#14 - It’s Time to Think Differently About Segmentation

As data breaches continue to multiply, security becomes an even bigger priority for organisations handling sensitive data. The network perimeter, the boundary between the private and public sides of the network, used to be considered impregnable. It has since been eroded by advanced threats and by an explosion in the number of connected devices (and the applications running on them) reaching a plethora of applications and services hosted in many different locations. As a consequence, a new generation of predatory malware attacks now gets through the traditional network perimeter.

Everything and everyone is accessible

Since the dawn of the networking era, enterprises have built open (flat) networks to offer every user access to almost every application. Many of these networks are global, spanning business units and national boundaries with unprecedented connectivity. Which is good, right? Because it means that everything and everyone is accessible. However, that very same access is now available to our adversaries. In fact, some enterprise networks have become a kind of playground for hackers, offering everything to everyone with minimal effort and no need even to wait in line. With a few readily available tools or tactics, adversaries can reach business-critical applications and data. Put simply, all they need to do is compromise one of a growing population of connected devices.

From that single compromised device, attackers can then reach other devices, servers and even printers to establish a robust foothold inside the network. From there they hunt for privileged users in order to gain privileged access to servers, applications and data. Security professionals have been advised to segment their networks to defeat these compromises, but traditional network-based segmentation approaches have failed. Data centre segmentation is only effective when combined with a way to control user access to the data centre partitions, which is difficult to impossible with traditional network segmentation techniques. Even if security professionals segment (or isolate) applications so that adversaries cannot easily reach them while employees still can, the result is still too much access: stolen credentials, and compromised devices that can reach servers from inside the network.

Drilling deeper into segmentation

So yes, segmentation has become the new perimeter strategy, and it should begin with protecting applications and servers from attacks originating at compromised endpoints. But Chief Information Security Officers (CISOs) have been “educated” by PCI compliance to treat server segmentation as the priority, instead of protecting servers from the most common threats.

“Traditional network segmentation, both in the data centre and the access network, is ineffective at thwarting adversaries’ ability to move laterally through the network to access valuable data, once they gain an internal foothold.” Unfortunately, this kind of segmentation does not put a proper barrier at the interface between users and servers.

So what kind of segmentation does help to prevent risk?

“A trust-aware access control barrier. Its access control system acts based on deep and extensive knowledge about the user, the device being used, its location, and the sanctity of the software on that device.”

The barrier can verify users’ identity with a multifactor method and authorise the use of an application before they access it. As mentioned above, the access control system can also verify the client security software to make sure it is intact and neither compromised nor compromising. Finally, the trust-aware access control barrier stops adversaries who have gained a foothold and are trying to reach servers, applications and data from proceeding any further.

By deploying a “trust-aware” boundary between the corporate access network and the data centre (or other areas where servers are deployed), zero-trust partitions can be deployed economically to insulate critical applications from compromises and attempted breaches occurring elsewhere in the corporate network.
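As an added illustration (not code from the article or its author), here is how the factors named above, user identity with multifactor verification, device enrolment, the integrity of the device's security software, location and per-application authorisation, can drive a single access decision at such a barrier. The request fields, role tables and permitted locations are constructed assumptions, and the scenarios show why a compromised device is refused even when it presents a legitimate, MFA-verified user.

```python
from dataclasses import dataclass

# Constructed example: a trust-aware access decision that weighs the user,
# the device, its location and the device's software state before a
# connection to an application is authorised.

@dataclass
class Request:
    user: str
    mfa_verified: bool
    device_id: str
    device_managed: bool
    endpoint_agent_healthy: bool   # the "sanctity of the software" on the device
    location: str                  # e.g. "corp-office", "home", "unknown"
    app: str

# Hypothetical policy tables: which roles may reach which application,
# which users hold which roles, and from where access is permitted at all.
APP_ROLES = {"payroll": {"finance"}, "crm": {"sales", "finance"}}
USER_ROLES = {"alice": {"finance"}, "bob": {"sales"}}
ALLOWED_LOCATIONS = {"corp-office", "home"}

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    if not req.mfa_verified:
        return False, "multifactor authentication not completed"
    if not req.device_managed:
        return False, f"device {req.device_id} is not enrolled"
    if not req.endpoint_agent_healthy:
        return False, f"device {req.device_id} failed software integrity check"
    if req.location not in ALLOWED_LOCATIONS:
        return False, f"location {req.location!r} not permitted"
    if not USER_ROLES.get(req.user, set()) & APP_ROLES.get(req.app, set()):
        return False, f"{req.user} is not authorised for {req.app}"
    return True, "all trust checks passed"

# Constructed scenarios: a clean request, a foothold on an otherwise valid
# device, a stolen credential used from an unknown machine, and a user
# asking for an application outside their role.
legit = Request("alice", True, "lap-01", True, True, "corp-office", "payroll")
foothold = Request("alice", True, "lap-01", True, False, "corp-office", "payroll")
stolen_creds = Request("alice", True, "unknown-pc", False, False, "unknown", "payroll")
wrong_app = Request("bob", True, "lap-02", True, True, "home", "payroll")

if __name__ == "__main__":
    for r in (legit, foothold, stolen_creds, wrong_app):
        print(r.user, r.device_id, r.app, evaluate(r))
```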

Lucas Lang

Health Layby Wallet

7 years

I’d love to learn where you first heard of this, Jorge? Very interesting point of view.
