Relying on a DMZ to protect your network and data is like putting money in a bank that depends on one guard and a single gate to secure its deposits. Imagine how tempting all those piles of money would be to those who had access -- and how keen everyone else would be to obtain access.
But banks do not keep cash out on tables in the lobby; they stash it in security boxes inside vaults, behind locked doors, inside a building patrolled by a guard and secured by a gate. Network segmentation offers the same layered protection for an organization's assets.
The need for network segmentation has been widely discussed for years, but it remains one of the less commonly implemented security steps, and is seldom employed as a strategic defense. When a recent poll asked IT professionals to describe their network segmentation, a mere 30% of respondents said they strategically set segmentation around business drivers for the latest threats. Another third of respondents said they "set and forget" their segmentation, and an equal number reported they occasionally revisit it -- typically around audit time. A brutally honest 6% said, "My network what?"
The string of recent security breaches should drive home the importance of having carefully implemented and well-maintained network segmentation. If properly set and maintained, network segmentation would have made the long road from procurement portal to cardholder data environment far more difficult to travel in the Target breach, which exposed 40 million credit card numbers, and could have significantly limited the damage in the recent Home Depot breach, which compromised 56 million credit cards. Proper segmentation could also have limited the impact of the Community Health Systems breach, in which 4.5 million patients' personal health information and personal identifier information (PHI/PII) were stolen.
Effective network segmentation is a big undertaking, but it boils down to just five basic steps.
* Understand the business and organizational drivers. To know what to protect, you need to understand how revenue enters the business stream and which front-end components, such as point-of-sale terminals, and back-end components support the core functions of the enterprise. Then, identify which assets, data and personnel are critical to ensuring continuity of the business.
* Create the plan. You want to classify, isolate and protect the most important components. Group related items together, for example, all your Windows servers, into one virtual LAN (VLAN). Other asset groups might include infrastructure (routers, switches, VPNs and VoIP) in one VLAN and security assets (IDS, firewalls, web filters and scanners) in another.
Financial or human resource servers typically need their own VLAN because of the confidential nature of the information they process and store. You want separate VLANs for groups of personnel as well, so Windows server administrators might be in one, while security administrators are in another and executive management in a third. Data requiring special protection, such as credit card numbers that must comply with PCI-DSS or patient information that is subject to HIPAA, should be isolated from other data and put in its own VLANs.
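The planning step above is easier to get right, and to keep right after "set and forget" drift, if the plan is written down in a form that can be checked. The following is an added example, not code from the article: it holds a constructed asset inventory and inter-VLAN flow policy (VLAN numbers, asset names and the allowed-flow table are all invented for illustration) and audits them for the two mistakes the text warns about, regulated data (PCI or HIPAA) sharing a VLAN with other data, and a regulated VLAN reachable from a segment that was never approved to reach it. The sample deliberately places an HR database in the general Windows server VLAN and lets the general user VLAN reach the cardholder VLAN so that both checks fire.

```python
"""Audit a VLAN segmentation plan for isolation mistakes.

Added illustration, not the article's own code. All VLAN numbers, asset names
and flow rules below are constructed sample data.
"""
from dataclasses import dataclass, field

# Data classes that must never share a VLAN with any other class.
REGULATED = {"PCI", "HIPAA"}


@dataclass
class Asset:
    name: str
    role: str                 # e.g. "windows-server", "database", "switch"
    data_class: str = "general"


@dataclass
class Vlan:
    vid: int
    name: str
    assets: list = field(default_factory=list)

    def data_classes(self):
        return {a.data_class for a in self.assets}


def build_sample_plan():
    """Constructed inventory following the article's suggested grouping."""
    vlans = {
        10: Vlan(10, "windows-servers"),
        20: Vlan(20, "infrastructure"),
        30: Vlan(30, "security-tools"),
        40: Vlan(40, "cardholder-data"),
        50: Vlan(50, "server-admins"),
        60: Vlan(60, "general-users"),
    }
    placements = [
        (Asset("fs01", "windows-server"), 10),
        (Asset("dc01", "windows-server"), 10),
        (Asset("core-sw1", "switch"), 20),
        (Asset("vpn-gw", "vpn"), 20),
        (Asset("ids01", "ids"), 30),
        (Asset("pos-db", "database", "PCI"), 40),
        (Asset("pos-app", "app-server", "PCI"), 40),
        # Deliberate mistake: HIPAA data dropped into the general server VLAN.
        (Asset("hr-db", "database", "HIPAA"), 10),
        (Asset("admin-ws1", "workstation"), 50),
        (Asset("user-ws1", "workstation"), 60),
    ]
    for asset, vid in placements:
        vlans[vid].assets.append(asset)
    return vlans


# Inter-VLAN policy: source VLAN -> VLANs it may initiate traffic to.
# Constructed; the deliberate hole is 60 (general users) -> 40 (cardholder data).
SAMPLE_FLOWS = {
    50: {10, 20, 30, 40},
    60: {10, 40},
    30: {10, 20, 40},
}

# Sources approved to reach each regulated VLAN (constructed).
SAMPLE_TRUSTED = {40: {30, 50}}


def mixed_data_violations(vlans):
    """VLANs in which regulated data shares a segment with another data class."""
    findings = []
    for v in vlans.values():
        classes = v.data_classes()
        if classes & REGULATED and len(classes) > 1:
            findings.append((v.vid, sorted(classes)))
    return findings


def exposure_violations(vlans, flows, trusted_sources):
    """(source, destination) pairs where an unapproved VLAN reaches regulated data."""
    regulated_vids = {v.vid for v in vlans.values() if v.data_classes() & REGULATED}
    findings = []
    for src, dests in flows.items():
        for dst in dests & regulated_vids:
            if src not in trusted_sources.get(dst, set()):
                findings.append((src, dst))
    return sorted(findings)


def move_asset(vlans, name, new_vid, new_name=None):
    """Remediation helper: relocate an asset, creating the target VLAN if needed."""
    for v in vlans.values():
        for a in list(v.assets):
            if a.name == name:
                v.assets.remove(a)
                vlans.setdefault(new_vid, Vlan(new_vid, new_name or f"vlan{new_vid}"))
                vlans[new_vid].assets.append(a)
                return vlans
    raise KeyError(name)


def audit(vlans, flows, trusted_sources):
    return {
        "mixed_data": mixed_data_violations(vlans),
        "exposure": exposure_violations(vlans, flows, trusted_sources),
    }


if __name__ == "__main__":
    plan = build_sample_plan()
    print("before:", audit(plan, SAMPLE_FLOWS, SAMPLE_TRUSTED))
    move_asset(plan, "hr-db", 70, "hr-data")
    trusted = {**SAMPLE_TRUSTED, 70: {50}}
    print("after: ", audit(plan, SAMPLE_FLOWS, trusted))
```

Note that the misplaced HR database produces exposure findings against VLAN 10 as well as the mixed-data finding: once regulated data lands in a general segment, every VLAN allowed to reach that segment is an exposure. Moving the asset into its own VLAN and naming its approved sources clears those, leaving only the genuine policy hole from the user VLAN to the cardholder VLAN.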