A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting an enterprise’s assets. Flat, unsegmented networks architectures can allow nosey insiders to easily access sensitive information, while also enabling attackers to move laterally, escalate privileges and spread malware. Segmentation breaks the network into more logical segments and introduces new layers of control and the ability to apply tailored policies for each area.  

However, each of those segments often shares the same problems of a flat network, and thus the trend has been to slice the network into ever-finer segments and microsegments. And while this sounds good on paper, it gets complicated quickly for the teams who have to implement it. Staff are forced to devise a labyrinthian set of rules to divide the network into these smaller and smaller segments.

Sponsorships Available

Sponsorships Available

Sponsorships Available

And as anyone who has managed firewall rules can attest, rules tend to grow in complexity over time. Protocols, applications, assets, and employees are constantly changing, and segmentation rules likewise grow organically with changes. In the end, each rule is an amalgamation of small changes made by dozens of admins, with no one truly being sure that its having the desired effect. Give it a little time and throw in a few company acquisitions and network mergers, and you have an inscrutable set of rules, where no one is truly sure that they work.

Building a Simpler Mousetrap

The good news is that we have other options that can deliver fine-grained enforcement of security policies without the complexity of excessive segmentation. Instead of trying to define policy solely in a network context, we can take a step back and look at what we want to accomplish with our policy. We want certain users to have access to certain assets, and we want that access to be delivered in specific ways.

Conditional Access

A security and conditional access platform, like Preempt offers, lets us define segmentation in a much more natural way. We can set access rules based on the user, their group membership, their privileges and can control access to any type of asset. We can further add notions of risk, user behavior, and signs of threats to the policy, which can adapt over time. We can also become more flexible. Instead of simply relying on Allow/Block rules, we can trigger conditional access such as MFA if we see something that is risky or abnormal. 

Legacy applications and older protocols are often the most exploited at large enterprises, and network architects should design their security strategy to encompass cloud, hybrid and on-premise environments. Security teams should consider the universal challenges presented by legacy applications, domain-joined workstations and an eroding enterprise perimeter exacerbated by increasing network complexity and a proliferation of endpoints and devices.  

Enlisting Dynamic Policy

Conditional access can simplify the challenges of network segmentation. Creating identity-based segmentation rules within the Preempt Platform are simple to configure and understand, while being dynamic, and they remove the requirement to add more infrastructure such as firewalls, switches, ACLs and other tools, which also need to be maintained and patched. By utilizing policies based on identity, behavior and risk that trigger active enforcement, security teams can allow the right users to access the assets and applications they need, while stopping threats and better maintaining business operations and efficiency.

Becoming Agile and More Efficient

One approach that has worked well for our customers is to leverage traditional network-based segmentation for primary access restriction use cases but for more granular use cases, rather than over-architect the process, they have been able to take advantage of Preempt’s identity-based segmentation which allows them to be prescriptive and agile.  Leveraging user behavior and changing risk (changing user contexts, password issues, and more) as opposed to defining everything with a long list of rules based solely on IP range and subnets, can provide greater efficiency while ensuring secure access.