Posted on Nov 20th, 2014 by Reuven Harrison

Did you catch my recent webinar on network segmentation in the enterprise? We all know that segmentation reduces the attack surface and minimises risk for a business. But what isn't always appreciated is that enforcing network segmentation must be an ongoing effort of updating and reconfiguring. And in a rapidly evolving modern IT environment, this is becoming increasingly difficult to manage manually.

So is it possible to enforce good segmentation throughout the change cycle without causing major delays to service levels? The answer is of course yes, but there are the familiar roadblocks of the 5 C's – complexity, change, connectivity, compliance and collaboration – which we've talked about in the past.

During the webinar we ran a quick poll which suggested that, of the 5 C's, network infrastructure complexity causes the most headaches, followed closely by a constantly changing environment as the major barrier to network management.

As if these challenges weren't enough, the impact of modern IT on network segmentation is significant. Cloud, virtualization and software-defined IT are all happening in a big way in most enterprises.

This poses both new threats and increased opportunities. The concern is that modern IT is more heterogeneous and in constant flux, which creates added complexity. It means networks are more dynamic and difficult to control. These days it's easy to spawn a server, app, subnet, router, firewall or VPN, each of which is yet another contributing factor to complexity and change. Another evolving challenge is that IP addresses, which can now change on the fly, are starting to lose ground as the primary identifier in security policies and event management. All this is happening at a time when the sophistication of cyber-threats is increasing and the security risks of modern IT are largely unknown.

Now for the good news! As we've discussed before, the systems for managing and monitoring these changes are getting increasingly smarter too. Modern IT automation creates the opportunity to automate policy and network segmentation so you can continually restrict the movement of traffic across your network and adapt to changes. IT is becoming more policy and application driven as businesses decide upfront who has access to business-critical applications and put the policies in place to manage that access. On top of this, data can now be pulled in through APIs to enable smarter network segmentation.

The best opportunity offered by modern IT is abstraction. This offers an effective way to deal with and troubleshoot network complexity by hiding it under a simplified layer. It enables central management and automation while encapsulating existing and forthcoming networking technologies.

Using abstraction, we can concentrate on centralized policy management by defining a central policy (one that includes network segmentation). By using abstraction to enforce that policy everywhere, all of the time, the need for manual review of pre-authorized changes is minimized.

Ultimately, this will enable 'automation with control', or in other words, Security Policy Orchestration.
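To make the abstraction idea concrete, here is an added example (not code from the original post or from any vendor product) of a central segmentation policy expressed over abstract zones. Workloads are mapped to zones by tag rather than by IP address, so a re-spawned server with a new IP is still governed by the same policy; a proposed access change is checked against the zone policy and either passes as pre-authorized or is flagged for manual review; and the zone-level policy is compiled into concrete address-level rules for an enforcement point. The zone names, services, addresses and inventory are all constructed assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]  # (source zone, destination zone)

# Central segmentation policy over abstract zones. Constructed sample;
# the zone names and services are assumptions made for this example.
ALLOWED_FLOWS: Dict[Flow, Set[str]] = {
    ("web", "app"): {"tcp/8443"},
    ("app", "db"): {"tcp/5432"},
    ("mgmt", "web"): {"tcp/22"},
    ("mgmt", "app"): {"tcp/22"},
    ("mgmt", "db"): {"tcp/22"},
}


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str   # the stable identity the policy reasons about
    ip: str     # incidental attribute; may change when the workload is re-spawned


# Constructed inventory, as it might be pulled from a cloud or CMDB API.
INVENTORY: List[Workload] = [
    Workload("web-1", "web", "10.1.0.11"),
    Workload("web-2", "web", "10.1.0.12"),
    Workload("app-1", "app", "10.2.0.21"),
    Workload("db-1", "db", "10.3.0.31"),
    Workload("jump-1", "mgmt", "10.9.0.5"),
]


def index_by_ip(inventory: List[Workload]) -> Dict[str, Workload]:
    """Map current IP -> workload. Rebuilt whenever the inventory changes."""
    return {w.ip: w for w in inventory}


def evaluate_change(src_ip: str, dst_ip: str, service: str,
                    inventory: List[Workload]) -> Dict[str, str]:
    """Decide whether a proposed access change is already covered by the
    central policy (pre-authorized) or must go to manual review."""
    by_ip = index_by_ip(inventory)
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src is None or dst is None:
        return {"decision": "review",
                "reason": "endpoint not in inventory, zone unknown"}
    if src.zone == dst.zone:
        # This sample policy permits traffic inside a zone (an assumption).
        return {"decision": "pre-authorized",
                "reason": f"intra-zone traffic within '{src.zone}'"}
    allowed = ALLOWED_FLOWS.get((src.zone, dst.zone), set())
    if service in allowed:
        return {"decision": "pre-authorized",
                "reason": f"{src.zone}->{dst.zone} {service} is in central policy"}
    return {"decision": "review",
            "reason": f"{src.zone}->{dst.zone} {service} not permitted by central policy"}


def compile_rules(inventory: List[Workload]) -> List[Tuple[str, str, str]]:
    """Render the zone-level policy into concrete (src_ip, dst_ip, service)
    rules for an enforcement point. Re-run after every inventory change so the
    enforced rules follow the abstract policy rather than hand-edited addresses."""
    rules: List[Tuple[str, str, str]] = []
    for (src_zone, dst_zone), services in sorted(ALLOWED_FLOWS.items()):
        for src in inventory:
            if src.zone != src_zone:
                continue
            for dst in inventory:
                if dst.zone != dst_zone:
                    continue
                for svc in sorted(services):
                    rules.append((src.ip, dst.ip, svc))
    return rules


if __name__ == "__main__":
    print(evaluate_change("10.1.0.11", "10.2.0.21", "tcp/8443", INVENTORY))
    print(evaluate_change("10.1.0.11", "10.3.0.31", "tcp/5432", INVENTORY))
    for rule in compile_rules(INVENTORY):
        print(rule)
```

The design point is that `ALLOWED_FLOWS` is the only thing a human reviews; addresses are derived from inventory at enforcement time. When `app-1` is re-spawned with a new IP, the same zone policy still decides, and the old address simply stops matching any workload and drops back to review.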

If an enterprise dares to consider a modern network segmentation architecture, it will reap unquantifiable rewards in terms of increased security, reduced downtime and unparalleled efficiency. Some people might say that's IT zen.

Considerations for a NetSeg Architecture
