Network segmentation is the practice of compartmentalizing your network in order to deliver specific security controls and services to each part, and to manage network congestion. With ransomware attacks increasingly focused on disrupting business operations, it is critical that organizations separate their corporate business functions from their business-critical operations, so that if the corporate network is ever compromised, they are still able to continue operating. When the separation is done logically through switches and firewalls rather than with separate physical cabling, the segments are commonly implemented as virtual local area networks (VLANs).
Network segmentation not only protects against widespread cyberattacks, it also gives an organization control and visibility. Segmentation limits access to data and other assets to what is needed, both internally and externally. By reducing the number of users in each segment, network performance also improves.
Network Segmentation Best Practices
1. Define a Framework/Roadmap. Include all stakeholders in planning, center the plan on business and security objectives, and give top priority to the most critical security needs.
2. Identification and Visibility. Gain full network visibility and use it to identify how all critical business applications communicate. This is called Application Dependency Mapping and is a crucial step in restricting lateral movement within a network.
3. Isolation. After the segments within the network are identified, isolate them and test to confirm that the segmentation holds.
4. Policy Enforcement. Enforce network segmentation at every layer of your network, whether through software-defined access technology or more traditional approaches such as internal firewalls, Virtual Local Area Networks (VLANs), or Access Control Lists (ACLs).
5. Do Not Over-Segment. Determine the best balance between meeting security needs and not impeding business effectiveness and efficiency.
6. Keep Scalability in Mind. When creating your roadmap and policies, remember to factor in growth so that your segmentation solution can be scaled and managed as the company grows.
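As an added illustration of steps 2 to 4 above (this is example code written for this page, not from the original article or any vendor product), the script below models an inter-segment allow-list of the kind that application dependency mapping produces, evaluates a handful of constructed flow-log records against it with a default-deny rule at every segment boundary, and runs an isolation check that confirms no common lateral-movement port is reachable into the operations segment from another segment. The segment address ranges, the allow-list, the flow-log format and the port list are all constructed assumptions for the example.

```python
"""Audit constructed flow records against a default-deny segmentation policy."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed segment definitions; the address ranges are hypothetical.
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "operations": ipaddress.ip_network("10.20.0.0/16"),  # business-critical operations
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
}

# Inter-segment allow-list as application dependency mapping would produce it (constructed).
# Tuple layout: (source segment, destination segment, protocol, destination port).
# Any inter-segment flow not listed here is denied, as is anything from unknown address space.
ALLOWED_FLOWS = {
    ("corporate", "dmz", "tcp", 443),    # staff browse the intranet portal hosted in the DMZ
    ("dmz", "operations", "tcp", 5432),  # the portal reads the operations reporting database
}

# Ports frequently abused for lateral movement (constructed list for the isolation check).
LATERAL_PORTS = (22, 135, 139, 445, 3389, 5985)

# Constructed flow-log line format: "<timestamp> src=<ip> dst=<ip> proto=<proto> dport=<port>"
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)")

SAMPLE_FLOWS = [  # constructed sample records
    "2024-05-01T10:00:01Z src=10.10.4.12 dst=10.30.0.8 proto=tcp dport=443",
    "2024-05-01T10:00:02Z src=10.10.4.12 dst=10.20.1.5 proto=tcp dport=445",
    "2024-05-01T10:00:03Z src=10.20.1.5 dst=10.20.1.9 proto=tcp dport=502",
    "2024-05-01T10:00:04Z src=10.30.0.8 dst=10.20.1.5 proto=tcp dport=5432",
    "2024-05-01T10:00:05Z src=192.0.2.10 dst=10.20.1.5 proto=tcp dport=3389",
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip: str) -> Optional[str]:
    """Return the name of the segment containing ip, or None if it lies outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    """Boundary policy: default deny between segments; intra-segment traffic is not its concern."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False  # unknown address space never crosses a segment boundary
    if src_seg == dst_seg:
        return True   # same segment: governed by host-level policy, not the boundary
    return (src_seg, dst_seg, flow.proto.lower(), flow.dport) in ALLOWED_FLOWS


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow-log line; return None when the record does not match the format."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], m["dst"], m["proto"], int(m["dport"]))


def audit(lines) -> list:
    """Return (line, reason) for every record that the segmentation policy would deny."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            violations.append((line, "unparseable record"))
        elif not is_allowed(flow):
            reason = f"{segment_of(flow.src)} -> {segment_of(flow.dst)} {flow.proto}/{flow.dport} not in allow-list"
            violations.append((line, reason))
    return violations


def representative(segment: str) -> str:
    """First usable host address of a segment, used to exercise the policy."""
    return str(next(SEGMENTS[segment].hosts()))


def verify_isolation(target: str = "operations") -> list:
    """Step 3 check: report any lateral-movement port allowed into target from another segment."""
    exposed = []
    for src_seg in SEGMENTS:
        if src_seg == target:
            continue
        for port in LATERAL_PORTS:
            if is_allowed(Flow(representative(src_seg), representative(target), "tcp", port)):
                exposed.append((src_seg, port))
    return exposed


if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print("VIOLATION:", reason, "|", line)
    print("lateral-movement ports exposed into operations:", verify_isolation())
```

Running it flags two of the five constructed records: the corporate-to-operations SMB attempt on port 445 and the port 3389 attempt from an address outside every defined segment. The isolation check comes back empty because the only path into operations is the single database port from the DMZ; adding a broad corporate-to-operations rule to the allow-list would make it report the exposed ports, which is the kind of over-segmentation versus under-segmentation trade-off step 5 asks you to weigh deliberately.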
In the event that a company is attacked, having a segmented network helps the recovery process, because it should limit the scope of the attack to only a portion of the network infrastructure. Without a segmented network, the smallest breach can turn into a massive incident with huge, potentially company-ending, financial impacts.