Network Segmentation in the Age of the IoT


In-brief: Segmentation is a well-established approach to securing your data and IT assets. But have you assessed your approach to segmentation in light of new technologies and business models? Scott Harrell of Cisco’s Security Business Group writes with some pointers on adapting segmentation to the demands of the Internet of Things.

Growth in connectivity, digitization and the Internet of Everything (IoE) is creating a Digital Economy and new business models that are fueling new opportunities through greater speed, efficiency and agility. As meaningful connections continue to multiply, security practitioners are under serious pressure to develop policies that allow their organizations to participate in a secure Digital Economy.

I meet on a frequent basis with several IT and security professionals. Regardless of what part of the world I am in, or the size of the organization, one thing is common – security professionals want to enable business growth, minimize risk and deliver the best possible security they can. Many are starting to utilize software defined segmentation as part of their strategy to protect critical business assets without impeding productivity or connectivity.

Scott is a Vice President of Product Management at Cisco Systems.

The creation of IP-enabled networks has unleashed a wave of productivity and innovation. This model of any-to-any connectivity is now the very same model being leveraged by adversaries to maximize the impact of any intrusion. Software defined segmentation allows us to preserve the productivity gains of IP connectivity while eliminating much of the risk of any-to-any connectivity. It can limit the scope of an incident and enable rapid response to threats across diverse and extended networks.

Earlier this year, I wrote about how the Internet of Things (IoT) is driving practitioners to rethink their network segmentation strategies to ensure that new connected device types don’t compromise the overall security of the network. For those of you revisiting your strategies, it’s important to note that there are many approaches that can be employed but not all approaches are created equal.

Choosing the right one is imperative to ensuring the proper security posture. For example, if you ran a hotel, you wouldn’t give a guest a key that opens every room on a single floor, and yet that is often what we do in IP networks when users or devices are authorized for a particular VLAN or set of VLANs.

Simplicity is Key

Business demand for cloud services, mobility and the IoE has created exponential network growth and complexity. Each new user, device and data connection represents a new potential attack entry point. To retain control of a growing attack surface and keep pace with the growth in connectivity, user endpoints and diversity of machines on the network, organizations must adopt an approach that simplifies policy management and does not require the time and cost burdens of a network redesign every time a new entity is deployed. Below are a few criteria to consider to ensure you adopt a method that allows you to isolate and contain threats quickly in a way that reduces complexity, applies consistent policies across the network and decreases operational expenses.

A Bias for Flexibility

To make security operations more efficient and enforce segmentation policy consistently across the network, you need a solution that works seamlessly with your networking infrastructure. The solution must provide a common method for abstracting the provisioning of extremely granular segmentation across your routers, switches, access points, and firewalls. It must be able to scale and segment your network all the way down to the machine or user while still remaining flexible enough to respond proactively to the dynamic nature of networks and devices. Being able to do this in a uniform way enables you to get the most out of your investments.

Many attackers are no longer seeking just to exfiltrate data or steal money. Now they may also seek to destroy, hold for ransom, or render useless as many devices as possible that are connected to the network. In the case of laptops or servers, the impact can range from a nuisance to severe business disruption. In the case of critical infrastructure, it can cause catastrophic and life-impacting damage. By leveraging software defined segmentation capabilities, when hackers do make their way into your network they can no longer move about freely, greatly limiting the scope and damage of any breach.

Articulate…and Automate

Traditional network segmentation approaches use IP-address-based access control lists (ACLs), VLAN segmentation, and firewall policies that require extensive manual maintenance. As more applications are introduced, ACLs and firewall rules based on IP addresses tend to grow exponentially and become very hard to audit. ACLs create policies that are static, tightly coupled to the network topology, and unable to describe policy in plain business language. Management of the segmentation policies is manual, with the risk of rules being misconfigured.

For industries such as health care, retail or banking with highly sensitive data to protect and extended network operations that span multiple branch offices, this approach introduces significant challenges. Each branch office that a policy applies to needs to be identified individually because each site has its own addressing scheme, making policy management for those branch offices tedious and time-consuming.

Selecting solutions that allow business-language policies to be created and then automatically applied and maintained in a pervasive and consistent manner across the network simplifies control of user and application interactions and can help to alleviate many of these headaches. Security professionals are under tremendous pressure to defend against threats that take only minutes to infiltrate the network and steal valuable intellectual property. In a world where reducing the time to detect and remediate threats is crucial to achieving better outcomes, software defined segmentation is well suited to address changing business demands, to apply sophisticated policies at scale that keep pace with the growth in connectivity, and to handle the unforeseen risks that digitization will continue to present.
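To make the contrast between topology-bound IP ACLs and role-based (business-language) policy concrete, here is an added illustration that is not part of the article and not Cisco code. It assumes a hypothetical retail topology (a datacenter plus branches with their own addressing schemes) and two constructed roles-to-roles rules; it enforces flows by the role of each endpoint and counts how many IP-based permit lines the same intent would need as branches are added.

```python
import ipaddress

# Constructed sample topology (hypothetical addresses): a datacenter plus two
# branches, each branch with its own addressing scheme, as in the article.
SITES = {
    "datacenter": {"payment_gw": "10.0.1.0/24", "building_mgmt": "10.0.2.0/24"},
    "branch-a": {"pos_terminal": "10.1.10.0/24", "hvac_sensor": "10.1.20.0/24"},
    "branch-b": {"pos_terminal": "172.16.5.0/24", "hvac_sensor": "172.16.9.0/24"},
}

# Role-to-role policy written in business terms: (source role, destination role)
# -> allowed TCP ports. Anything not listed is denied, so a compromised HVAC
# sensor cannot reach the payment gateway or a point-of-sale terminal.
ROLE_POLICY = {
    ("pos_terminal", "payment_gw"): {443},
    ("hvac_sensor", "building_mgmt"): {8883},
}

def classify(ip, sites=SITES):
    """Map an address to its role; roles, not addresses, carry the policy."""
    addr = ipaddress.ip_address(ip)
    for roles in sites.values():
        for role, cidr in roles.items():
            if addr in ipaddress.ip_network(cidr):
                return role
    return "unknown"

def flow_allowed(src_ip, dst_ip, port, policy=ROLE_POLICY, sites=SITES):
    """Enforcement decision for one flow, based on the roles of both ends."""
    key = (classify(src_ip, sites), classify(dst_ip, sites))
    return port in policy.get(key, set())

def role_policy_size(policy=ROLE_POLICY):
    """Number of role-based permit lines; independent of how many sites exist."""
    return sum(len(ports) for ports in policy.values())

def ip_acl_size(policy=ROLE_POLICY, sites=SITES):
    """Number of IP-based permit lines needed to express the same intent: one
    line per (source subnet, destination subnet, port), so it grows with every
    site added under its own addressing scheme."""
    subnets_by_role = {}
    for roles in sites.values():
        for role, cidr in roles.items():
            subnets_by_role.setdefault(role, []).append(cidr)
    total = 0
    for (src_role, dst_role), ports in policy.items():
        total += (len(subnets_by_role.get(src_role, []))
                  * len(subnets_by_role.get(dst_role, [])) * len(ports))
    return total
```

With the two constructed rules, the role policy stays at two lines no matter how many branches are opened, while the IP ACL equivalent gains two lines per branch.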

Scott Harrell is the Vice President of Product Management in Cisco’s Security Business Group.
