What is network segmentation? NS best practices, requirements explained

This article was written by an independent guest author.

If you follow cybersecurity current events, you may know that the cost and frequency of a data breach continue to skyrocket. Organizations are constantly under attack, and the shift to remote work is only exacerbating the problem.

According to IBM’s 2020 Cost of a Data Breach Report, most respondents are concerned that identifying, containing, and paying for a data breach is more burdensome today than ever before. Seventy-one percent feel that remote work will increase the time to identify and contain a breach, while almost the same number believe remote work increases the cost of a breach.

The numbers agree: remote work has added $137,000 to the average breach cost.

In 2021 and beyond, reactive security measures—typically cumbersome and costly—are no longer sufficient. Instead, proactive strategies that anticipate potential risks or vulnerabilities and prevent them before they even happen are required.

One such strategy, network segmentation, is critical for any organization. If you’re not deploying network segmentation, it’s time to get started.

zero-trust model. By segmenting network paths, you’re following that “trust no one” brand of thinking.

However, network segmentation doesn’t go far enough in terms of zero trust. As a form of traffic control, network segmentation is considered to be north-south—meaning that any users, applications or devices authenticated into a designated network zone of the network are trusted.  If someone is authenticated to access an entire segment, solely based on physical or logical location, and not identity, more controls are required.

This model of trust can lead to breaches, thus the need for micro segmentation.

Building a micro-perimeter

Without network segmentation, achieving zero trust is not possible. Segmentation allows network architects to define a micro-perimeter around the organization’s attack surface, with virtual firewalls to help automate and streamline security.

For compliance requirements like PCI DSS compliance, network segmentation can be leveraged to isolate sensitive credit card data into a fully secure zone. Inside this protected surface, rules are created to only allow legitimate traffic and deny everything else.

Typically, these isolated zones require virtual firewalls and virtualized SDNs (software defined networking) in order to achieve PCI DSS compliance.

Ultimately, segmentation—when combined with zero trust—creates additional headaches and roadblocks for attackers. When they can’t move laterally within your network, they’re essentially stuck at the perimeter. The more difficult it is for bad actors, the better it is for your organization.