Take a Strategic Approach to Security Segmentation

February 16, 2016 - 4 Comments

[This post was written by Pavan Reddy, Customer Solutions Director, Cisco Security Services]

You’ve read the stats: by the end of the decade, the Internet of Everything will result in 50 billion networked connections of people, process, data and things. You don’t need to look far to see it come to life in your own organization. With increased digitization comes an exploding number of devices and applications gaining access to your network, creating more data to secure and new attack vectors for malicious actors to exploit.

At the same time, you are increasingly required to demonstrate to organization stakeholders and board members what you’re doing to protect your organization from pervasive, innovative cyber threats. In this year’s Annual Security Report, 92% of the respondents agreed that regulators and investors will expect companies to provide more information on cybersecurity risk exposure in the future. Business leaders are also anticipating that investors and regulators will ask tougher questions about security processes, just as they ask questions about other business functions.

Already you may be required to meet audit requirements for protecting and isolating sensitive and personally identifiable information, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Or your organization may be pursuing a business strategy that requires an increased number of suppliers, partners and third parties to access your networks. What is your plan to ensure that only those with the right credentials and identity can access the right assets at the right time?

Our Cisco Security Advisory Services experts have worked with many customers who have employed network segmentation approaches as a way to address these questions. But those approaches are inadequate because their security policies are flat – they expose their organizations to risk, for example when production and non-production systems, as well as sensitive and non-sensitive data, are mixed. Or they’ve created overly complex segmentation schemes that complicate audit and compliance processes. At the same time, data and systems need to be available to carry out the work of the organization. A different, more strategic approach is needed.

Fortunately, next generation technology like Cisco Identity Services Engine, TrustSec and our new fully integrated Cisco Firepower NGFW exist today to implement flexible security controls in your network. You can build a network segmentation strategy that isolates environments and critical systems from other areas of the network and makes it harder for threat actors to take advantage of weaknesses in the infrastructure. You can now combine the tools and technology with your processes and priorities to create a strategic segmentation framework that will support your business objectives.

To help you build out this strategic framework, we’ve introduced a new Security Segmentation Service, an Advisory Service within the Cisco Security Services portfolio. This service provides a strategic infrastructure segmentation approach for our clients that allows organizations to reduce risk, simplify their audit profile, protect data, and achieve a defensible position for board-level requirements in a hyper-connected and complex environment.

Our Security Segmentation Service:

  • Is customer specific. We work with you to develop a model that takes into consideration your specific privacy, security, and business needs.
  • Extends beyond the network. The service blends a top-down-driven information security management system with an adaptable, metrics-based framework. We look at your entire network architecture, plus much more: for instance, your application data flows, any cloud services you’re using, your HR policies for access to critical data and assets, and your intellectual property. We help you apply differentiated controls over different systems and data.
  • Incorporates reusable design patterns. We develop a design you can reuse as your business changes, so you get sustainable and measurable results.


Even if you have policies in place that provide guidance and security around protecting critical assets and data, we often find that users who have changed job roles have accumulated far more access to systems and data than their current role needs, and that terminated users still have credentials for many systems. Inconsistent classification of users, data, and systems results in pivot points where attackers can reach data and systems of high business value.

The purpose of segmentation is to simplify the application of security by using a centralized management point. Once this process is in place, it reduces complexity and requires very little maintenance.

We encourage you to learn more about how Cisco Security Services can help you uncover new ways to think about securing your business as you take advantage of an array of emerging business models.



  1. What is meant by the term “their security policies are flat”? I understand a network can be flat, but a flat security policy is a new concept to me. Please explain.

    • Hi Diego – good question!

      By “flat” we mean that an organization is applying the same security policy generically, i.e. across the board regardless of location within the network topology, type of data, and/or type of application.

      • Thanks for the clarification, John. Do you have any reference to this term/concept? Or is it something invented for this article?

        • Hi Diego! The term “flat” in the post is not meant to be a technical term but is just being used to describe a segmentation plan that turns out to be inadequate, and which does not have the depth of segmentation applied that is required to meet business requirements. Does that help? Thank you for your interest in Segmentation Services!