Security through Segmentation: Reducing Scope, Risks and Costs

By - November 10, 2013

I recently saw an episode from one of those “caught on camera” television series that featured a group of thieves attempting to rob a jewelry store. What intrigued me most about the footage was the layers of security this particular jewelry store had deployed. Once the store owners perceived these individuals as a threat, they retreated to a safe room and activated an alarm. This in turn triggered bulletproof barriers to drop across several entrances, the front door to lock and an alarm to sound. The thieves tried to break through the barriers and display cases, only to find they too were made of bulletproof glass. They then smashed the cash register and grabbed what they could from the few cases they were finally able to access. Next they turned their attention to escaping from the store, which also proved to be very difficult given the locked door and bulletproof glass. Just as they were finally able to break through the glass of the door, police were waiting outside to apprehend them.

I’ve seen my share of these television series and in most episodes that featured jewelry theft, the thieves came through the front door and smashed through the display cases taking what they wanted before leaving the same way they came.  What made this store different was the bulletproof glass and security doors inside the store and the fact that the thieves were caught prior to leaving the store.

How does this relate to network security? Actually, there are several comparisons that can be made. The main entrance and the bulletproof glass of the street-facing windows could be compared to a border firewall. The motion sensors and glass-break detectors we will call our Intrusion Detection System, and the cameras in many ways serve as event logging. Unfortunately for many businesses, that’s where the similarities stop. Once an intruder is beyond the border firewall and IDS, there are typically very few measures in place to restrict their movements within the internal network.

I believe the best defense against a potential attacker is to never allow the attacker to “touch” the device in the first place. We have seen time and time again how malware spreads between systems that never had a need to communicate with each other, utilizing ports that were never really required. Does Sally’s PC in the finance department really need to communicate with Fred’s PC in marketing? Most organizations are shocked to learn how little network traffic is really required compared to all that is allowed.

Segmentation can reduce the scope of certain audit requirements, which in turn can reduce costs for an assessment. For example, the PCI DSS standard dictates that all systems, applications and processes that have access to credit card information will be considered within the scope of an audit. A flat network topology can, by default, provide access to protected data from systems that have no need to access it. Segmenting the cardholder data environment from the rest of the corporate network reduces the scope of the audit to only those devices within the cardholder environment.

Introducing segmentation within an internal network may seem like a daunting task, but in reality it doesn’t have to be that difficult. Developing a data classification policy is the first step, followed by an access policy that defines traffic flow between different classifications of data. The access policy will then determine what hardware components (if any) will be needed. Many organizations already have components in place to begin segmenting their network with only configuration changes. The key to success is understanding where data currently is within the network, developing clear and enforceable policies and creating a migration plan to the new segments.
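As an added illustration (not part of the original post), the sketch below checks observed traffic against a default-deny access policy between segments, reporting the flows that segmentation would block and the rules that are allowed but never used. The segment names, subnets, policy rules and flow records are all constructed assumptions.

```python
import ipaddress

# Assumed segments, one per data classification (constructed subnets).
SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "marketing": ipaddress.ip_network("10.20.0.0/24"),
    "cde": ipaddress.ip_network("10.30.0.0/24"),  # cardholder data environment
    "servers": ipaddress.ip_network("10.40.0.0/24"),
}
# Assumed policy: (src segment, dst segment, protocol, dst port); all else denied.
POLICY = {
    ("finance", "cde", "tcp", 443),
    ("finance", "servers", "tcp", 445),
    ("marketing", "servers", "tcp", 445),
    ("marketing", "cde", "tcp", 443),
}
# Constructed flow records: (src ip, dst ip, protocol, dst port).
FLOWS = [
    ("10.10.0.15", "10.30.0.5", "tcp", 443),
    ("10.10.0.15", "10.20.0.22", "tcp", 445),   # finance PC -> marketing PC
    ("10.20.0.22", "10.40.0.8", "tcp", 445),
    ("10.20.0.22", "10.30.0.5", "tcp", 1433),   # marketing PC -> CDE
    ("10.10.0.16", "10.10.0.15", "tcp", 3389),  # inside one segment
    ("10.10.0.15", "10.99.0.7", "tcp", 22),     # host not yet classified
]

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def audit(flows, policy):
    """Split observed flows into policy violations and list unused rules."""
    violations, used = [], set()
    for src, dst, proto, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            violations.append((src, dst, port, "unclassified host"))
        elif s == d:
            continue  # same segment: not governed by the inter-segment policy
        elif (s, d, proto, port) in policy:
            used.add((s, d, proto, port))
        else:
            violations.append((src, dst, port, f"{s} -> {d} not in policy"))
    return violations, sorted(policy - used)

if __name__ == "__main__":
    blocked, unused = audit(FLOWS, POLICY)
    print("would be blocked:", blocked, "\nallowed but never observed:", unused)
```

Unclassified hosts point to gaps in the data classification step, and unused rules are candidates for removal before the migration to the new segments.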

Back to the jewelry store: those barriers did little to stop the thieves from smashing the display cases, kicking in doors and cracking the windows, but they contained the thieves long enough to prevent them from escaping with the jewelry. What are the “jewels” within your network, and what barriers are in place once the thieves are beyond your front door?

For more information on network security please contact McGladrey’s technology consulting professionals at 800.274.3978 or email us. In addition, please check out our offerings on our website.

Scott leads the national network and unified communication solutions team, which encompasses network cyber-defense technologies, transport systems and unified communication platforms. Prior to joining RSM in 2003, Scott worked for a software company as a senior network engineer, where he was responsible for the design and implementation of data and voice networks to support financial transactions in excess of $1 million every minute and up to 800,000 online traders. Scott also has an extensive background in network design and architecture. He has designed infrastructures to support both front and back-office financial transactions with a variety of firms. Scott has great discipline in the field of network documentation and operational procedures. He has created web-based systems to capture network-based move, add and change requests, and a live documentation management system. He also has detailed experience in the implementation of network monitoring and management tools from a variety of vendors. In order to accommodate government regulation of financial-based networks, Scott has designed networks for five nines of availability. During his employment with a software company, the core network designed by Scott was able to switch all 800,000 users and over a dozen back-end connections to a remote recovery facility in less than three minutes. Switching services to the remote facility was performed once per month to assure clients of the business continuance plan.
