Network Segmentation and Its Unintended Complexity
Blog Article Published: 12/03/2015
By Kevin Beaver, Guest Blogger, Lancope

Look at the big security regulations, e.g. PCI DSS, and any of the long-standing security principles and you'll see that network segmentation plays a critical role in how we manage information risks today. The premise is simple: you determine where your sensitive information and systems are located, you segment them off onto an area of the network that only those with a business need can access, and everything stays in check. Or does it?

When you get down to specific implementations and business needs, that's where complexity comes into the picture. For instance, it may be possible to segment off critical parts of the network on paper, but when you consider variables such as protocols in use, web services links, remote access connections and the like, you inevitably come across distinct openings in what was considered to be a truly cordoned-off environment.

I see this all the time in my work performing security assessments. The network diagram shows one thing, yet the vulnerability scanners and manual analysis paint a different picture. Digging in further and simply asking questions such as the following highlights what's really going on:
- How are servers, databases and applications designed to communicate with one another?
- Who can really access the segmented environment? How does that access take place?
- What areas of the original system had to be changed to accommodate a technical or business need?
- What information is being gathered across the network segment in terms of network and security analytics and what is that information really telling us?
- What else are we forgetting?
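One concrete way to answer the access and analytics questions above is to compare the segmentation policy as it is drawn on the diagram against the flows the network actually carries. The script below is an added example written for this article, not code from the author or from Lancope: the zone names, CIDRs, the allowed-flow policy and the flow records are all constructed stand-ins for a real flow export, and `find_policy_gaps` reports every cross-zone flow that the policy does not account for, which is exactly the kind of "distinct opening" the assessment turns up.

```python
"""
Segmentation drift check: compare the segmentation policy as drawn
(allowed zone-to-zone flows) against flows actually observed on the network.

Added example, not from the original article. Zone names, CIDRs, the
policy and the flow records are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Zones as the network diagram describes them (constructed values).
ZONES = {
    "cardholder": ipaddress.ip_network("10.10.0.0/24"),
    "corp":       ipaddress.ip_network("10.20.0.0/16"),
    "dmz":        ipaddress.ip_network("192.0.2.0/24"),
    "vpn":        ipaddress.ip_network("10.99.0.0/24"),
}

# The segmentation policy "on paper": (src_zone, dst_zone, proto, dst_port).
# Anything not listed here is expected to be blocked at the boundary.
ALLOWED = {
    ("dmz", "cardholder", "tcp", 443),   # web tier -> payment API
    ("corp", "cardholder", "tcp", 22),   # jump host admin access
}


def zone_of(ip_str):
    """Map an address to its zone; anything outside the diagram is 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse a simplified flow record: 'src_ip dst_ip proto dst_port bytes'."""
    src, dst, proto, port, nbytes = line.split()
    return src, dst, proto.lower(), int(port), int(nbytes)


def find_policy_gaps(flow_lines):
    """Return observed cross-zone flows the policy does not allow,
    aggregated by (src_zone, dst_zone, proto, dst_port) with byte totals."""
    gaps = defaultdict(int)
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port, nbytes = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # intra-zone traffic is not a segmentation question
        key = (sz, dz, proto, port)
        if key not in ALLOWED:
            gaps[key] += nbytes
    return dict(gaps)


# Constructed flow records standing in for a NetFlow/IPFIX export.
SAMPLE_FLOWS = """
# src_ip      dst_ip       proto port bytes
192.0.2.10    10.10.0.5    tcp   443  48213
10.20.4.7     10.10.0.5    tcp   22   9120
10.20.4.7     10.10.0.5    tcp   445  1200
10.20.4.7     10.10.0.5    tcp   445  3300
10.99.0.12    10.10.0.9    tcp   3389 70211
10.10.0.5     10.10.0.9    tcp   1433 9999
10.10.0.5     198.51.100.7 tcp   80   512
""".strip().splitlines()

if __name__ == "__main__":
    for (sz, dz, proto, port), total in sorted(find_policy_gaps(SAMPLE_FLOWS).items()):
        print(f"NOT IN POLICY: {sz} -> {dz} {proto}/{port}  ({total} bytes)")
```

Run against the constructed records, the check flags three things the diagram never showed: SMB from the corporate network into the cardholder zone, RDP arriving through the VPN, and the cardholder zone talking outbound to an address that belongs to no zone at all. Each of those maps directly onto one of the questions above (how systems communicate, who really has access, and where the data leaves the segment), and a real deployment would feed it from the flow collector rather than an inline string.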