Published February 15th, 2023 by Dan Rheault
We recently released the Security Policy Builder app on the Tufin Marketplace, which empowers any Tufin customer to easily analyze, auto-generate, and maintain their existing corporate network segmentation security policy. And even better, it’s a free tool.
This new app will be a game-changer for network security pros. Let’s review why, and how it can be used to implement an effective access control architecture across the network. But first, let’s discuss the value and objectives of network segmentation.
Why is network segmentation important?
Network segmentation is a critical aspect of network security. It means grouping the network into segments (zones) of hosts that share characteristics, and then controlling what can pass between them. For example, most organizations segment their PCI zone from the rest of the network to align with the PCI DSS, the standard maintained by the PCI Security Standards Council. Security pros may then further segment that PCI network into PCI Web, PCI App, and PCI Data zones, and specify which zone can reach which, and over what services. This type of segmentation is critical to demonstrating PCI compliance, and it is generally one of the easiest segmentation best practices to implement because it is prescriptive: only the corporate network should be able to communicate with the PCI zone, and the internet should never communicate directly with it.
OK, so how do you define network segments?
Let’s start from traditional network security best practices. Network segments are groups of IPs, subnets, or security groups that share characteristics. At the most basic level we might define segments for Internet, DMZ, and Internal. All public IP addresses, with the exception of your organization’s own public-facing addresses, make up the Internet zone; the DMZ zone is self-explanatory; and the corporate (Internal) zone is the remainder of your address pool and your clouds.
But simply defining a corporate zone isn’t sufficient for most organizations. There are regional compliance requirements; companies run proprietary systems with their own vulnerabilities, reachable only over specific services; and there may also be logical isolation between business functions (for example, accounting data should be accessible only to accounting, the CFO, and the CEO, to prevent leaks of material non-public information that could be used to manipulate the market or trade ahead of earnings).
In the cloud these segments are often expressed as security groups; on-premises they map to subnet ranges maintained in an IPAM or DDI (DNS, DHCP, and IPAM) solution. The IPAM often serves as the single source of truth for the network estate, while the cloud console holds the inventory of your virtual infrastructure. And these networks are usually classified by more than a naming convention: they carry one or more extensible attributes such as trust level, region, and business entity.
Fortunately, Tufin customers can already populate and maintain network segments automatically from DDI/IPAM data via Tufin’s IPAM Security Policy App, or establish and maintain them manually in SecureTrack, the base component of the Tufin Orchestration Suite.
If you’re still confused, you can watch a webinar I hosted that describes this in greater detail.
Beyond Zones… defining access-based security policy
Once network segments are defined, the security team defines what constitutes risky versus non-risky access between segments, and whether access should be granted at all. For technically prescriptive compliance models like PCI DSS and NERC CIP there is little to interpret; the work is mostly a documentation exercise.
However, corporate access-based security policy is probably the most challenging network segmentation model to define, implement, and maintain. Here’s why.
When I speak with customers about how they defined their access-based security policy, the answer often goes back “generations” of employees. The people who defined the initial policy are likely no longer with the company, and it has been handed down as tribal knowledge. When someone needs to review an access request to open new ports, it is often a matter of searching their memory for whether the requested access is appropriate and then making a call. When they move on, the next person takes the mantle, absorbs the access policy model as best they can, and makes their own judgements.
This is obviously not ideal. People leave their jobs, networks change, and the Word doc created seven years ago to document access security policy hasn’t changed since its initial draft. This is a very real cybersecurity problem. Security policy enforcement requires consistency and an immutable audit trail.
A new way to define access-based corporate security policy
Tufin’s Security Policy Builder app is the industry’s first network segmentation tool that enables security pros to easily analyze access between segments throughout the network (cloud and on-premises), to create a visual model, and – most importantly – to recommend a comprehensive access-based security policy based on the analysis of existing access and zones as well as industry leading best practices.
This means that all the historical decisions regarding access are translated into a risk framework purpose-designed for network segmentation, which security pros can evaluate, adjust, and implement within Tufin SecureChange.
Once deployed, any available access that is a violation of security policy is identified for disposition by network security (e.g. decertification, removal, designation as exception for tracking). Additionally, any new access request is assessed for risk not only based on accurate network segment data, but also the organization’s accurate access-based security policy.
The result is that security pros can effectively measure, manage, and maintain their corporate access-based security policy, minimizing the network’s attack surface and the resulting risk of breach.
Maintaining an effective security policy
There are three certainties in life, and one of them is change. Corporate networks will change. Businesses are acquired and merged, offices are opened, networks are expanded, and lines of business grow. Throughout all of these changes, the access you allow will change as well. For this reason, so too must your access-based security policy.
One of the most valuable aspects of the Security Policy Builder app is the ability to incrementally adjust your access-based security policy based upon the changes your security team has allowed over time. The app enables security pros to review access changes on an incremental basis and decide whether the existing security policy should be adjusted. Let’s consider an example.
Let’s say we open a manufacturing plant in the U.S. that uses newly introduced robotic systems to produce goods. These systems run home-grown software, and for them to be reached we need to allow RDP from our manufacturing user segment to the plant segment (and we expect to add more plants along the way). RDP is historically considered risky access, so it is not allowed across the network by default and each request is routed to security for review. But if we find that we have consistently approved this access every time it was requested between these two zones, it is likely not high-risk in that context; rather, it is access we would allow only between those zones. The adjustment should then be scoped to exactly that zone pair and service, not turned into a blanket RDP allowance.
Such incremental analysis keeps an access-based security policy accurate and effective: security pros can trust the access violations they receive from Tufin, and access requests are processed faster, which reduces risk and increases operational efficiency at the same time.
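To make the zone-and-policy model in this post concrete, here is an added example of my own (illustration only; it is neither Tufin code nor a description of how the Security Policy Builder app works internally). It defines zones as CIDR ranges, expresses the access-based security policy as the services allowed per zone pair, flags every firewall rule that opens access the policy does not permit, and then runs the incremental review from the plant example above: a zone pair and service that has been approved repeatedly and never denied becomes a candidate policy addition. All zone names, CIDRs, rules, services, and approval decisions are constructed for the example.

```python
"""Zone-based access policy check over firewall rules, plus an incremental
review of past access-request decisions.

Added example for illustration: not Tufin code and not how the Security
Policy Builder app works internally. Every zone, CIDR, rule, service and
decision below is constructed.
"""
import ipaddress
from collections import Counter
from itertools import product

# Network segments (constructed CIDRs). More specific zones may sit inside a
# broader one (the plant and manufacturing-user subnets live inside the
# corporate 10/8); longest-prefix match decides which zone an address is in.
# Anything that matches no zone is treated as the Internet zone.
ZONES = {
    "DMZ": ["203.0.113.0/24"],
    "Corporate": ["10.0.0.0/8"],
    "Manufacturing-Users": ["10.50.0.0/16"],
    "Plant-US-1": ["10.60.0.0/16"],
    "PCI-Web": ["172.16.10.0/24"],
    "PCI-App": ["172.16.20.0/24"],
    "PCI-Data": ["172.16.30.0/24"],
}
ZONE_NETS = [(name, ipaddress.ip_network(cidr))
             for name, cidrs in ZONES.items() for cidr in cidrs]

# Access-based security policy: services allowed from src zone to dst zone.
# Anything not listed here is a violation that needs disposition.
POLICY = {
    ("Internet", "DMZ"): {"tcp/443"},
    ("Corporate", "DMZ"): {"tcp/22", "tcp/443"},
    ("Corporate", "PCI-Web"): {"tcp/443"},
    ("PCI-Web", "PCI-App"): {"tcp/8443"},
    ("PCI-App", "PCI-Data"): {"tcp/5432"},
}

# Constructed permit rules as (source, destination, service).
RULES = [
    ("198.51.100.0/24", "203.0.113.10", "tcp/443"),   # partner range -> DMZ web
    ("10.20.0.5", "172.16.10.5", "tcp/443"),          # corporate host -> PCI web tier
    ("10.20.0.0/16", "172.16.30.0/24", "tcp/5432"),   # corporate straight to PCI data
    ("198.51.100.7", "172.16.10.5", "tcp/443"),       # internet host straight to PCI
    ("10.50.0.0/16", "10.60.0.0/16", "tcp/3389"),     # manufacturing users -> plant RDP
    ("10.0.0.0/8", "203.0.113.0/24", "tcp/22"),       # all of 10/8 -> DMZ SSH
]

# Constructed history of access-request decisions:
# (src zone, dst zone, service, decision).
DECISIONS = [("Manufacturing-Users", "Plant-US-1", "tcp/3389", "approved")] * 4 + [
    ("Corporate", "PCI-Data", "tcp/5432", "approved"),
    ("Corporate", "PCI-Data", "tcp/5432", "denied"),
    ("Corporate", "PCI-Data", "tcp/5432", "approved"),
    ("Corporate", "PCI-Web", "tcp/22", "approved"),
]


def zone_of(addr):
    """Zone of a host or CIDR by longest-prefix match; 'Internet' if none contains it."""
    net = ipaddress.ip_network(addr, strict=False)
    best = None
    for name, zone_net in ZONE_NETS:
        if net.version == zone_net.version and net.subnet_of(zone_net):
            if best is None or zone_net.prefixlen > best[1].prefixlen:
                best = (name, zone_net)
    return best[0] if best else "Internet"


def zones_of(addr):
    """All zones a rule object touches: the zone containing it plus every zone
    nested inside it. A rule for 10.0.0.0/8 is not just 'Corporate'; it also
    opens access for the plant and manufacturing-user zones inside that range."""
    net = ipaddress.ip_network(addr, strict=False)
    nested = {name for name, zone_net in ZONE_NETS
              if net.version == zone_net.version and zone_net.subnet_of(net)}
    return nested | {zone_of(addr)}


def find_violations(rules, policy=POLICY):
    """Return (src, dst, service, src_zone, dst_zone) for every zone pair a rule
    opens that the policy does not allow for that service."""
    violations = []
    for src, dst, service in rules:
        for src_zone, dst_zone in product(sorted(zones_of(src)), sorted(zones_of(dst))):
            if service not in policy.get((src_zone, dst_zone), set()):
                violations.append((src, dst, service, src_zone, dst_zone))
    return violations


def suggest_policy_additions(decisions, min_approvals=3):
    """Incremental review: a zone pair/service approved at least min_approvals
    times and never denied is evidently not high-risk between those zones, so it
    is a candidate for the policy instead of repeated manual review."""
    approved, denied = Counter(), Counter()
    for src_zone, dst_zone, service, decision in decisions:
        (approved if decision == "approved" else denied)[(src_zone, dst_zone, service)] += 1
    return sorted(key for key, n in approved.items()
                  if n >= min_approvals and denied[key] == 0)


def extend_policy(policy, additions):
    """Copy of policy with (src_zone, dst_zone, service) additions applied."""
    extended = {pair: set(services) for pair, services in policy.items()}
    for src_zone, dst_zone, service in additions:
        extended.setdefault((src_zone, dst_zone), set()).add(service)
    return extended


if __name__ == "__main__":
    for v in find_violations(RULES):
        print("VIOLATION", v)
    additions = suggest_policy_additions(DECISIONS)
    print("candidate policy additions:", additions)
    remaining = find_violations(RULES, extend_policy(POLICY, additions))
    print(f"{len(remaining)} violations remain after updating the policy")
```

Two details are worth noting. A rule whose source or destination is wider than one zone (the 10.0.0.0/8 rule here) is attributed to every zone nested inside it, so one overly broad rule yields a violation per uncovered zone pair rather than hiding behind its parent zone. And the suggested addition is scoped to the exact zone pair and service that was repeatedly approved; after applying it, the plant RDP rule stops being reported while the Internet-to-PCI and corporate-to-PCI-Data rules remain violations.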
Get started building
The Tufin Security Policy Builder app is available now on the Tufin Marketplace, free of charge. Customers using the Aurora version of Tufin Orchestration Suite can start leveraging the new app today to design, build, and manage their access-based security policy. And if you’re a customer using our classic version of Tufin Orchestration Suite, please check out the upgrade planner so we can plan your upgrade to the most advanced network security policy management solution available.