Segmentation – the Simplest Security Policy Most People Miss

In our 2014 Security Report, we highlighted a quote from Bill Cheswick, a world-renowned computer security expert, who in 1990 talked about first-generation network security focusing on perimeter protection. He called this simple perimeter security concept ‘a sort of crunchy shell around a soft, chewy center.’

The idea used to be that an organization’s internal network was “trusted,” whereas the external Internet was “untrusted.” Early firewalls permitted outbound connections (from trusted to untrusted) but prevented inbound connections. Next-generation firewalls extend this framework by adding an Intrusion Prevention System (IPS) and user and application awareness capabilities to provide more granular control of outbound and inbound network traffic.

So: where exactly is the perimeter? Today’s enterprise information systems have multiple physical sites and network environments and provide services not only to internal users, but also to business partners, customers and the general public. Corporate assets rely on different types of computing resources, ranging from mainframe computers to employees’ mobile devices.

The perimeter continues to blur and expand. Smart organizations are abandoning the idea of a trusted internal network because they are asking the question: what is internal? Motivated attackers can use physical access, social engineering, compromises within the hardware and software supply chains, or zero-day exploits, any of which can eventually breach corporate defensive mechanisms. Internal security controls need to provide visibility and protection over interactions within the enterprise network.

Segmentation is critical for the survival of an organization under attack. Just as ships use sealed watertight compartments to remain afloat when attacked, large organizations should identify the various segments of their network. This is especially true for parts of the network needing different security characteristics – like your internal engineering development network vs. your ERP and CRM networks or your customer-facing network.

Segmentation allows for insertion of enforcement points between unrelated, or barely related, elements of your network. You really should ensure only authorized users have access to parts of your internal network, but have you?
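As an added illustration, not code from the original post, here is a small Python policy check that maps addresses to the segments named above (engineering, ERP/CRM, customer-facing, and the outside Internet), applies a default-deny allowlist at the boundaries between them, and audits connection records for cross-segment flows that no rule permits. The address ranges, ports and connection records are constructed assumptions.

```python
import ipaddress

# Constructed example: segments named after the ones in the post above.
# The address ranges are assumptions, not taken from the original post.
SEGMENTS = {
    "engineering": ipaddress.ip_network("10.10.0.0/16"),
    "erp_crm": ipaddress.ip_network("10.20.0.0/16"),
    "customer_facing": ipaddress.ip_network("192.0.2.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),  # catch-all: the untrusted outside
}
# Enforcement-point policy between segments: (src segment, dst segment, dst port).
# Anything not listed is denied; the default is deny, not "internal = trusted".
ALLOWED = {
    ("internet", "customer_facing", 443),   # public web tier is the only exposed service
    ("customer_facing", "erp_crm", 5432),   # web tier talks to the ERP/CRM database only
    ("engineering", "internet", 443),       # developers fetch from external services
}

def segment_of(ip):
    """Return the name of the most specific segment containing ip."""
    addr = ipaddress.ip_address(ip)
    name, _ = max(((n, net) for n, net in SEGMENTS.items() if addr in net),
                  key=lambda item: item[1].prefixlen)
    return name

def is_allowed(src_ip, dst_ip, dst_port):
    """Decide whether a flow may cross the enforcement point between two segments."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True  # traffic inside one compartment is outside this policy's scope
    return (src, dst, dst_port) in ALLOWED

def audit(records):
    """Return (src segment, dst segment, port) for every record the policy would deny."""
    denied = []
    for rec in records:
        src_ip, dst_ip, port = rec.split()
        if not is_allowed(src_ip, dst_ip, int(port)):
            denied.append((segment_of(src_ip), segment_of(dst_ip), int(port)))
    return denied

# Constructed connection records: "source_ip destination_ip destination_port".
SAMPLE_RECORDS = [
    "203.0.113.7 192.0.2.10 443",   # public user reaching the customer-facing web tier
    "192.0.2.10 10.20.1.5 5432",    # web tier querying the ERP/CRM database
    "10.10.4.22 10.20.1.5 5432",    # a development host reaching straight into ERP/CRM
    "10.10.4.22 10.10.9.1 22",      # intra-engineering SSH, not crossing a boundary
    "203.0.113.7 10.20.1.5 3389",   # outside host reaching ERP/CRM, bypassing the shell
]
```

Running `audit(SAMPLE_RECORDS)` flags the two flows that cross a segment boundary without a rule, which is exactly the traffic a flat "trusted internal" network would have passed silently.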

Learn more about best practices in segmenting your network with this video: Segmentation is the New Network Perimeter.