
Why segmentation works and how to scale past the data center

Cyber Bob , Principal Security Engineer and CTO at Forescout | November 20, 2019

Have you ever been asked to look around and introduce yourself to the people surrounding you? As you look, you’ll notice that your own business is just like the people around you: everyone has a common problem. Your business is segmented and organized by function, but your IT infrastructure, and the accelerating cross-communication it carries, is not. Each of these organizations within the primary business, while supporting the others, has entirely different objectives and requirements for its data, and this applies equally to proper network segmentation.

There are some basic requirements that persist:

  1. Encryption at rest and in transit
  2. Limited access
  3. Levels of sensitivity – the more data you have, the more sensitive its nature becomes
  4. Over-arching regulatory requirements impacting multiple business units
  5. People interacting with data

Each business unit has a data owner. This rolls up to the senior executive and board.

Don’t think that segmentation is easy, whether it’s for your business alignment, data, or network. Segmentation means enforcing rules, and there will be political, operational, and technical considerations throughout this entire process, and everyone must be ready to adapt to changes. Business markets, business acquisitions, business adjustments, technical maturity: all of these will cause changes to your path forward. So, you are going to require the best network, endpoint, and security visibility. MANY data sources need to consolidate and align, but more on this later. Let’s continue getting you ready for network segmentation.

Do you have the priorities aligned with your internal customer?

Let’s do this first:

  1. Has the data owner actually worked with the CIO to define their data priorities?
    1. What types of data are you managing? People, financial, intellectual, customer or process? (or many other types of data)
    2. Are there specific requirements for the protection of this data? Always align with legal counsel to ensure regulation compliance on top of the customer’s required rules.
  2. What people groups within the business unit can help define sub-data managers?
    1. Is there a delegate to help with the process as you move forward? This will be iterative and will need refinement over time.

Defining priorities can help set service levels and access. Talking with your internal customer will be key to answering these questions:

  1. What happens if you cannot access the data for 1 hour? 24 hours? 3 days?
  2. Are there times of the month or external factors that will change this priority?
  3. What is the hourly cost of lost access?

This will define a better escalation point and understanding for critical operation times, as well as provide insight into what information can be reported back to your customer and when. Align with a great dashboard so they can understand it in the context of their business. A critical factor here is making this data as real-time as possible and future-proofing for planned and unplanned outages.

Now, how do you move segmentation out of the data center? Many types of network segmentation are available, including:

  1. Agent-based (or host-based)
  2. Network-based (tag, VLAN, ACL, firewall)

What is best for you?

In reality, most IT environments will leverage some of each.

The challenge is that every vendor will come in and say that Zero Trust can only be done one way. That is NOT TRUE. As a matter of fact, Zero Trust MUST leverage multiple methods to work, especially for scale and ease of operations, and to keep costs associated with network segmentation down.

You’ll hear from vendors that their zone technology, aligned with your managed endpoint, is the best cross-functional practice and that it aligns with ONLY one type of authorization.

This is also NOT TRUE.

Your network, just like your business, is diverse. Therefore, you MUST have multiple tools to accomplish your goals. The best path forward is to have immersive visibility. You will need context of multiple facets to ensure accurate network segmentation.

  1. Network context: What is the port? What is the Wireless SSID? What is the supported configuration? What are the requirements to actually apply the segment type?
  2. Endpoint context: What services is the endpoint using as a client? What services are required for operations that might be used once a day, once a week? Once a month? Once a quarter? If the endpoint is a server, which endpoints are connecting? Which services are used? Are there special requirements for bandwidth or class of service?
  3. Security context: Is the data path secure? Should the route for this particular service or data type be secure/encrypted if required? Or is there encapsulation built into the network services? Is there a secondary encryption requirement to mitigate data leakage due to insider threats? What security technology is in the data path?

So, speaking from a vendor’s perspective, what’s the truth? You must still have one management console to help you make the automatic decisions in order for the network segmentation to provide you complete visibility AND control.

Trust me when I say this – it is not the vendors delivering your network. Or even the vendors delivering your security gateway/firewall. These vendors are part of final delivery and are a part of the data path. What you need is an orchestrated solution that takes accurate information from your CMDB, the network, the security vendors, and the endpoint, and then delivers policy-based decisions on admission.

How can you achieve that?

  1. Define your Groups/Class of Devices. This should start with your business unit discussion.
    • Are there special one-off asset types?
    • Are there special users dealing with data?
    • Are there special requirements for access to types of data, like software agents or consoles, that could be part of the process of requesting access?
  2. Define your device groups. This will include some big groups like corporate-managed Windows devices and some small groups like video surveillance camera systems. Don’t forget your OT, IoT, and unmanaged asset types. This is actually where you will spend a lot of your time, classifying and using as many variables as possible. Not just SPAN or NetFlow data, but other active and passive means of data collection from as many sources as possible. The more clarity to the endpoint, the better.
    • Group unique devices
    • Group unique users
    • Identify overlap and elevation-of-privilege requirements
    • Identify authentication or manual override strategy
    • Test, test, test!
    • Share real-time KPIs on dashboards to show the endpoint gaps in data and its accuracy
  3. Find out which controls can be applied in specific places on the network.
    • Does the switch support VLAN re-assignment? Which methods would work well?
    • Does the upstream distribution (firewall or router) support additive methods for network segmentation?
    • What kind of verification could be enforced to ensure segmentation is still applied post-connection?
      • Which methods can allow changes in the case of out-of-compliance status post-connection?
    • Which dashboards can report to the customer whether their data/segmentation is healthy?
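As an added example (not Forescout’s code or product logic), here is a small Python policy engine in the spirit of the three context types and the steps above: it merges constructed CMDB, network-port and passively observed endpoint context into a device group, defaults anything unknown or contradictory to the quarantine bucket, chooses VLAN re-assignment or an upstream ACL depending on what the port supports, and re-quarantines on a failed post-connection compliance check. The group names, services, VLAN numbers, ACL names and sample endpoints are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

QUARANTINE = "quarantine"  # the default "one big bucket" for anything unknown or non-compliant
QUARANTINE_CONTROL = {"vlan": 999, "acl": "quarantine-only"}  # assumed values

# Hypothetical device groups: the services each is expected to use and the control to apply.
GROUPS = {
    "corp-windows": {"services": {"smb", "ldap", "https"}, "vlan": 100, "acl": "corp-users"},
    "camera":       {"services": {"rtsp", "https"},        "vlan": 300, "acl": "iot-video-only"},
}

@dataclass
class Endpoint:
    mac: str
    cmdb_class: Optional[str]           # CMDB record; None if the asset is unmanaged/unknown
    supports_vlan_reassign: bool        # network context: can the access port be re-assigned?
    observed_services: Set[str] = field(default_factory=set)  # passive discovery (SPAN/NetFlow)
    agent_compliant: Optional[bool] = None  # host-based context; None when no agent is installed

def classify(ep: Endpoint) -> str:
    """Merge CMDB and endpoint context into a group; anything ambiguous goes to quarantine."""
    if ep.cmdb_class in GROUPS:
        # The CMDB record must be corroborated by what the device actually does:
        # a "camera" seen speaking SMB does not get the camera segment.
        return ep.cmdb_class if ep.observed_services <= GROUPS[ep.cmdb_class]["services"] else QUARANTINE
    # No CMDB record: infer from observed traffic only if exactly one group matches.
    matches = [g for g, spec in GROUPS.items()
               if ep.observed_services and ep.observed_services <= spec["services"]]
    return matches[0] if len(matches) == 1 else QUARANTINE

def decide(ep: Endpoint) -> dict:
    """Pick the control for this endpoint: VLAN re-assignment where the port supports it,
    otherwise an upstream ACL. A failed post-connection compliance check re-quarantines."""
    group = QUARANTINE if ep.agent_compliant is False else classify(ep)
    spec = GROUPS.get(group, QUARANTINE_CONTROL)
    if ep.supports_vlan_reassign:
        return {"mac": ep.mac, "group": group, "control": "vlan", "value": spec["vlan"]}
    return {"mac": ep.mac, "group": group, "control": "acl", "value": spec["acl"]}

# Constructed sample endpoints (not real data).
SAMPLE = [
    Endpoint("00:11:22:33:44:01", "corp-windows", True, {"smb", "https"}, agent_compliant=True),
    Endpoint("00:11:22:33:44:02", "camera", False, {"rtsp"}),            # port cannot re-assign VLAN
    Endpoint("00:11:22:33:44:03", "camera", True, {"rtsp", "smb"}),      # CMDB says camera, traffic says no
    Endpoint("00:11:22:33:44:04", None, True, {"https"}),                # unknown and ambiguous
    Endpoint("00:11:22:33:44:05", "corp-windows", True, {"ldap"}, agent_compliant=False),
]
```

Running `decide` over `SAMPLE` shows the first endpoint landing in VLAN 100, the camera on the non-reassignable port getting the ACL instead, and the remaining three falling into quarantine for three different reasons.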

And then… crawl, walk, and run

Not all of this can be done easily or at once – organizational shifts take time. People need to understand that something is happening. Tech teams have to adjust to the new process and verify their priorities, as well as available technology. Escalation paths for customer interactions with tech teams have to be tested and strongly communicated.

Start with quarantine, or one big bucket for the largest device and user groups. Do this at one location, expanding the “sterile” segment. Then add another method, and another group. Migrate this to a multi-site segment, then add multiple groups. Add the control and segmentation methods as you go.

All of this MUST be:

  1. Highly visible
  2. Easily traced

Use many methods for visual aids to ensure that the service requirements for users and devices are being delivered. Present dashboards showing that each business requirement and the methods segmenting its data/devices/users are up and the rules are now enforced. Showcase exceptions, positive or negative. Give all of this back to the data owners. You can even show them how their own people are being held accountable to align with the new processes. Establish KPIs and evolve them as the technology and segmentation change.

All of this actually comes from experience. I have worked with very large and successful organizations. Reach out to me, and I will connect you with those customers and let them show you the road of sensible network segmentation ahead, since it has already been paved for you.