Go Atomic or Go Home

Have you never heard the term ‘Atomic Segment’ used in security? Me neither. That is, until I came to Check Point. If you think about it, it makes a lot of sense. An atomic segment is a set of computing and networking elements that: (1) share a common security profile; (2) cannot further be subdivided into smaller segments; and (3) can be protected using a set of distinct policies that control all commands and communications between the segment and external entities. It is a critical area needing protection.

When we talk about protecting a network, you have to assume your security policies won’t catch everything. Whether the intruder is a virus or a hacker, once inside most networks it can roam freely. Segmenting prevents this movement and protects different parts of your network. The atomic segments are those critical areas that govern specific functions where only a subset of users needs access.

So how do you know what is or is not an atomic segment? We pared it down to these basic questions. When looking at any set of elements:

  • Does this part of the network have boundaries with a distinct set of users?
  • Do they support the same set of business processes vs. being for general use?
  • Do they handle similar assets?
  • Do they receive the same level of security protections?

If you answered “yes” to all of these questions, then bind these entities within a single atomic segment. If you answered “no” to at least one question, then segment at least some of the entities separately. Examples of an atomic segment might include a single device on which you install security software, or a number of hosts on a shared network protected by a security gateway, such as:

  • Public – systems and data that are cleared for access by the general public
  • Customer – systems and data that contain confidential customer information. Typically cleared for access by authenticated customers and a small number of internal users
  • Internal – may be accessed by employees from anywhere
  • Sensitive – internal systems and data requiring enhanced protections
  • Departmental – restricted to selected individuals by departmental role
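A worked illustration of the four-question test and of binding elements into atomic segments, added here as example code that is not part of the original post; the inventory, host names and attribute values are constructed assumptions, and the five profiles mirror the segment types listed above.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityProfile:
    """The common security profile: one field per question in the post."""
    users: frozenset          # who has access (question 1)
    business_process: str     # business process supported (question 2)
    asset_class: str          # kind of assets handled (question 3)
    protection_level: str     # security protection applied (question 4)

@dataclass(frozen=True)
class Element:
    name: str
    profile: SecurityProfile

def check_segment(elements):
    """Apply the four questions to a proposed segment and return the ones
    answered 'no'; an empty list means the elements form one atomic segment."""
    failures = []
    if len({e.profile.users for e in elements}) > 1:
        failures.append("distinct set of users")
    if len({e.profile.business_process for e in elements}) > 1:
        failures.append("same business processes")
    if len({e.profile.asset_class for e in elements}) > 1:
        failures.append("similar assets")
    if len({e.profile.protection_level for e in elements}) > 1:
        failures.append("same level of protection")
    return failures

def atomic_segments(elements):
    """Partition an inventory into atomic segments: elements with identical
    profiles are bound together, so no segment can be subdivided further."""
    groups = defaultdict(list)
    for e in elements:
        groups[e.profile].append(e.name)
    return sorted(sorted(names) for names in groups.values())

# Constructed sample inventory (hypothetical hosts and attribute values).
PUBLIC = SecurityProfile(frozenset({"anyone"}), "marketing-site", "public-content", "standard")
CUSTOMER = SecurityProfile(frozenset({"customers", "support"}), "customer-service", "customer-pii", "enhanced")
INTERNAL = SecurityProfile(frozenset({"employees"}), "collaboration", "internal-docs", "standard")
DEPARTMENTAL = SecurityProfile(frozenset({"hr-staff"}), "payroll", "employee-records", "enhanced")
WEB1 = Element("web1", PUBLIC)
WEB2 = Element("web2", PUBLIC)
CRM = Element("crm", CUSTOMER)
WIKI = Element("wiki", INTERNAL)
HR_DB = Element("hr-db", DEPARTMENTAL)
INVENTORY = [WEB1, CRM, WIKI, WEB2, HR_DB]
```

Running `check_segment([WEB1, WEB2, CRM])` lists all four questions, so a proposed segment mixing the public web servers with the customer system must be split; `atomic_segments(INVENTORY)` produces the four segments that remain.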

Defining atomic segments and identifying the entities that share a common security profile is the first step in implementing a true SDP (Software-defined Protection) architecture. Practice this discipline at the core of your network, and you will better protect your entire enterprise against threats, both internal and external. Get more information on protecting your network with SDP and get started today.