Network segmentation is the practice of subdividing a network into functional domains and limiting the communications between those domains.
For example, an enterprise might create separate segments for accounting, HR, product development, manufacturing, customer service, marketing, sales and building automation. No part of the network is exempt. Segmentation works for cloud computing, as well as SaaS applications.
Communication between the segments is controlled at specific choke points where security controls can be applied. At those points, network security teams can use tools such as deep packet inspection with intrusion detection, intrusion prevention and firewalling.
What is microsegmentation?
Microsegmentation takes network segmentation to the next level by enforcing policies on a more granular basis, such as by application or device. Microsegmentation can incorporate role-based access control based on an endpoint’s role and access policies. An IoT device wouldn’t be able to communicate with anything but its application server, not even another IoT device. A data entry person in accounting wouldn’t be able to perform other accounting functions or access nonaccounting systems.
In these examples, an endpoint can be an application server, a user with a computing resource or a digital automaton that performs some action. An RFID reader that updates an inventory database at a loading dock represents such a device. A chatbot is a digital entity that accesses customer order databases to satisfy a customer’s query. Neither example endpoint should be able to access systems other than those it was designed to use.
Microsegmentation divides workloads into individual segments, enabling network security teams to enforce more granular policies.
The benefits of network segmentation
The primary benefit of network segmentation is it limits the damage from a cybersecurity attack. On the monitoring front, security systems can provide alerts when an unauthorized endpoint tries to access the system, identifying bad actors who are attempting lateral spread.
Segmentation can also reduce the scope of regulatory compliance, like the Payment Card Industry Data Security Standard. Audits only need to involve the part of the network that processes and stores payment card information. Of course, such audits should validate proper segmentation practices.
Network segmentation best practices
So, what are some strategies network teams can follow when segmenting their networks?
Create security policies and identify resources
To implement network segmentation, network teams should start by creating security policies for each type of data and asset they need to protect. The policies should identify each resource, the users and systems that access it, and the type of access that should be provided.
Use allowlists
Next, teams should implement allowlist access controls: deny everything by default and permit only the flows each application actually needs. This practice significantly improves network security. To make it work, teams need to identify the application data flows for each application. While this process can take a significant amount of work, it is well worth the time and effort when compared with the cost of a cybersecurity event.
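As a worked illustration of the two ideas above (role-based microsegmentation and allowlist access control with a default deny), here is an added Python example that is not part of the original article. It evaluates constructed flow records against a small role-based allowlist and emits an alert for every denied flow, which is the kind of signal the monitoring described earlier would raise. The endpoint names, roles, segments and flows are all hypothetical sample data.

```python
"""Role-based allowlist for microsegmentation: a flow is denied unless a rule
explicitly permits it, and denied flows are reported as alerts.
All endpoints, roles and flows below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    role: str      # the function the endpoint was built to perform
    segment: str   # the network segment it lives in


@dataclass(frozen=True)
class AllowRule:
    src_role: str
    dst_role: str
    proto: str
    dport: int


# Hypothetical allowlist keyed on roles rather than addresses. Anything not
# listed is denied, including IoT-to-IoT traffic and accounting data entry
# reaching other accounting functions or non-accounting systems.
ALLOWLIST = [
    AllowRule("iot-rfid-reader", "inventory-app", "tcp", 8443),
    AllowRule("inventory-app", "inventory-db", "tcp", 5432),
    AllowRule("accounting-data-entry", "ar-entry-app", "tcp", 443),
    AllowRule("accounting-controller", "ar-entry-app", "tcp", 443),
    AllowRule("accounting-controller", "general-ledger-app", "tcp", 443),
]

# Constructed inventory of endpoints and their assigned roles/segments.
ENDPOINTS = {
    "rfid-dock-1": Endpoint("rfid-dock-1", "iot-rfid-reader", "iot"),
    "rfid-dock-2": Endpoint("rfid-dock-2", "iot-rfid-reader", "iot"),
    "inv-app": Endpoint("inv-app", "inventory-app", "manufacturing"),
    "inv-db": Endpoint("inv-db", "inventory-db", "manufacturing"),
    "ws-alice": Endpoint("ws-alice", "accounting-data-entry", "accounting"),
    "ar-app": Endpoint("ar-app", "ar-entry-app", "accounting"),
    "gl-app": Endpoint("gl-app", "general-ledger-app", "accounting"),
    "payroll": Endpoint("payroll", "payroll-app", "hr"),
}


def evaluate(src: Endpoint, dst: Endpoint, proto: str, dport: int,
             allowlist=ALLOWLIST) -> Tuple[str, str]:
    """Return ("allow", matched rule) or ("deny", reason). Default is deny."""
    for rule in allowlist:
        if (rule.src_role, rule.dst_role, rule.proto, rule.dport) == \
                (src.role, dst.role, proto, dport):
            return "allow", f"{rule.src_role}->{rule.dst_role} {proto}/{dport}"
    if src.segment == dst.segment:
        return "deny", f"no rule for {src.role}->{dst.role} inside segment {src.segment}"
    return "deny", f"no rule for {src.role}->{dst.role} across {src.segment}->{dst.segment}"


def audit_flows(flows, endpoints=ENDPOINTS, allowlist=ALLOWLIST) -> List[str]:
    """Run observed flows (src, dst, proto, dport) through the policy and
    return one alert line per denied flow."""
    alerts = []
    for src_name, dst_name, proto, dport in flows:
        src, dst = endpoints[src_name], endpoints[dst_name]
        decision, reason = evaluate(src, dst, proto, dport, allowlist)
        if decision == "deny":
            alerts.append(f"ALERT {src_name} -> {dst_name} {proto}/{dport}: {reason}")
    return alerts


# Constructed flow records, in the shape a flow collector might export.
SAMPLE_FLOWS = [
    ("rfid-dock-1", "inv-app", "tcp", 8443),    # the reader doing its job
    ("rfid-dock-1", "rfid-dock-2", "tcp", 22),  # IoT device reaching a peer
    ("ws-alice", "ar-app", "tcp", 443),         # data entry to its own app
    ("ws-alice", "gl-app", "tcp", 443),         # data entry reaching the ledger
    ("ws-alice", "payroll", "tcp", 443),        # accounting user into HR
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

Keying the policy on roles rather than IP addresses is what lets the same rule set apply wherever an endpoint connects; the two in-segment denials (IoT to IoT, data entry to the ledger) are exactly the flows a VLAN-only design would let through.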
Technologies to implement network segmentation
Network segmentation can be based on physical separation, logical separation or both, depending on the specific instance. Firewalls, access control lists (ACLs) and virtual LANs (VLANs) provide the basic segmentation functionality.
The next step adds virtual routing and forwarding (VRF) to segment routing information. An advanced implementation would implement a full multi-tenant system based on software-defined technologies that combine firewalls, ACLs, VLANs and VRF.
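To make the basic firewall/ACL/VLAN layer concrete, here is an added Python example (not from the original article) that turns a per-segment subnet plan and a list of permitted inter-segment flows into an nftables forward chain with a default drop and logging of everything else. The segment names, CIDRs and allowed flows are constructed; the nftables syntax is real, but the table name and comments are hypothetical choices.

```python
"""Generate an nftables forward-chain ruleset enforcing segment-to-segment
allowlisting with a default drop. Segment CIDRs and flows are constructed
sample values, not taken from any real deployment."""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Hypothetical VLAN/segment plan: one subnet per functional domain.
SEGMENTS: Dict[str, str] = {
    "accounting": "10.10.0.0/24",
    "hr": "10.20.0.0/24",
    "manufacturing": "10.30.0.0/24",
    "iot": "10.40.0.0/24",
    "building-automation": "10.50.0.0/24",
}

# Permitted inter-segment flows: (src segment, dst segment, proto, dport).
INTER_SEGMENT_ALLOW: List[Tuple[str, str, str, int]] = [
    ("iot", "manufacturing", "tcp", 8443),        # RFID readers -> inventory app
    ("accounting", "manufacturing", "tcp", 443),  # accounting reads inventory reports
]


def validate_segments(segments: Dict[str, str]) -> bool:
    """Reject overlapping subnets: an overlap puts one address in two segments,
    so which rule wins becomes an accident of rule order."""
    nets = [(name, ip_network(cidr)) for name, cidr in segments.items()]
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"segments {a_name} and {b_name} overlap")
    return True


def build_nft_ruleset(segments: Dict[str, str],
                      allowed: List[Tuple[str, str, str, int]],
                      table: str = "inet segmentation") -> str:
    """Emit an nft ruleset: default-drop forward chain plus one accept per flow."""
    validate_segments(segments)
    lines = [
        f"table {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        # Return traffic for already-permitted flows.
        "    ct state established,related accept",
    ]
    for src, dst, proto, dport in allowed:
        if src not in segments or dst not in segments:
            raise KeyError(f"unknown segment in flow {src}->{dst}")
        lines.append(
            f"    ip saddr {segments[src]} ip daddr {segments[dst]} "
            f"{proto} dport {dport} accept comment \"{src}->{dst}\""
        )
    # Explicit log-then-drop so denied cross-segment attempts are visible.
    lines.append('    log prefix "seg-deny " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_nft_ruleset(SEGMENTS, INTER_SEGMENT_ALLOW))
```

The chain only sees traffic that is routed between segments; hosts in the same VLAN reach each other without passing through it, which is why in-segment control needs the per-endpoint microsegmentation described earlier rather than another ACL here.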
Software-defined access
Software-defined access (SD-access) identifies endpoints and assigns them to the proper network segments, regardless of where they physically connect into the network. SD-access tags packets to identify the segment to which they belong. Tagging makes it efficient for the network to apply the proper policy to network flows.
Physical separation
Network teams should use physical separation, such as separate firewalls, when they need to reduce the complexity of firewall rules. Mixing the rules for a large number of applications in one firewall can become impossible to maintain. Complex rule sets rarely have rules removed, because the effect of removing a rule is difficult to determine. Using separate virtual firewalls (one VM-based firewall instance per application or group of applications) can greatly simplify each rule set, making it easier for teams to audit and remove old rules when requirements change.
Automation
Finally, teams can use automation to help maintain network security. Many of the security audit steps can and should be automated to ensure they are consistently applied. Tools based on software-defined technology can aid in automation.
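The passages above on unmaintainable rule sets and on automating audit steps both come down to one question: which rules can be removed without changing what the firewall does? An added Python example (not from the original article) answers the part of that question that can be settled mechanically. In a first-match rule set, a rule that is completely covered by an earlier rule can never match, so deleting it cannot change behaviour; if the two rules have different actions, the later rule is dead and the intent behind it was never enforced. The rules below are constructed sample data.

```python
"""Audit a first-match firewall rule set for rules that can never match
because an earlier rule already covers every packet they describe.
All rules below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "accept" or "drop"
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range; (0, 65535) = any


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    try:
        if not ip_network(inner.src, strict=False).subnet_of(ip_network(outer.src, strict=False)):
            return False
        if not ip_network(inner.dst, strict=False).subnet_of(ip_network(outer.dst, strict=False)):
            return False
    except TypeError:
        # Mixed IPv4/IPv6 rules never overlap.
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (shadowed rule, shadowing rule, kind) for each rule that an
    earlier rule fully covers. 'redundant' means same action (safe to delete);
    'dead' means the actions differ, so the later rule's intent is not in effect."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "dead"
                findings.append((later.name, earlier.name, kind))
                break  # first covering rule is enough to decide
    return findings


# Constructed rule set with two problems buried in it.
RULES = [
    Rule("allow-web", "accept", "10.10.0.0/24", "10.30.0.10/32", "tcp", (443, 443)),
    Rule("block-acct-to-mfg", "drop", "10.10.0.0/24", "10.30.0.0/24", "any", (0, 65535)),
    Rule("allow-old-reporting", "accept", "10.10.0.50/32", "10.30.0.20/32", "tcp", (8080, 8080)),
    Rule("allow-web-dup", "accept", "10.10.0.0/25", "10.30.0.10/32", "tcp", (443, 443)),
    Rule("allow-dns", "accept", "10.10.0.0/24", "10.0.0.53/32", "udp", (53, 53)),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(RULES):
        print(f"{shadowed}: {kind}, covered by {by}")
```

Running this on the sample set reports allow-old-reporting as dead (the broad drop above it wins first) and allow-web-dup as redundant. The check is deliberately conservative: it only flags a rule covered by a single earlier rule, not rules covered by the union of several, so anything it reports can be removed without further analysis, and a scheduled run of it is one audit step that can be automated as the text recommends.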