Legitimate users have reasons for accessing data on your corporate networks. Employees need to get their work done, customers need to research your offerings and interact with your brand, and partners need to share relevant data so they can work efficiently with your organization. Not everyone needs access to all your data, however. And that’s the key to network segmentation.
The first step in implementing network segmentation is identifying the assets and data that are critical to running your business and then isolating them on separate networks so only people with the correct authority, and best intentions, can access them. By properly segregating the networks, you are essentially minimizing the level of access to sensitive information for those applications, servers, and people who don’t need it.
This is such an obvious vulnerability that it is amazing, if not disturbing how many organizations ignore it. The much reported hack of a large retailer, for example, was made possible because HVAC contractors had access to the same network within the retailer’s environment that contained its point-of-sale systems.
In conjunction with segregating front-end customer focused networks from back-end critical networks, you need to critically review who needs to have access to which networks.
A useful rule of thumb in network segmentation is the “Rule of Least Privileged” which stipulates only giving a user privileges essential to that user’s work. Organizations that apply this rule diligently, stand a better chance of keeping their brand off the walk of shame on national news for losing customer data.
A good approach to authorizing users access to specific systems is to deny privileges unless there is a specific need for access. It may even be appropriate to block users from whole geographic regions from access to specific networks. When in doubt, deny access until convinced otherwise.
Network segmentation is a simple concept, but it would be misleading not to acknowledge that accomplishing it often involves dozens of firewalls, switches and routers and hundreds of security rules. It can be overwhelming for an IT department, even with a well-staffed network team, to segregate networks effectively while they are focusing on upgrading, patching and putting out fires.
Don’t put off closing these vulnerabilities until it’s too late, however. A security breach can start fires in your IT environment that will burn your organization all the way to the Wall Street Journal.
Next up in our Security Series: “Arming Your Network as the First Line of Defense.”