Preventing a Stalled Network Segmentation Project
As part of Solutions Review’s Premium Content Series — a collection of contributed columns written by industry experts in maturing software categories — Ido Daniel of Forescout offers a step-by-step guide to prevent your network segmentation project from stalling.
In healthy relationships, we avoid making assumptions about a situation until we know all the facts and establish where miscommunications may have begun. This same mindset should be applied when evaluating the success of your organization’s network segmentation project.
It’s an unfortunately common practice for organizations to assume their assets and networks are fully separated when they are not. A variety of factors complicate this assumption, including the disintegration of network perimeters due to the pervasiveness of remote work and the growing number and diversity of connected IoT and OT assets. The attack surface is thus constantly expanding, making it more challenging to properly segment and monitor networks. As threats evolve and our networks, and the way assets communicate within them, grow more complex, proper network segmentation is vital. However, organizations need to be aware of the nuances and what to avoid so that they don’t start something they won’t be equipped to finish.
Reasons for Stalled Network Segmentation Projects: What to Avoid
Managing network segmentation projects is kind of like going camping. The way you pack and prepare will be reflective of where you are headed. After all, you wouldn’t pack beach clothes for a trip to the mountains, would you?
One of the main reasons that network segmentation projects stall is a strategic misalignment in how to manage the new network environment. Properly segmenting networks requires a different type of thought process, and too often, teams try to manage their new network segmentation projects the same way they would their original network environment. Taking a flat and static environment and segmenting it requires a thorough understanding of how to manage everything categorically. Once this mindset changes, enforcing network segmentation security and policy, and aligning it with current policies, will be more efficient and accurate.
Another common oversight that causes stalled network segmentation projects is forgetting to align goals and objectives between different security and business teams. Network segmentation is usually put into place by IT teams, whereas CISOs typically create the policies that the project will follow. On top of this, there are the business managers who work to prioritize and allocate company resources. All of these departments make decisions from different perspectives though they all want what is best for the company. Once security and business teams are on the same page with goals, they can collaborate more productively and begin strategizing for the network segmentation plan.
Best Practices for Smoother Segmentation
Companies wishing to start network segmentation projects must consider the day-to-day business impacts that undertaking a network segmentation project can have, alongside the advantages it can generate over time. The short-term impact of network segmentation may cause a few workflow disruptions at first, but it makes things easier to monitor and more efficient to secure in the long term. Your networks will have narrower attack surfaces, more effective policy organization, and overall, more consistent performance with fewer disruptions.
Here are five best practices to keep in mind when preparing for and implementing your network segmentation project:
- Gain Complete Visibility of All Connected Assets and Map How They Communicate. Only after seeing all of your assets – including how they communicate, their business criticality, risk level, and compliance status – should your company determine how it wants to segment its network and choose policies. Having complete visibility of all assets allows you to classify them in business contexts and group them into business hierarchies that are unique to your own company. With a full picture of all connected assets in your network, you can map traffic flows among users, services, applications, and other assets into a matrix. This enables your team to see how those connected assets are currently interacting versus how they should be interacting. Your team will then have sufficient background insight to filter and group assets accordingly to facilitate an easier policy design process.
- Simulate the Impact of Network Segmentation Policies Before Policy Implementation. As your team begins to pick and choose policies, it’s imperative that you first determine how each of your options will impact traffic flows and integrate with other technologies already being utilized by your company, such as those in on-premise networks and in the cloud, through policy simulation. A traffic matrix becomes useful here because you can identify where you have policies in place, their compliance levels, and if they overlap or conflict with one another. It can also flag where unwanted policy violations would occur based on new policies so you can fine-tune and validate them without causing actual harm before going live.
- Continuously Monitor for Policy Violations Once Implemented. With the rapid adoption of IoT devices, the refreshing of hardware, and mergers and acquisitions, your network segmentation design will continue to face dynamic conditions as your company evolves. Setting up a solution for continuous monitoring and alerting of policy violations will help ensure that what you segmented remains separated.
Within this stage, it is important for security teams to work together on the zero trust policy they will use on top of the network segmentation project.
- Establish Controls to Enforce Policy Compliance When Violations Occur. If a policy violation occurs, enforcing segmentation can prove quite challenging because there are usually many overlapping multi-vendor technologies that need to be aligned to enforce compliance as well. This may include firewalls, access control lists (ACLs), SDN controllers, virtual LANs, and more – all of which have their own policies and controls and must be managed across infrastructure for the campus, data center, cloud, remote and other networks. To maintain segmentation hygiene and avoid policy sprawl, you need a unified framework – that is, a single Policy Decision Point – to orchestrate controls across the different security tools in your environment and enforce compliance with segmentation policies.
- Automate Security Processes to Accelerate the Segmentation Journey. Automation plays a key role in allowing your network to grow and evolve alongside your company while ensuring connected assets are secure and policies are applied to them quickly. For instance, leveraging automated, agentless asset discovery and mapping (from managed endpoints and servers to unmanaged IoT, OT, and specialized assets like medical devices) will accelerate the design of your project and instill confidence in the approach you choose. Everything you need to analyze would be collected for you instead of spending hours upon hours going through traffic logs. And assets that work similarly would be grouped together instead of relying on legacy or manual tools that don’t provide full visibility of all your assets and how they communicate.
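The first three practices above describe one workflow: aggregate observed flows into a group-to-group traffic matrix, dry-run the proposed rules against that matrix to see which existing flows would break and which group pairs no rule governs, check the rules for overlap, and then keep evaluating new flows against the same rules once they are enforced. The Python sketch below is an added example written for this column, not code from the article or from Forescout; the asset inventory, group names, flow records and rules are all constructed for illustration, and the "first match wins, deny between groups by default" semantics are an assumption chosen to keep the simulation readable.

```python
"""Segmentation policy dry-run and monitoring (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: asset address -> business group. In practice this comes
# from asset discovery and classification; the groups here are hypothetical.
ASSET_GROUPS = {
    "10.0.1.10": "workstations", "10.0.1.11": "workstations",
    "10.0.2.20": "hr-apps",
    "10.0.3.30": "building-ot", "10.0.3.31": "building-ot",
    "10.0.4.40": "infra-dns",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Constructed observed flows, standing in for the traffic map.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 443),   # workstation -> HR app
    Flow("10.0.1.11", "10.0.2.20", 443),
    Flow("10.0.1.10", "10.0.4.40", 53),    # workstation -> DNS
    Flow("10.0.3.30", "10.0.4.40", 53),    # OT controller -> DNS
    Flow("10.0.2.20", "10.0.4.40", 53),    # HR app -> DNS: no rule covers this pair
    Flow("10.0.1.11", "10.0.3.31", 502),   # workstation -> OT Modbus: should not exist
    Flow("10.0.3.30", "10.0.3.31", 502),   # OT -> OT, within one group
]


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    ports: frozenset   # empty set means "any port"
    action: str        # "allow" or "deny"


# Proposed policy (constructed). Evaluated top-down; first match wins.
POLICY = [
    Rule("workstations", "hr-apps", frozenset({443}), "allow"),
    Rule("workstations", "infra-dns", frozenset({53}), "allow"),
    Rule("building-ot", "infra-dns", frozenset({53}), "allow"),
    Rule("workstations", "building-ot", frozenset(), "deny"),
]


def build_traffic_matrix(flows, groups=ASSET_GROUPS):
    """Aggregate flows into a (src_group, dst_group) -> {ports} matrix."""
    matrix = defaultdict(set)
    for f in flows:
        matrix[(groups.get(f.src, "unknown"), groups.get(f.dst, "unknown"))].add(f.port)
    return dict(matrix)


def evaluate(flow, policy, groups=ASSET_GROUPS):
    """Return (action, matching_rule). Unmatched traffic is allowed within a known
    group and denied between groups or for unknown assets (assumed defaults)."""
    sg, dg = groups.get(flow.src, "unknown"), groups.get(flow.dst, "unknown")
    for r in policy:
        if r.src_group == sg and r.dst_group == dg and (not r.ports or flow.port in r.ports):
            return r.action, r
    return ("allow" if sg == dg and sg != "unknown" else "deny"), None


def simulate(flows, policy):
    """Dry run before go-live: observed flows the policy would block, and
    inter-group pairs that carry traffic but are governed only by the default."""
    would_break = [f for f in flows if evaluate(f, policy)[0] == "deny"]
    ungoverned = sorted(
        pair for pair in build_traffic_matrix(flows)
        if pair[0] != pair[1]
        and not any(r.src_group == pair[0] and r.dst_group == pair[1] for r in policy)
    )
    return would_break, ungoverned


def find_shadowed_rules(policy):
    """Overlap check: a later rule on the same group pair whose ports are fully
    covered by an earlier rule can never match; a differing action is a conflict."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            same_pair = (earlier.src_group, earlier.dst_group) == (later.src_group, later.dst_group)
            covers = not earlier.ports or bool(later.ports and later.ports <= earlier.ports)
            if same_pair and covers:
                shadowed.append((earlier, later))
                break
    return shadowed


def monitor(new_flows, policy):
    """Post-enforcement monitoring: every denied flow is an alert to investigate."""
    return [f for f in new_flows if evaluate(f, policy)[0] == "deny"]


if __name__ == "__main__":
    for (sg, dg), ports in sorted(build_traffic_matrix(OBSERVED_FLOWS).items()):
        print(f"{sg:>13} -> {dg:<13} ports={sorted(ports)}")
    broken, ungoverned = simulate(OBSERVED_FLOWS, POLICY)
    print("would break:", broken)
    print("ungoverned pairs:", ungoverned)
    print("shadowed rules:", find_shadowed_rules(POLICY))
```

Run against the constructed data, the dry run reports two flows the policy would block: the workstation-to-Modbus flow it is meant to stop, and the HR-app-to-DNS flow that simply has no rule and falls to the default deny. The second is exactly the kind of disruption the simulation step exists to surface before go-live, and the `ungoverned` list points at the missing rule. The same `evaluate` function then serves the monitoring stage, so an alert after enforcement means the traffic pattern changed, not the policy.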
Ultimately, network segmentation projects are no small task to take on, but they certainly don’t have to be overly complicated or costly to business operations. By aligning team mindsets from the beginning and following the best practices listed above, your company can streamline the design and implementation process and avoid stalling or restarting.