Hazardous Network Segmentation: When More Isn’t Better

Welcome to the last blog post in our special series, Mitigating Gartner’s Network Security Worst Practices.

Under and over-segmentation of networks is among Gartner’s “Dirty Dozen” Network Security Worst Practices. We know that these two extremes pose different challenges to organizations, and finding the right balance is essential to providing security while supporting business agility.

The risks posed by undersegmentation are clear enough. In the “old days,” organizations established a perimeter firewall to keep the bad guys out and that was it. We called it “crunchy on the outside, chewy on the inside.” As a result, many companies found their networks chewed up and key data breached. Obviously, the problem here is that a single breach of the outer firewall makes the entire network vulnerable.

So to block free access to all the organization’s “goodies”—credit card information, patient data, intellectual property and such—security teams implemented network segmentation. By creating zones or segments with their own additional protection or layers of defense, they limited the ability for “nefarious actors to access systems via lateral movement in the environment,[1]” as Gartner puts it.

But there can also be too much of a good thing – in this case “microsegmentation”. I suggest that we think of “microsegmentation” as analogous to “micromanagement”: good intentions that can sometimes create an unworkable situation. With an excessive level of segmentation, the costs and time required for day-to-day management make it unmanageable, and both the business’ agility and security suffer.

To get an idea of the scope of work involved in maintaining microsegmentation, consider that you have to define what you want to allow between each pair of zones. If you have 50 zones in a network, you have 50 x 50 or 2500 policy choices to make. That’s quite out of control. Now imagine what could happen if you had a zone for every few servers:  the calculations and policy maintenance are far beyond human capabilities. In real life, you want to maintain fewer than 15 to 20 zones. If you get much beyond 30, you’re deceiving yourself in thinking you can manage them.

So what can you do? In this recent article in Network World we provide some practical tips to help you get started with network segmentation. However, you need to remember that Network segmentation is a significant, wide-reaching undertaking that requires considerable ongoing management involvement and commitment. But there are technology solutions that can help. AlgoSec’s security policy management suite can simplify the complexity involved in defining, deploying and enforcing the security policies that are at the core of your network segmentation strategy. Furthermore it can help avoid disruptions and limit the risks caused by accidental firewall misconfigurations. And as your business needs evolve, AlgoSec’s unique visibility and automation will help you effectively ensure the integrity of your network segmentation strategy while responding to business initiatives.

About the Mitigating Gartner’s Network Security Worst Practices Blog Series

In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.

[1] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.