In today’s world we expect flexibility without compromising security. We may need a crossover with “stow and go” seats and underfloor storage so we can turn it into a van, but we don’t expect its safety rating to drop when we change the configuration. We may need a work space that can be reconfigured into cubicles, team rooms, quiet zones, and work cafes, but we assume worker safety regardless of the configuration.
So what happens when we apply a similar mindset to our business? Building new digital processes, moving equipment around, deploying a new application, acquiring another organization, or closing facilities shouldn’t make us more vulnerable to attacks. But it can. Organizations are struggling to identify, contain, and respond resiliently to cyber attacks while at the same time supporting increased business innovation and change. Being able to build new digital processes and adapt to other business changes securely is what we should expect, and require, for success.
For many years we’ve relied on network segmentation to isolate different parts of the network, using firewalls and virtual local area networks (VLANs) to mitigate the risk of attacks. But this approach lacks the flexibility to respond to changing business requirements. To overcome this limitation we add exceptions to the firewall to allow new connections, which erodes the control the firewall was designed to provide and produces increasingly complex rule sets that are hard to manage. As a result, many organizations have retreated from segmentation, using it only in a few select areas of their network where it is required for compliance reasons such as PCI DSS.
To compensate for the lack of flexibility inherent in network segmentation, we need a model that lets us think about segmentation independently of the underlying technology. This requires that we step back and take a new, strategic approach to segmentation that begins by asking: what is the ultimate business goal, what is the digital model to achieve it, and what are the requirements for protection? This allows us to think about segmentation more holistically, including data, user, application, and business process considerations.
So how do we go about this? To develop your segmentation strategy you need to look at both your specific business goals and your risk landscape. A framework that considers identity and trust, visibility, policy enforcement, availability, and resiliency will allow you to move beyond the network layer. Let’s look at how this approach plays out in the healthcare industry, a highly regulated sector recently targeted by destructive malware and ransomware, subject to compliance mandates, and grappling with an evolving technology landscape.
Hospitals need to protect clinical data and devices from the general hospital and patient population that also has access to the network. But the environment in which they operate is extremely complex. Equipment moves around; an array of devices connect to the network; patients and caregivers need network access; electronic medical records must be protected; campuses and regional clinics need to be connected; and new and acquired facilities must be added while other facilities may be closing. You need to start by understanding all the systems on the network that generate data and the various individuals who need to communicate with and have access to that data. From there you can assign access permissions based on hospital policies and compliance mandates. With levels of trust established you can apply policy enforcement, not just in the network but also within systems and applications.
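The hospital process above (inventory the systems and the people who need them, assign access by role and trust, then enforce) can be written down as a policy model that does not depend on VLANs or IP ranges. The following is an added example, not code from the original post or any vendor product; the asset names, role labels, trust tiers and policies are constructed sample data for illustration. Decisions are made on the role label, so an infusion pump wheeled onto the guest Wi-Fi subnet stays protected and two EMR servers in different data centres are governed by the same rule.

```python
"""Added example: a technology-neutral segmentation policy model.

Assets carry a role label; policy is an explicit allow list between roles;
anything not listed is denied. The inventory and policies are constructed
sample data, not taken from any real hospital environment.
"""
import ipaddress
from dataclasses import dataclass

# Trust tier per role (higher = more sensitive). Constructed values.
ROLE_TRUST = {
    "guest": 0,
    "internet": 0,
    "caregiver-workstation": 2,
    "clinical-device": 3,
    "emr": 3,
}


@dataclass(frozen=True)
class Asset:
    name: str
    role: str   # the label policy is written against
    ip: str     # where the asset happens to sit today; never used for decisions


@dataclass(frozen=True)
class Policy:
    src_role: str
    dst_role: str
    services: frozenset  # e.g. frozenset({"https", "hl7"})


# Constructed inventory. pump-17 has been moved onto the guest Wi-Fi subnet and
# the two EMR servers live in different data centres; neither fact changes the
# policy outcome because decisions are made on roles, not addresses.
INVENTORY = {
    "emr-01": Asset("emr-01", "emr", "10.10.5.21"),
    "emr-02": Asset("emr-02", "emr", "10.30.8.7"),
    "pump-17": Asset("pump-17", "clinical-device", "192.168.40.12"),
    "ws-nurse-3": Asset("ws-nurse-3", "caregiver-workstation", "10.10.7.44"),
    "guest-phone": Asset("guest-phone", "guest", "192.168.40.90"),
    "internet": Asset("internet", "internet", "0.0.0.0"),
}

# Explicit allow list between roles; everything else is denied.
POLICIES = [
    Policy("caregiver-workstation", "emr", frozenset({"https"})),
    Policy("clinical-device", "emr", frozenset({"hl7"})),
    Policy("guest", "internet", frozenset({"https", "dns"})),
]


def evaluate(src, dst, service, inventory=INVENTORY, policies=POLICIES):
    """Default-deny decision for one flow. Returns (allowed, reason)."""
    s, d = inventory.get(src), inventory.get(dst)
    if s is None or d is None:
        # An unlabelled asset is a visibility gap, not an implicit allow.
        return False, "unknown asset"
    matched = False
    allowed = set()
    for p in policies:
        if p.src_role == s.role and p.dst_role == d.role:
            matched = True
            allowed |= p.services
    if not matched:
        return False, f"no policy {s.role}->{d.role}"
    if service in allowed:
        return True, f"{s.role}->{d.role}:{service}"
    return False, f"service {service} not permitted {s.role}->{d.role}"


def shares_subnet(a, b, prefix=24, inventory=INVENTORY):
    """True when two assets currently sit in the same /prefix network."""
    na = ipaddress.ip_network(f"{inventory[a].ip}/{prefix}", strict=False)
    nb = ipaddress.ip_network(f"{inventory[b].ip}/{prefix}", strict=False)
    return na == nb


def cross_tier_policies(policies=POLICIES, role_trust=ROLE_TRUST):
    """Policies that let a lower-trust role reach a higher-trust one; these
    are the rules a business owner should explicitly sign off on and review."""
    return [p for p in policies if role_trust[p.src_role] < role_trust[p.dst_role]]


def audit(flows, **kw):
    """Run observed (src, dst, service) tuples through the policy and return
    the denied ones with reasons."""
    denied = []
    for src, dst, service in flows:
        ok, reason = evaluate(src, dst, service, **kw)
        if not ok:
            denied.append(((src, dst, service), reason))
    return denied


if __name__ == "__main__":
    # Constructed sample of observed flows.
    observed = [
        ("ws-nurse-3", "emr-01", "https"),
        ("pump-17", "emr-02", "hl7"),
        ("guest-phone", "pump-17", "http"),
        ("ws-nurse-3", "emr-01", "ssh"),
        ("unlabelled-box", "emr-01", "https"),
    ]
    print("guest-phone and pump-17 share a /24:", shares_subnet("guest-phone", "pump-17"))
    for flow, reason in audit(observed):
        print("DENY", flow, reason)
    print("policies crossing trust tiers:", cross_tier_policies())
```

Note that the guest phone and the infusion pump share a subnet, which is exactly the situation where a VLAN-only design offers no protection; the role-based policy still denies the flow. The `cross_tier_policies` check surfaces the rules that deliberately let a lower-trust role reach a higher-trust one, which are the ones business owners should review rather than letting them accumulate as firewall exceptions.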
Organizations in other industries need to follow a similar process, but the key considerations vary by industry. Financial services firms segment their business by product and by environment (branches and data centers), allowing communication and access to systems and data while limiting an attacker’s ability to move laterally across the institution. Manufacturers and utilities must consider how they isolate their operational technology (OT) networks from their IT networks, balancing availability and reliability against system integrity.
In each of these examples, defining a strategic approach to segmentation begins by looking at the business in a way that transcends a particular technology, environment, or even process. Business leaders must engage with IT to help define the requirements, and when it comes time to implement segmentation they need to share their understanding of data flows, users, and business processes so that technology is applied in a way that makes sense for that business. IT teams can then combine technologies such as micro-segmentation, firewalls, virtualization, application visibility, and encryption to provide differentiated controls based on the criticality of systems and data and on who needs access to what, extending segmentation beyond the network.
Taking a strategic approach to segmentation that adapts to change isn’t as easy as folding away seats to convert your crossover to a van, or even moving around office furniture and partitions to create an impromptu meeting space. But by aligning your segmentation strategy to your business objectives you can be prepared to respond quickly to the needs of the business while reducing risk and protecting data and applications.