12) Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?
Answer yes if your organisation has appropriately segregated its network or cloud environments to restrict the level of access to sensitive information, hosts, and services. Examples include segregation of production systems from systems being commissioned or decommissioned and systems under test; segregation of systems with different security levels (e.g. those processing sensitive personal data or financial data are segregated from other business systems) and segregation or segmentation of services used by different subsidiary organisations.
What is the control?
Segmenting networks is a good way of limiting what can happen where. Just like a home has different rooms for different purposes, so should a network.
In the DMZ control (control F7), we covered why it is a good idea to have a separate network segment, between the main internal network and the internet, wherein to put systems that could be connected to directly from outside. This way, if one is compromised, it’s still logically separated from the internal network.
There are reasons why your internal network should be broken down into segments too. You may want to separate development, testing, staging, and production environments to maintain the integrity of the production environment and data being processed, for example. Or separate different groups of desktops such as those from Finance and your Graphic Design department as there’s no need for their systems to be on the same segment with full connectivity between each other. You may choose to provide a completely separate network for guest access. There may be technical reasons such as having separate network segments per floor to optimise network switching and routing performance. You may have different geographical areas or have offices in different countries with different perceived levels of risk or legal requirements.
Why should I have it?
Segmentation allows you to separate parts of your network that don’t need full access to each other and implement controls between them, which potentially mitigates the impact of breaches by restricting their spread. The controls you implement between network segments will prevent an attacker moving easily from one segment to another. Segmentation can also help optimise network performance, mitigate breaches, and simplify compliance requirements. For example, it’s typically far more economical to place credit card processing infrastructure in a separate segment so that the scope of your PCI compliance requirements can be limited to that segment.
Compliance aside, you can group any systems of similar criticality together to create segments where you can concentrate security, or implement specific controls, to monitor the highest risk systems, instead of having to maintain the same high and costly level of controls across your entire estate.
Finally, it allows you to delegate authority and management of different parts of the network, which can be essential to being able to sustainably scale.
How to implement the control
There is no perfect way to do segregation but, in general, environments with different purposes should be in different segments. You will likely also want to group systems with different levels of importance or criticality (or different compliance requirements) so that you can more effectively allocate the right level of security functionality and monitoring where it’s needed.
Whichever criteria you choose to base your segmentation decisions on, ensure they are well documented in your network security policies and ensure that your processes around provisioning systems include these considerations.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
