps the insiders have ill intent; perhaps they’re unwitting dupes in a criminal scheme; perhaps attackers have stolen their credentials to impersonate the insider. Regardless, the insider can be a source of data breaches just as much as an outsider.
This is why adopting Zero Trust Architecture (ZTA) is essential, and network segmentation is one part of the ZTA approach. You can create a micro perimeter around your most critical assets to protect them from unauthorized users and bad actors.
Other Benefits of Network Segmentation
Segmented architecture also helps to simplify firewall security policies. By using a consolidated policy for subnet access control (as well as threat detection and mitigation) you can further reduce your attack surface.
Micro-segmentation (implemented through software-defined networking) can also allow you to implement more granular security policies to meet your organization’s specific cyber-defense needs.
One more benefit: segmenting reduces the costs of regulatory compliance by limiting the number of systems that might fall within scope of a compliance audit.
How Can You Segment a Network?
Network segmentation can be implemented as either logical or physical segmentation. Physical segmentation involves segmenting a larger network into smaller segments using physical or virtual firewalls.
Logical segmentation creates subnets, either with Virtual Local Area Networks (VLANs) or network addressing schemes. It requires no wiring or the physical movement of components, making it more flexible and automation-friendly.
Network segmentation can be done through firewall segmentation at specific network boundaries. The firewall provides visibility into network traffic and can be set to allow/block various kinds of traffic, applications, and users.
If your organization is aiming for PCI-DSS compliance, consider PCI DSS network segmentation to isolate and protect credit card data from other computing processes.
Five Network Segmentation Best Practices
-
Understand who accesses what.
Proper network segmentation starts by first knowing who can access the network, as well as who should access which parts of the network — and that might not always be the same group of people.
By defining access needs clearly, you can assure that no issues might arise later that could require a costly and time-consuming re-architecture of the segmentation process.
-
Avoid under or over-segmentation.
One of the most important network segmentation best practices: create the right number of segments to balance security with complexity.
Too many segments will make it harder to control and manage the network. Too few will weaken the network’s security profile.
-
Restrict and control third-party access.
Bad actors can attack your enterprise network or data center through your third-party vendors or suppliers.
The risk of third-party data breaches is not only on the rise; it can also cost organizations about $370,000 more than if a third party was not involved. That’s why restricting third-party access to your critical systems and sensitive data is so important.
Creating separate portals to serve each vendor will isolate and limit an attack even if it happens.
-
Consolidate similar network resources.
Combining similar network resources into individual databases is another network segmentation best practice to follow. With such a tactic you can quickly implement security policies, and assure that business-critical data remains isolated and protected.
-
Perform network audits.
Regular and comprehensive network audits, with risk assessments and penetration testing, are critical to staying ahead of bad actors trying to exploit your enterprise network in many different ways.
By auditing the network, you can find exploitable gaps and take action to close them, before a bad actor has a chance to slip in and cause damage. Audits will also reveal if your previous network segmentation plan is outdated or irrelevant.
How ZenGRC Can Supplement Network Segmentation
The modern cyber threat landscape is teeming with bad actors looking for ways to attack your enterprise network. To stay ahead of them, you must take action today.
Protect your network, vulnerable devices, endpoints, and data with a robust network segmentation strategy. And get it right by adhering to the network segmentation best practices covered in this article.
You can strengthen your organization’s security posture, but this requires taking action — sooner rather than later.
Implementing a robust cybersecurity strategy can be a daunting task, particularly if your organization is responsible for adhering to cybersecurity compliance frameworks.
ZenGRC can supply your compliance and cybersecurity teams with a centralized, integrated dashboard that identifies risk across your entire organization.
ZenGRC simplifies risk management and provides complete views of your control environments, easy access to your documentation at audit time, and continuous monitoring of your security stance over time.
To learn more about ZenGRC and how it can support your compliance and network security efforts, contact us now for a free demo.