Posted on Feb 27th, 2017 by Yaniv Sazman

Network Segmentation Graphic

Today's enterprise network has a great deal with which to contend. Hundreds of change requests are processed by the security team each week, increasing the complexity and size of the underlying policy configurations. These changes span across complex and heterogeneous environments: multi-vendor, multi-technology platforms, physical networks, and hybrid cloud. At the same time, cybercrime is on the rise and the enterprise is no exception, requiring organizations to spend more time and money to secure their networks.

A powerful solution to all these challenges is network segmentation. As an accepted best practice and a common recommendation by IT experts and industry regulators, more organizations are adopting this practice. But when it comes to defining, implementing, and enforcing effective network segmentation, many organizations struggle. How can they guarantee the effectiveness of network segmentation in light of all the complexities of an enterprise network? Here are a few tips to help organizations design and maintain a strong network segmentation practice:

  • Understand the business needs and identify the most important components. For example, Finance or Human Resources typically need their own segment.
  • Define security zones based on network connectivity structure and business needs.
  • Determine who can access what data. If there's unnecessary access to a sensitive area in the network, block or restrict the access.
  • Document all allowed access and create a policy to enforce it.

To implement segmentation as a long-term project:

  • Monitor network traffic starting with the most sensitive segments of the network to determine what is normal and necessary for effective enforcement.
  • Once there is a clear picture of what is necessary, start blocking access in the firewall.
  • Separate the important assets/data by multiple layers within the network architecture, making it more difficult for a cybercriminal to gain unauthorized access to sensitive information.
  • Use firewalls within the data center as well as for traffic going to and from the datacenter.
  • Apply strong, effective policies on firewalls and apply the rule of least privilege: access should only be provided to the user or system that is absolutely needed and nothing else.
  • Perform internal audits more frequently to check if the recent firewall changes potentially compromise security.

Network segmentation is not a one-time job; the steps must be taken on an ongoing basis. The network changes all the time and new business requirements are a constant as well, so it's imperative to ensure that a change will not create a segmentation violation. Using the right automation tools ensures effective network segmentation to reduce the complexity and the time it takes to continuously manage network changes.

Tufin's Unified Security Policy (USP) provides a comprehensive matrix listing all the security zones in an environment and identifying which traffic is allowed between the zones. The USP provides control over actual versus desired network segmentation and highlights policy violations before a change is made on the network so as not to break compliance or expose the network to unnecessary risk.

Maintaining the desired network segmentation is a difficult task given the long and complex rule bases and constant influx of change requests in most organizations. The USP lets organizations centrally manage policy violations and exceptions to streamline operations with continuous compliance and risk management.

Don't let complexities stand in the way of a sound network segmentation practice. When done properly, it is a powerful tool that can help enterprises overcome the challenges of managing their networks.