Network Segregation and Segmentation

Published by Joe D on

Often, organizations that wish to mitigate the security risk of their networks choose to divide them into separate network segments or domains.  When architecting and establishing these domains, the design is typically based on the sensitivity of the information, the organization of the company, and the trust level each segment requires.

For example, an organization that regularly processes credit card (PCI) information may choose to keep all the relevant cardholder data in a segregated network and environment and allow access to that environment only to individuals or devices with a need to know.  By doing this, exposure of that information is controlled and limited.

Another common form of network segmentation is found in organizations with multiple locations.  These entities may choose to segment networks by facility.  Again, exposure of information assets is controlled and limited.

Establishing this type of segmentation, however, takes detailed planning.  When organizations perform a risk analysis, they typically identify the sensitivity of the information, the associated risks, and the access that is allowed.  The product of this analysis provides guideposts for design and implementation.  Furthermore, the requirements for a finite perimeter must be identified.  Once the design is complete, the appropriate firewalls and rules must be implemented to control the access.

While the design and implementation of a segregated network is necessary, it is equally important to control access to that segment.  To this end, access to the segment should be granted through the same request, approval, review, and implementation steps that govern access to any other sensitive information.  Additionally, asset ownership, roles, and entitlements should be established to align with the sensitivity of the assets within the segment.
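The two steps above, turning the approved access list from the risk analysis into firewall rules and then checking that the rules grant nothing beyond it, can be verified mechanically.  The following is an added example, not code from the original post; the segment names, trust levels, approved flows and candidate rules are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed segments following the post's examples: a PCI cardholder data
# environment (cde) plus per-facility segments.  Values are hypothetical trust
# levels, higher meaning more sensitive.
SEGMENTS = {"internet": 0, "branch_lan": 1, "hq_lan": 1, "cde": 3}

# Constructed output of the risk analysis and access-request process: the only
# (source, destination, tcp_port) flows approved on a need-to-know basis.
APPROVED_FLOWS = {
    ("hq_lan", "cde", 443),         # payment staff at HQ to the CDE web tier
    ("hq_lan", "branch_lan", 445),  # file services between facilities
}

@dataclass(frozen=True)
class Rule:
    src: str            # segment name or "any"
    dst: str            # segment name or "any"
    port: "int | str"   # TCP port number or "any"
    action: str         # "allow" or "deny"

def audit_rules(rules):
    """Compare a candidate rule set with the approved access matrix.

    Returns a list of findings; an empty list means every allow rule maps to an
    approved request, no rule is broader than need-to-know, and the perimeter
    ends with an explicit default deny.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if "any" in (r.src, r.dst, r.port):
            findings.append(f"{r.src}->{r.dst}:{r.port} uses 'any'; not need-to-know")
        elif (r.src, r.dst, r.port) not in APPROVED_FLOWS:
            findings.append(f"{r.src}->{r.dst}:{r.port} has no approved access request")
    last = rules[-1] if rules else None
    if last is None or (last.src, last.dst, last.port, last.action) != ("any", "any", "any", "deny"):
        findings.append("rule set does not end with a default deny")
    return findings

# Constructed candidate rule set containing two mistakes a review should catch.
CANDIDATE_RULES = [
    Rule("hq_lan", "cde", 443, "allow"),
    Rule("branch_lan", "cde", 443, "allow"),       # never requested or approved
    Rule("hq_lan", "branch_lan", "any", "allow"),  # broader than the approved port 445
    Rule("any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for finding in audit_rules(CANDIDATE_RULES):
        print(finding)
```

Run against the real rule export of each segment's firewall, the same check makes the periodic access review a diff between the approved matrix and what is actually enforced.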

An additional benefit of network segmentation is the multiple layers of network security it adds.  This type of network segregation may prevent a malicious attacker from reaching an organization’s entire infrastructure through a single attack vector.

As you plan and evolve your network, consider the segmentation strategy.  This additional layer of security may help prevent attacks and may also limit compliance requirements to the assets that are actually in scope.