Why segmentation works and how to scale past the data center

Cyber Bob | November 20, 2019
Have you ever been asked to look around the room and introduce yourself to the people next to you? If you do, you will notice that your business looks a lot like theirs. Everyone shares a common problem: the business is segmented and organized by function, but the IT infrastructure, and the accelerating cross-communication that runs over it, is not. Each organization within the business supports the others, yet each has entirely different objectives and requirements for its data, and that carries straight through to proper network segmentation.
There are some basic requirements that persist:
Each business unit has a data owner, and that ownership rolls up to the senior executive and the board.
Don’t think that segmentation is easy, whether it is your business alignment, your data, or your network that is being segmented. Segmentation means enforcing rules, and there will be political, operational, and technical considerations throughout the process, so everyone must be ready to adapt to change. Market shifts, acquisitions, business adjustments, and technical maturity will all alter your path forward. So you are going to need the best network, endpoint, and security visibility you can get. MANY data sources need to be consolidated and aligned, but more on that later. Let’s continue getting you ready for network segmentation.
Do you have the priorities aligned with your internal customer?
Let’s do this first:
Defining priorities helps set service levels and access. Talking with your internal customer is the key to answering those questions:
This will define a better escalation point and an understanding of critical operating windows, and it will show what information can be reported back to your customer and when. Present it in a dashboard they can read in the context of their business. A critical factor here is making this data as close to real time as possible and future-proofing it for planned and unplanned outages.
Now, how do you move segmentation out of the data center? Many types of network segmentation are available, including:
What is best for you?
In reality, most IT environments will leverage some of each.
The challenge is that every vendor will come in and say that Zero Trust can only be done one way. That is NOT TRUE. As a matter of fact, Zero Trust MUST leverage multiple methods to work, especially for scale, ease of operations, and keeping the cost of network segmentation down.
You’ll hear from vendors that their zone technology, aligned with your managed endpoint, is the best cross-functional practice and that it should be tied to ONLY one type of authorization.
This is also NOT TRUE.
Your network, just like your business, is diverse. Therefore, you MUST have multiple tools to accomplish your goals. The best path forward is to have immersive visibility. You will need context of multiple facets to ensure accurate network segmentation.
So, speaking from a vendor’s perspective, what’s the truth? You still need one management console that makes the automated decisions, so that network segmentation gives you complete visibility AND control.
Trust me when I say this: the vendors delivering your network are not the whole answer, and neither are the vendors delivering your security gateway or firewall. These vendors are part of the final delivery and sit in the data path. What you need is an orchestrated solution that takes accurate information from your CMDB, the network, the security vendors, and the endpoint, and then delivers policy-based decisions on admission.
How can you achieve that?
And then… crawl, walk, and run
Not all of this can be done easily or at once – organizational shifts take time. People need to understand that something is happening. Tech teams have to adjust to the new process and verify their priorities, as well as available technology. Escalation paths for customer interactions with tech teams have to be tested and strongly communicated.
Start with quarantine: one big bucket for the largest device and user groups. Do this at one location, expanding the “sterile” segment. Then add another method and another group. Migrate this to a multi-site segment, then add more groups. Add control and segmentation methods as you go.
All of this MUST be:
Use many kinds of visual aids to show that the service requirements for users and devices are being met. Present dashboards showing, for each business requirement, that the methods segmenting its data, devices, and users are up and that the rules are now enforced. Showcase exceptions, positive or negative. Give all of this back to the data owners. You can even show them how their own people are being held accountable to the new processes. Establish KPIs and evolve them as the technology and segmentation change.
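To make the orchestration idea concrete (one decision point fed by the CMDB, the endpoint posture feed, the network session and the security alert feed, defaulting everything unknown into the crawl-phase quarantine bucket, and reporting exceptions back per data owner), here is an added example in Python. It is not code from the original post or from any vendor product. The MAC addresses, CMDB records, posture records, alert list and the per-site VLAN plan are all constructed for the example, and the enforcement method names (802.1X dynamic VLAN for managed endpoints, MAC-based VLAN or ACL for IoT and quarantine) are assumptions about how such a plan might be delivered, not a description of any particular product.

```python
from dataclasses import dataclass

# Constructed sample feeds standing in for the data sources the post names:
# a CMDB export, an endpoint-management posture feed, and a security-vendor
# alert feed. Network context (site, 802.1X result) arrives with the session.
# Keys are MAC addresses; every value here is made up for this example.
CMDB = {
    "00:11:22:33:44:01": {"owner": "finance", "asset_class": "workstation"},
    "00:11:22:33:44:02": {"owner": "engineering", "asset_class": "workstation"},
    "00:11:22:33:44:03": {"owner": "facilities", "asset_class": "iot"},
    "00:11:22:33:44:04": {"owner": "facilities", "asset_class": "iot"},
}
ENDPOINT = {  # only managed endpoints report posture
    "00:11:22:33:44:01": {"managed": True, "compliant": True},
    "00:11:22:33:44:02": {"managed": True, "compliant": False},
}
SECURITY_ALERTS = {"00:11:22:33:44:03"}  # MACs with an active alert

# Hypothetical per-site segment plan (VLAN IDs). Business-unit segments are
# delivered by 802.1X dynamic VLAN assignment; IoT and quarantine by MAC-based
# VLAN/ACL, because those devices cannot run a supplicant or an agent.
SEGMENTS = {
    "hq": {"quarantine": 999, "iot": 200, "finance": 110, "engineering": 120},
    "branch": {"quarantine": 999, "iot": 200, "finance": 310, "engineering": 320},
}

@dataclass
class Session:
    mac: str
    site: str
    dot1x_authenticated: bool  # result reported by the switch / RADIUS

@dataclass
class Decision:
    segment: str
    vlan: int
    method: str  # how this segment is enforced on the wire
    reason: str

def decide(session: Session) -> Decision:
    """Policy-based admission: rules run in priority order, and anything the
    sources cannot vouch for lands in quarantine (the crawl-phase 'one big bucket')."""
    plan = SEGMENTS.get(session.site)
    if plan is None:  # site not yet onboarded to the rollout
        return Decision("unsegmented", 0, "none", f"site {session.site} not in rollout")
    quarantine = plan["quarantine"]
    asset = CMDB.get(session.mac)
    posture = ENDPOINT.get(session.mac)

    if session.mac in SECURITY_ALERTS:
        return Decision("quarantine", quarantine, "mac-vlan", "active security alert")
    if asset is None:
        return Decision("quarantine", quarantine, "mac-vlan", "not in CMDB")
    if asset["asset_class"] == "iot":
        return Decision("iot", plan["iot"], "mac-acl", "CMDB asset class iot")
    if not session.dot1x_authenticated or posture is None or not posture["managed"]:
        return Decision("quarantine", quarantine, "mac-vlan", "unmanaged or not authenticated")
    if not posture["compliant"]:
        return Decision("quarantine", quarantine, "dot1x-vlan", "posture non-compliant")
    owner = asset["owner"]
    if owner not in plan:
        return Decision("quarantine", quarantine, "dot1x-vlan", f"no {owner} segment at {session.site}")
    return Decision(owner, plan[owner], "dot1x-vlan", "managed, compliant, owner segment")

def owner_report(sessions):
    """Per-data-owner summary for the dashboards: how many of their devices
    were seen and which ones are exceptions (anything left in quarantine or
    on a site not yet under enforcement)."""
    report = {}
    for s in sessions:
        d = decide(s)
        owner = CMDB.get(s.mac, {}).get("owner", "unknown")
        entry = report.setdefault(owner, {"total": 0, "exceptions": []})
        entry["total"] += 1
        if d.segment in ("quarantine", "unsegmented"):
            entry["exceptions"].append((s.mac, d.segment, d.reason))
    return report

if __name__ == "__main__":
    sample = [
        Session("00:11:22:33:44:01", "hq", True),
        Session("00:11:22:33:44:02", "branch", True),
        Session("00:11:22:33:44:03", "hq", False),
        Session("00:11:22:33:44:04", "hq", False),
        Session("aa:bb:cc:dd:ee:ff", "hq", False),
    ]
    for s in sample:
        print(s.mac, s.site, decide(s))
    for owner, entry in owner_report(sample).items():
        print(owner, entry)
```

The ordering of the rules is the point: a live alert or an unknown device is decided before any posture or ownership data is consulted, so a gap in the CMDB or the endpoint agent can only ever make a device less trusted, never more. Adding a site means adding one entry to the plan, and adding a new enforcement method means adding one rule, which is the "add the control and segmentation methods as you go" step in miniature.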
All of this actually comes from experience. I have worked with very large and successful organizations. Reach out to me and I will connect you with those customers so they can show you the road of sensible network segmentation ahead, since it has already been paved for you.