Why network segmentation is ready for an overhaul

The past five years have seen the overhaul of some of cybersecurity’s biggest technology categories. Palo Alto Networks and the next-generation firewall market upended the network security market, companies like Splunk turned SIEM on its head, and next-generation endpoint technology from companies like Crowdstrike and Cylance changed the game for endpoint security.

As these transformations take hold in the market, the question becomes: what comes next? Which technology will be the next one to be revolutionized?

The next category most likely to be disrupted is network segmentation, which allows companies to split their main network into smaller sub-networks to mitigate risks. From a cybersecurity perspective, this means you can have networks with sensitive finance data or customer credit card information on a totally separate network from potential entry points for attack, like an employee’s laptop or your smart building technology.

While network segmentation isn’t new, it hasn’t been widely adopted across the enterprise. Some of this can be credited to shortcomings of existing technologies for today’s companies, such as the difficulty of implementing them in environments outside of the data center, or blind spots like unmanaged devices.

But there are a few signs already that the technology is ready for a revamp. Hackers continue to penetrate company networks, and the ease with which they can move laterally across the network means they are able to cause greater havoc to an organization. Companies are also facing new, more complex compliance requirements and greater risk overall as the attack surface grows due to a rising volume and diversity of devices, including IoT and operational technology (OT) devices. Network segmentation is one way that companies can better handle some of these challenges, or at least limit their risk.

As part of any coming transformation, our industry needs to shift its thinking about what we want from the next generation of network segmentation tools and consider some of the qualifications for these technologies.

First, we should make sure we are getting the full context of all devices and applications we might want to segment across the full extended enterprise, from campus to data center to cloud and OT environments. Without that context as a baseline, you won’t know what or how to segment. The more granular that context, the more helpful it can be. For instance, it is helpful to know whether a camera is a surveillance camera or a teleconferencing camera, because you might want different policies for each type.

Today, CISOs are challenged when they only get that context in pieces. They may know device types or applications for the data center, which is generally easier because devices are more straightforward, but not across the entire enterprise. But they will need this data as the foundation if they want to apply network segmentation effectively and more broadly.

Second, the future of network segmentation needs traffic context. Very few organizations have the luxury of building their network entirely from scratch. Instead, they’re more likely to be layering network segmentation on top of existing networks. To do that effectively, you need to know what is talking to what. You also need to know what counts as legitimate traffic, as in what should be talking to what. If you don’t have visibility into that, you can’t have full confidence that you can enforce network segmentation rules without breaking anything.

Finally, organizations will be able to use all that context information to create and enforce policies. This is the step that will take us to the next generation of network segmentation. It will set boundaries across the network, segmenting it so devices and applications can only access the data they need and so the blast radius of an attack is contained inside a limited area.

The important thing to note about this final step is that it will likely always be an iterative process. The enforcement of the policies should be dynamic and automated, taking the device and traffic context and using it to stay up to date with today’s rapidly changing networks. Older policies may need to be updated to take a changing environment into account. Enforcement should also be orchestrated across multiple technologies to account for varying infrastructure, like campus switches, firewalls, SDN infrastructure, and public cloud infrastructure. All of these nuanced changes are possible if you have deep context about the environment. Ideally, we could also simulate these changes ahead of time, so security personnel could test policies as they create them and see how they might impact the network before they are put into action. You don’t want to break something in the process!
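The three steps above (device context, traffic context, then policy with a dry run before enforcement) can be sketched end to end in a few dozen lines. The following is an added example written for this article, not code from the author or any product it mentions; the device inventory, the flow records and the policy are all constructed, hypothetical data. It builds a "what talks to what" baseline from the flows, keyed by device class rather than by address, then simulates an allow-list policy against that baseline and reports which observed flows the policy would cut off, so an analyst can decide whether each one is a rule that is missing or a connection that should not exist.

```python
"""Baseline observed traffic by device class, express a segmentation policy,
and simulate it against the baseline before anything is enforced."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed device inventory (hypothetical addresses): ip -> (class, zone).
# This is the "device context" the article describes; note that the two
# cameras are deliberately given different classes.
INVENTORY = {
    "10.1.0.10": ("workstation", "campus"),
    "10.1.0.11": ("workstation", "campus"),
    "10.1.5.20": ("surveillance_camera", "ot"),
    "10.1.5.21": ("conference_camera", "campus"),
    "10.2.0.5": ("video_recorder", "ot"),
    "10.2.0.9": ("finance_db", "datacenter"),
    "10.2.0.30": ("finance_app", "datacenter"),
    "10.2.0.40": ("collab_server", "datacenter"),
}

# Constructed flow records, one per line: src,dst,dport,proto,bytes
FLOW_LOG = """\
10.1.0.10,10.2.0.30,443,tcp,48211
10.1.0.11,10.2.0.30,443,tcp,10233
10.2.0.30,10.2.0.9,5432,tcp,901233
10.1.5.20,10.2.0.5,554,tcp,88120332
10.1.5.21,10.2.0.40,443,tcp,301222
10.1.5.20,10.2.0.9,5432,tcp,4409
10.1.0.10,10.2.0.9,5432,tcp,1200
10.1.0.11,10.2.0.40,443,tcp,5012
"""

# Hypothetical allow-list: (src_class, dst_class, proto, port). Default deny.
POLICY = {
    ("workstation", "finance_app", "tcp", 443),
    ("finance_app", "finance_db", "tcp", 5432),
    ("surveillance_camera", "video_recorder", "tcp", 554),
    ("conference_camera", "collab_server", "tcp", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the CSV-style flow records into Flow objects (bytes column dropped)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, _size = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def classify(ip):
    """Map an address to its device class; anything not inventoried is 'unknown'."""
    return INVENTORY.get(ip, ("unknown", "unknown"))[0]


def baseline(flows):
    """Traffic context: (src_class, dst_class) -> set of (proto, port) observed."""
    matrix = defaultdict(set)
    for f in flows:
        matrix[(classify(f.src), classify(f.dst))].add((f.proto, f.dport))
    return dict(matrix)


def simulate(flows, policy):
    """Dry run: split observed flows into those the policy allows and those it would block."""
    allowed, blocked = [], []
    for f in flows:
        key = (classify(f.src), classify(f.dst), f.proto, f.dport)
        (allowed if key in policy else blocked).append(f)
    return allowed, blocked


def impact_report(flows, policy):
    """Summarize what enforcing the policy would change, for review before rollout."""
    allowed, blocked = simulate(flows, policy)
    lines = [f"{len(allowed)} observed flows allowed, {len(blocked)} would be blocked:"]
    for f in blocked:
        lines.append(f"  {classify(f.src)} {f.src} -> {classify(f.dst)} {f.dst} "
                     f"{f.proto}/{f.dport}  (add a rule, or confirm this should stop)")
    return "\n".join(lines)


if __name__ == "__main__":
    observed = parse_flows(FLOW_LOG)
    for pair, services in sorted(baseline(observed).items()):
        print(f"{pair[0]} -> {pair[1]}: {sorted(services)}")
    print(impact_report(observed, POLICY))
```

Running it shows the iterative loop the article describes: the workstation-to-collab_server flow is a legitimate connection the draft policy forgot, so a rule gets added, while the camera and workstation reaching the finance database directly are exactly the lateral paths segmentation is meant to close. In practice the flow records would come from switch, firewall or cloud flow logs and the inventory from whatever device discovery the organization already has.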

Today’s CISO doesn’t have an easy job. They are grappling with how to get a handle on a growing number of cybersecurity threats, as well as reduce overall risk and meet compliance mandates. The network segmentation technologies of tomorrow might help address those pain points and reduce the scope of an attack. Data breaches are unfortunately a matter of when, not if, for all companies. With that in mind, it is more important than ever to focus on finding new ways to innovate and limit the risk and scope of damage an attack might pose. 
