Information is arguably one of any organization’s most valuable and business critical assets. Despite this, many information networks are, for all intents and purposes, flat networks. That is, networks with few flow controls over data which are then allowed to flow freely. This means that the most sensitive corporate or customer data moves through the same network devices as all other company information. This could include things like employee emails and Internet downloads, credit card information, research, sensitive financial information, electronic doctor/patient communications, and any other information that company employees create, receive, download, share, and store.
A flat network creates an open environment in which anyone who gains legitimate or unlawful access to the corporate backbone is unhindered as to where they can go or what they can do. And, even an unsophisticated attack could not only cripple the entire corporate network, but could also allow a data breach of the highest order. Additionally, in a flat network, the same scarce (read: expensive) resources are required to secure the least critical business assets as are required to secure the most critical business assets. Consider that many companies currently spend the same amount of time, effort, and money every year to keep the electronic inventory of cleaning supplies secure as they do to safeguard their most sensitive corporate information.
By simply compartmentalizing or segregating data types into individual-but-connected, protected networks, a company could slow down or even stop an attacker. At the least, an attacker would be limited to attacking or stealing only the information available in the compartmentalized network that they were able to breach.
A segmented network gives the company the ability to allocate scarce resources based on business criticality, focusing more resources on those most sensitive data environments and fewer resources on the least sensitive. It allows for the isolation of protected data, limiting the scope of audits to a specific network segment (PCI DSS encourages this). The segmented network allows for more precise management of mission-critical business resilience based on real, measurable business needs, and for more granular and efficient monitoring and analysis. It facilitates the detection and remediation of breaches, and provides smoother transitions when moving business segments to a cloud or other service provider or when making hardware modifications.
Benefits of network segmentation can include, but are not limited to:
- Ability to apply granular, business-appropriate access controls in segments
- Much more efficient allocation of critical resources
- Greater visibility into network efficiency, bandwidth utilization, traffic patterns, and anomalous activity that can drain company resources
- Easier implementation of business-specific processes
- Application of different network policies (and technologies) based on segment content (wireless and BYOD, for example, can be applied differently as the business requires)
- Technology and tool investment apportionment based on real data, and efficient alignment to unique business needs
Information is an extremely critical asset to any company, and the loss or corruption of that critical information could be devastating to the company, stakeholders, employees, and customers. Critical information cannot be properly protected in an open network environment where disparate data types are co-mingled and managed with the same diligence. In addition to being a recommendation in every government and industry compliance specification, information protection through segregation is a cornerstone of a well-defined information security strategy, a recognized best practice, and a comparatively easy and inexpensive way to gain business efficiencies, reduce risk, and improve business resilience. Among other things, information segregation created by network segmentation eliminates the common practice of arbitrary application of policy, and inefficient use of costly technology resources. Business-appropriate data segregation also provides individual business owners with greater visibility into and influence on information management, providing for more informed business decisions and investments.