Network segmentation – improving information security by design
The days of flat networks are, for better or worse, over. It is no longer smart, or even always possible, for a business to ring-fence its network nodes and then allow traffic to flow freely between them, scanning only the outside for threats.
There are a number of reasons for this change:
One is the influence of trends like cloud computing and bring your own device (BYOD), which have made network perimeters necessarily fluid and sometimes hard to even map out.
Another is a growing awareness of insider attacks – whether rogue employees, misuse of stolen user credentials or exploitation of privileged administrator access tools.
Finally, there’s the regulatory angle. Network segmentation, in which infrastructure is divided into discrete areas to prevent unauthorized data flows, is widely recommended in mandates. For example, in PCI DSS it offers a means of reducing the scope of the environment in which credit and debit card numbers are processed.
Earlier this year, the UK Information Commissioner’s Office (ICO) published a list of the most common ways organizations breach the Data Protection Act. One of them was “poorly designed networks processing data in inappropriate areas,” indicating many businesses in the country still struggle to achieve effective segmentation and incur costly penalties as a result. Bear in mind the Data Protection Act is the UK’s implementation of the EU Data Protection Directive, meaning many of its principles are transferable to the European region at large.
Could your company be among them?
Several commentators have argued that the widely publicized Target breach was largely attributable to poor network segmentation. A string of similar breaches in recent months indicates that the problem is widespread among organizations in the retail, financial services and other industries that handle sensitive customer data such as payment card details and personal information.
Consider the following points:
- Have you defined which items of data are sensitive? Good network segmentation means good information architecture, so before all else you need to draw a distinction between data that’s sensitive and data that isn’t. In the case of the former, you should then work to identify which members of staff require access, as well as how that access should be provisioned.
- Is it easy to manage access rights? There are a number of ways secure access can be achieved. One option could be to add firewall rules that erect barriers between certain servers and personnel. If these aren’t easy to manage there’s a good chance they’ll end up ineffective – you won’t get far with IP-based access controls in the era of BYOD. Similarly, if an employee moves to another department or leaves the company, is it easy to change the rules that apply to them? Role-based access controls would be one way to accomplish this, as long as it’s possible to overrule them in certain cases.
- Are you accounting for context before delegating access? Sometimes it’s not enough simply to ask who a user is and then unquestioningly provide them with unrestricted access to files. What if they’re using a high-risk device such as an unmanaged smartphone? What if the access request comes from a suspicious physical location, or in the middle of the night? In many cases, managing network segmentation judiciously requires assessing the context of a user’s request and then building access rules based on the scenario on the fly.
- Is every access attempt logged and reported? Finally, one of the most important steps you can take to prevent data falling into the wrong hands is to comprehensively audit all network activity. That way, if for whatever reason a user accesses a file they’re not authorized to, IT staff can be alerted immediately and lock the server down.
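The four points above describe one policy: a role-based baseline for who may reach the sensitive segment, contextual conditions (device, location, time) that tighten it on the fly, and an audit trail that surfaces denied attempts immediately. The following Python is an added illustration of that policy, not code from the original article; the segment names, roles, approved country and business hours are constructed assumptions.

```python
from dataclasses import dataclass, asdict

# Constructed example: segment names, roles and thresholds are illustrative only.
SENSITIVE = "cardholder-data"   # segment holding PCI-scoped data
GENERAL = "general-office"      # segment holding non-sensitive data

# Role-based baseline: which segments each role may reach at all.
ROLE_SEGMENTS = {
    "payments-analyst": {SENSITIVE, GENERAL},
    "marketing": {GENERAL},
}
APPROVED_COUNTRIES = {"GB"}      # where access to the sensitive segment is expected from
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 local time

@dataclass
class AccessRequest:
    user: str
    role: str
    segment: str
    device_managed: bool   # False for an unmanaged BYOD phone
    country: str           # country of the source address
    hour: int              # local hour of the request, 0-23

def evaluate(req, audit):
    """Decide allow / step-up / deny for one request and record it in the audit log."""
    if req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        decision, reason = "deny", "role not entitled to segment"
    elif req.segment == SENSITIVE and not req.device_managed:
        decision, reason = "deny", "unmanaged device"
    elif req.segment == SENSITIVE and req.country not in APPROVED_COUNTRIES:
        decision, reason = "deny", "source outside approved region"
    elif req.segment == SENSITIVE and req.hour not in BUSINESS_HOURS:
        # Entitled role but unusual timing: demand stronger authentication, not a refusal.
        decision, reason = "step-up", "outside business hours"
    else:
        decision, reason = "allow", "policy satisfied"
    audit.append({**asdict(req), "decision": decision, "reason": reason})
    return decision

def alerts(audit):
    """Denied attempts on the sensitive segment are the entries IT staff should see immediately."""
    return [e for e in audit if e["segment"] == SENSITIVE and e["decision"] == "deny"]

if __name__ == "__main__":
    log = []
    evaluate(AccessRequest("alice", "payments-analyst", SENSITIVE, True, "GB", 10), log)
    evaluate(AccessRequest("bob", "marketing", SENSITIVE, True, "GB", 11), log)
    evaluate(AccessRequest("alice", "payments-analyst", SENSITIVE, False, "GB", 2), log)
    for e in alerts(log):
        print(f"ALERT {e['user']} -> {e['segment']}: {e['reason']}")
```

Every request, allowed or not, lands in the audit list, so the same log that drives the alerts also answers the "who accessed what, from where" questions a PCI DSS scope review asks.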