The idea of Segmentation is pretty simple: put your crown jewels (i.e. your highest risk assets) in a small container, then heavily secure and monitor that. It is simply too difficult to secure everything equally.
With “digital” drivers to improve experiences, automate operations or change business models, there is now a need to manage data, systems, devices, people, and things from all over the globe. Even if you owned everything, you simply can’t physically get them centralized (into a data center for example) anymore. It’s becoming unmanageable.
Why Does the CEO or Board Care?
Generally, the reason we see them care is regulation: the primary control in virtually every regulation or framework is to segment, for all of the reasons stated above.
Why Would a Line of Business Care?
Digitization requires speed: fast execution. Speed and exponential change often means that processes need to be altered and rules need to be bent or broken. This is a heyday for attackers. Say you are the Chief Marketing Officer and you want to test out a new concept store and integrate new data sources to improve the customer experience. Wouldn’t it be nice to have that contained so it didn’t take six months to get through all of the exceptions needed for IT because it’s a connected system and therefore an increased risk to the entire business? Segmentation gives you the ability to reduce the risk exposure to just a single area.
Why Does IT Care?
Segmentation reduces the attack surface. That means there are fewer places you have to look, and you can do that on a risk-based approach (i.e. focus on mission critical first, business important second, etc.). This reduces the number of people you need (which is a huge issue) and the number of systems, and it allows you to have one policy and one management across the organization. Studies show (and our experience corroborates) that this reduces costs on the order of 3:1, and more importantly reduces the probability of a full compromise from 75% to 17%.
What’s New in Technology in This Area?
Because of the complexity, this must be done through a software-based method where feasible, so that you can secure across enclaves or planes rather than physical locations (e.g. you can secure all medical devices across all locations in a hospital separately from the rest of the lower-risk assets, or you can allow Industrial IoT devices to talk only to other IoT devices).
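As an added illustration of what securing across enclaves means in practice (this is not the author's or any product's code), the following minimal policy check tags hypothetical devices by enclave rather than by network location, so a single rule covers medical devices at every hospital site and IIoT devices may only reach other IIoT devices; all addresses, ports and device names are constructed.

```python
"""Enclave-tag segmentation policy check (added illustration, not the
author's or any product's code). Devices are tagged by enclave, not
location, so one policy spans every site; anything not allowed is denied."""
from dataclasses import dataclass

# Constructed inventory: address -> (enclave, location). Hypothetical values.
INVENTORY = {
    "10.1.5.20": ("medical", "hospital-east"),
    "10.2.5.21": ("medical", "hospital-west"),
    "10.3.7.10": ("iiot", "plant-a"),
    "10.3.7.11": ("iiot", "plant-a"),
    "10.9.0.5": ("corporate", "hq"),
    "10.9.0.77": ("mgmt", "hq"),
}

# Allowed (source enclave, destination enclave, destination port). Keyed on
# enclave only, so the medical rule covers both hospital sites at once.
POLICY = {
    ("medical", "medical", 2575),  # HL7 between medical devices
    ("mgmt", "medical", 443),      # management plane reaches devices
    ("iiot", "iiot", 502),         # Modbus/TCP stays inside the IIoT enclave
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def evaluate(flow, inventory=INVENTORY, policy=POLICY):
    """Return 'allow' or 'deny'; unknown devices are denied by default."""
    if flow.src not in inventory or flow.dst not in inventory:
        return "deny"
    key = (inventory[flow.src][0], inventory[flow.dst][0], flow.dport)
    return "allow" if key in policy else "deny"

def denied_flows(flows, inventory=INVENTORY, policy=POLICY):
    """Flows that cross enclave boundaries: the events worth alerting on."""
    return [f for f in flows if evaluate(f, inventory, policy) == "deny"]
# Constructed sample flows, e.g. from firewall or NetFlow records.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.5.21", 2575),  # medical to medical, different sites
    Flow("10.3.7.10", "10.3.7.11", 502),   # IIoT to IIoT
    Flow("10.3.7.10", "10.9.0.5", 443),    # IIoT reaching corporate: denied
    Flow("10.9.0.5", "10.1.5.20", 2575),   # corporate to medical: denied
    Flow("192.0.2.9", "10.1.5.20", 443),   # unknown device: denied
]
if __name__ == "__main__":
    for f in denied_flows(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}")
```

Denied flows are the ones a monitoring team would alert on; the default-deny on unknown devices is what keeps an unregistered IoT device from silently joining an enclave.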
What Are the Goals of Understanding the Current State of Segmentation?
- To provide independent verification, ensuring that current environments meet the organization’s security expectations and requirements.
- To analyze each business network separation through interviews, documentation, testing, and observation.
- To educate technical and portfolio ownership on the current security posture in relation to industry best practices around segmentation and how to appropriately apply them within the organization.
- To advise the organization on the potential impact of connected and non-separated business networks.
Does this Apply to Me?
Great opportunities to reduce scope and better manage an environment include:
- Companies that are doing M&A. This can be used for acquiring and divesting. The ability to quickly move or section off groups from your network improves the speed of the transaction.
- Healthcare with medical devices. With ransomware, there is true fear of hackers disrupting critical care, and most of the devices are unpatchable.
- Manufacturers that are bringing Operations Technology groups online. This enables policy enforcement on the OT infrastructure.
- Anything with IoT because (according to a Cisco study), 92% of the devices delivered have known vulnerabilities.
- A line of business that wants to be in control of their own processes/environments, without having to be slowed down by the rest of IT.
Are you looking to understand the new risks that come with a connected IoT system? Listen to our webinar “IoT Security – Getting ahead of the digital impact to your business.”
Author: Stephen Marchewitz
Stephen has been in the security and risk industry for over 13 years and in IT for over 20 years. He has assisted companies in driving change to ensure clients are successful both in receiving value from products and services as well as managing the security and compliance risks of new projects and technologies. He’s served as an outsourced Chief Information Security Officer for a dozen different companies and consulted to some of the largest companies in the world. Prior to joining TrustedSec, Stephen was the Global Risk Practice Manager in the Digital Transformation Group at Cisco, President and Advisory Practice Lead for a leading information security firm for nine years, a Management Consultant with Ernst & Young, held Technology Management and sales positions with CA and Oracle, and developed new offerings in the insurance industry as an Underwriter and Program Director with Willis Coroon/Chubb in underwriting risk. He is dedicated to helping customers implement the right solutions and services that best meet their business needs, thus allowing them to achieve new levels of success.