Security Is No “Fringe” Issue, or, the Case for Segmentation
We know that prevention is the best medicine when it comes to endpoint security. But with increasingly sophisticated, more targeted attacks, the days of thinking of security as any sort of external, endpoint-only affair are long gone. It's critical to protect all data from the inside, out.
While many IT teams maintain the data and systems security they "own," a core challenge is that they cannot control vendor-owned and -operated endpoints, or data and systems managed by other business units.
In our latest TrendWatch webinar, we discussed how network segmentation alleviates that pressure, while increasing security and visibility with little to no interruption.
Zero Trust: Segmentation for maximum verification
The Zero Trust model of information security is built on the principle "never trust, always verify." This type of framework compartmentalizes, or segments, different parts of the network so that an attacker who gains a foothold in one part cannot move laterally to reach data in another.
Segmentation enables IT teams to enforce security across the network as traffic tries to reach endpoints. Following are some key principles:
- Secure access to resources. Users need secure access to the data they need, regardless of whether they are accessing it from a campus network, or remotely.
- Apply access restrictions on a "need-to-know" basis. Many devices and networks are needlessly connected. In a manufacturing setting, for example, critical business data may be accessible through third-party devices on the factory floor that have no need for it—and create a major vulnerability.
- Verify that users, apps and content are legitimate. Through segmentation, teams determine which users and devices should be given access to sensitive applications and data.
- Inspect and log. Security is no one-time-only business. The ability to review historic access and activity will enable your team to identify how long unusual activity has been happening, or when it first occurred.
Solution technologies are becoming more widely available. For example, Palo Alto Networks' segmentation platform includes GlobalProtect, which delivers secure IPsec and SSL VPN connectivity for users wherever they're located, along with App-ID, which classifies traffic by application and impairs malware's ability to hide from detection. Cisco's TrustSec simplifies segmentation by tagging traffic based on roles instead of IP addresses or VLANs.
Like perimeter segmentation, but for all data traffic
Research from Arkin, now VMware vRealize Network Insight, found that only 20 percent of network traffic flows through the firewall. That leaves roughly 80 percent of internal traffic unsecured.
The good news is that, in theory, what you already do to protect the perimeter is similar to what must happen inside it. With segmentation, security teams can create "bulkheads" for the network, so that if one device is exposed, the leak stops there—and the rest of the boat can continue on unaffected.
For example, a healthcare organization saw malware spread rapidly across its systems after a user downloaded a virus that traveled through fileshares and opened a backdoor to sensitive organizational data. In that instance, removing each device from the Internet and cleaning it could not keep pace with the fast-spreading attack. Segmentation could have contained the malware from the beginning.
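The "bulkhead" idea above, and the four principles listed earlier (need-to-know access, verification, inspect and log), can be made concrete with a small default-deny policy engine. The following is an added illustration written for this page; it is not from the webinar and does not represent how GlobalProtect, App-ID or TrustSec implement segmentation. Zone names, CIDRs, ports and timestamps are constructed for the demo.

```python
"""Toy zone-based segmentation policy (added example, constructed data).

Each zone is a bulkhead: traffic inside a zone is allowed, traffic
between zones is denied unless an explicit rule permits it, and every
decision is logged so historic activity can be reviewed afterwards.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt observed at a segment boundary."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"
    ts: int = 0          # seconds since epoch; constructed values in the demo


Rule = Tuple[str, str, str, int]   # (src_zone, dst_zone, proto, dst_port)


class SegmentationPolicy:
    """Default-deny between zones; same-zone traffic is allowed."""

    def __init__(self, zones: Dict[str, List[str]], allow: List[Rule]):
        self.zones = {name: [ip_network(c) for c in cidrs]
                      for name, cidrs in zones.items()}
        self.allow = set(allow)
        self.log: List[dict] = []

    def zone_of(self, addr: str) -> str:
        ip = ip_address(addr)
        for name, nets in self.zones.items():
            if any(ip in n for n in nets):
                return name
        return "untrusted"   # unmapped devices (vendor gear, BYOD) land here

    def evaluate(self, flow: Flow) -> bool:
        """Decide a flow and append the verdict to the audit log."""
        src_zone, dst_zone = self.zone_of(flow.src), self.zone_of(flow.dst)
        if src_zone == dst_zone and src_zone != "untrusted":
            verdict = True                      # inside one bulkhead
        else:
            verdict = (src_zone, dst_zone, flow.proto, flow.port) in self.allow
        self.log.append({"ts": flow.ts, "src": flow.src, "src_zone": src_zone,
                         "dst": flow.dst, "dst_zone": dst_zone,
                         "port": flow.port, "allowed": verdict})
        return verdict

    def reachable_zones(self, host: str) -> Set[str]:
        """Zones a host can open any connection into: its blast radius if compromised."""
        src_zone = self.zone_of(host)
        zones = {src_zone} if src_zone != "untrusted" else set()
        zones |= {dst for (src, dst, _, _) in self.allow if src == src_zone}
        return zones

    def first_denied(self, host: str) -> Optional[int]:
        """Earliest time a host was blocked: how long has the unusual activity been going on?"""
        hits = [e["ts"] for e in self.log if e["src"] == host and not e["allowed"]]
        return min(hits) if hits else None


def build_demo_policy() -> SegmentationPolicy:
    """Constructed zones and rules for a manufacturing-style network."""
    zones = {
        "factory_floor": ["10.10.0.0/16"],   # third-party devices live here
        "corp_users": ["10.20.0.0/16"],
        "records_db": ["10.30.0.0/24"],      # the data that needs protecting
    }
    allow = [
        ("corp_users", "records_db", "tcp", 5432),     # app tier to database
        ("factory_floor", "corp_users", "tcp", 443),   # telemetry to intranet portal
    ]
    return SegmentationPolicy(zones, allow)


if __name__ == "__main__":
    policy = build_demo_policy()
    # A factory-floor device probing the records database over SMB is stopped
    # at the bulkhead; a corporate app reaching the database on 5432 is not.
    print(policy.evaluate(Flow("10.10.4.7", "10.30.0.5", 445, ts=100)))   # False
    print(policy.evaluate(Flow("10.20.1.9", "10.30.0.5", 5432, ts=200)))  # True
    print(policy.reachable_zones("10.10.4.7"))
    print(policy.first_denied("10.10.4.7"))
```

Two things worth noticing: `reachable_zones` is the question to ask about every vendor-owned device before it is connected ("if this box is compromised, what can it talk to?"), and `first_denied` is the inspect-and-log principle in miniature, since the answer to "when did this start?" only exists if every cross-zone decision was recorded. Real micro-segmentation products also police traffic inside a zone, which this toy model deliberately leaves open.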
Clear restrictions are key
With segmentation, security teams can make policy changes without having to redesign the network, ultimately helping limit the impact of a data breach while supporting visibility and BYOD.
When we become more organized about what's moving through the network, it becomes easier to secure. While other endpoint protection is still vital, segmentation lets you get in front of those systems for added visibility and security.