Network segmentation – best practice in the age of cyberthreats
With Internet of Things (IoT) devices becoming more prolific across Australian facilities, network segmentation may be critical to defending against cyberattacks.
Cyberthreats have risen at an unprecedented scale as they grow more complex and aggressive. Increasingly, they are evading traditional and siloed security systems, moving laterally across flat networks to gain access to sensitive data and applications. With IoT devices becoming more prolific – it’s predicted 5.8 billion devices will be in use by the end of 2020 – new security defences must be a priority for facility managers wanting to make use of such technology.
According to cybersecurity company Forescout, network segmentation is emerging as the best practice for securing IoT and operational technology (OT) systems against such threats.
“With the right tools and technologies, organisations can implement an effective network segmentation architecture that makes intelligent zoning a reality by grouping users and device types by business context and limiting network access to those resources required to do their jobs,” says Steve Hunter, senior director, systems engineering, Asia Pacific and Japan.
Hunter believes there are still three major challenges many organisations need to overcome before network segmentation becomes a viable option:
Lack of confidence
Hunter believes many organisations are in the early stages of segmentation projects, but that progressing to a mature, enterprise-wide segmentation strategy is a completely unique challenge. Network architects and operations teams are struggling to catch up with emerging information technology and software adoption such as the IoT, cloud, software-defined networking and digital transformation. These teams may have differing agendas and are often distributed across multiple geographies. Given the tasks at hand and resource constraints, many segmentation projects become stuck in the early stages of planning.
Lack of skills, resources and tools
Implementation delays, business disruptions and operational costs are the direct result of a lack of skills and proper tools. Often, segmentation projects fail to meet expectations due to a lack of contextual understanding of the environment, which leads to a collective inability to define and build the right business logic behind segmentation rules. Conventional segmentation solutions tend to be labour-intensive, as they require manual analysis of traffic flows and logs to understand traffic dependencies. All too often, disparate teams try to build segmentation policies and map those policies to their siloed environments, which increases the likelihood of human error, inconsistent segmentation policies and business disruption. This can also result in months spent identifying policy anomalies and validating segmentation hygiene in the environment.
Multivendor and multidomain environment complexity
Traditional segmentation is difficult enough when a network is basic, but most segmentation takes place in complex, multivendor/multidomain enterprise environments, which means that implementation becomes a massive undertaking. In these circumstances, using traditional approaches such as virtual local area networks (VLANs), access control lists (ACLs), next-generation firewalls and agent overlays typically results in siloed segmentation rules that aren’t dynamic or granular enough to effectively reduce risk across campus, data centre, cloud and OT environments.
“There is no one-size-fits-all solution to network segmentation,” says Hunter.
“All segmentation tools have specific strengths, use cases and areas on the network where they will be best deployed. However, with the right platform, organisations can bridge these disparate technologies to accelerate the design, planning and deployment of dynamic network segmentation across the extended enterprise to reduce regulatory risk and limit the attack surface.
“Enterprise-wide segmentation requires a context-driven, multilayered architecture to address today’s broad diversity of device type regardless of where they connect to the network so that they can apply a dynamic zero trust approach across all environments and to all devices, with different policies for the computer at the front desk versus the CEO’s laptop. When devices step outside of those policies or normal patterns of behaviour it will be flagged. It also lets organisations test those policies before they are put into action, meaning more effectiveness and less business disruption. This gives organisations the ability to stop lateral threat movements in their tracks in a way that’s built around an open, heterogenous network environment.”
For more information on Forescout, click here.
Image: Joshua Sortino via Unsplash.com