Date: 2022-10-07

If a burglar breaks into your house, wouldn’t it be better if they only had access to a small part of it—maybe just the corner of the basement that holds your Best Sportsmanship trophy?

That’s the idea behind segmented networks: walled-off areas—separated by firewalls, access controls, and authentication hurdles—to protect important assets…like way cooler trophies.

As enthusiasm for zero-trust architecture continues and attackers increasingly rely on lateral movement, more organizations are taking on network-segmentation projects. A number of technologies support segmentation, but the start of the implementation process calls for less technical, more data-specific decisions: working out which assets belong behind which gates.

“You don’t need someone accessing payroll, confidential taxes, and personal information on the same server or network by which they’re also coming in to look at publicly available information that’s on your annual report. Separate it,” Michael Orozco, managing director and advisory services leader at MorganFranklin Consulting, told IT Brew.

Segmentation appreciation. Andy Richter, senior solutions architect at Presidio, told IT Brew that he receives network-segmentation inquiries almost every day. “Every client is looking for this kind of effort,” he said.

That effort could include a variety of technologies. Network access control (NAC) enforces segmentation at the user-access edge, deciding what a device can reach at the point where it joins the network. Agent-based (host-based) segmentation runs on the servers themselves, giving visibility into data-center traffic and into who is accessing which server resources.

Orozco sees a “significant” uptick in segmentation. “It’s because it’s proven to be much more successful in lowering the cost of a breach,” Orozco told IT Brew. (That cost, by the way: $4.35 million in 2022, according to a report from IBM.)

After gaining initial access, an attacker typically escalates privileges and moves laterally (“east/west”) across the network in search of sensitive data and other high-value assets. (Just weeks ago, “Royal” ransomware spread laterally through a victim’s Windows domain, stealing and then encrypting data.)

A segmented network gives the intruder only so much room to move.

“We can make an assumption at some point that an adversary is gonna get on a laptop. Why should they be able to move to your production, database tier environment and have access?” said Rick McElroy, principal cybersecurity strategist at VMware Carbon Black.
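What “only so much room to move” looks like in practice is a default-deny policy between zones, with a short allow-list for the flows the business actually needs. The script below is an added example written for this article, not code from IT Brew or from any of the vendors quoted; the zone names, CIDRs, ports and flow records are all constructed for illustration. It groups addresses into a workstation zone, an application tier and a database tier, permits only workstations→app on 443 and app→db on 5432, and then checks constructed flow records for anything crossing a wall it should not, such as a laptop talking straight to the database tier.

```python
"""
Zone-based segmentation policy check over flow records.

Added example; not code from the article or from any vendor it quotes.
Zone CIDRs, allowed ports and the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Zones grouped by sensitivity (assumed RFC 1918 ranges): user endpoints,
# the application tier they may reach, and the database tier that only
# the application tier may reach.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),
    "db_tier": ipaddress.ip_network("10.30.0.0/24"),
}

# Allow-list: (source zone, destination zone) -> permitted destination ports.
# Any zone pair not listed is denied; that default-deny stance is what
# actually limits lateral movement.
POLICY = {
    ("workstations", "app_tier"): {443},
    ("app_tier", "db_tier"): {5432},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    """Decide a single flow against the zone allow-list."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False  # unclassified address: deny rather than guess a zone
    if src_zone == dst_zone:
        return True  # intra-zone traffic is out of scope for this check
    return flow.dport in POLICY.get((src_zone, dst_zone), set())


def parse_flow(line: str) -> Flow:
    """Parse a constructed record of the form '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def find_violations(lines: List[str]) -> List[Flow]:
    """Return every flow that the segmentation policy would not permit."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


# Constructed flow records: two legitimate flows, then a laptop reaching
# straight into the database tier (twice) and an app server trying SSH to it.
SAMPLE_FLOWS = [
    "10.10.4.21 10.20.0.5 443",
    "10.20.0.5 10.30.0.9 5432",
    "10.10.4.21 10.30.0.9 5432",
    "10.10.4.21 10.30.0.9 3389",
    "10.20.0.5 10.30.0.9 22",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"DENY {v.src} ({zone_of(v.src)}) -> "
              f"{v.dst} ({zone_of(v.dst)}):{v.dport}")
```

Run as-is it reports the last three flows as denied. The same zone table and allow-list can be fed to a host firewall or NAC policy; keeping it as data makes the governance question (“who needs to reach what?”) answerable before any enforcement technology is chosen.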

But first…governance! Group by likeness and sensitivity, according to Orozco: put the data most employees need together, and move sensitive data, like personally identifiable information and trade secrets, into its own distinctly segmented network.

Determining business risk based on where data sits, what it connects to internally, and who can reach it, however, may require more than just the network architects.

“It is very important to closely work with privacy and risk management teams in the organization,” said Rajpreet Kaur, research director at Gartner.

While companies may say they want to begin segmenting, many don’t necessarily want to invest in the people and processes that support a structure that articulates specific access needs, according to Richter. He told IT Brew:

“There is a cost to establishing that level of governance, even before you get into technology.”—BH