[BreachExchange] Six Steps to Segmentation in a Perimeterless World

Destry Winant destry at riskbasedsecurity.com
Mon Jan 21 07:01:18 EST 2019


https://www.securityweek.com/six-steps-segmentation-perimeterless-world

Setting Objectives and Having a Clear Roadmap is the Best Path to a
Successful Network Segmentation Journey

Organizations have talked about segmentation for years as a strategy
to improve overall security posture. While widely considered a
security best practice, in today’s dynamic environments where the
network perimeter is ever-evolving, segmentation can be challenging to
implement, scale, and manage. A combination of new connected devices,
changing business models, expectations for guest access, regulatory
requirements, and evolving threats can make it a complex undertaking.
Furthermore, you need a holistic approach that covers the campus, data
center and cloud – anywhere an endpoint connects. Otherwise, you risk
ending up with multiple segmentation strategies that compound
complexity and may negatively impact security and user experience.

However, you shouldn’t let this reality prevent you from moving
forward. As Henry Ford said, “Nothing is particularly hard if you
divide it into small steps.” Coming from the person who transformed
factory production and was a driving force behind the industrial
revolution, this advice carries some weight. In that spirit, I want to
share six steps to successful segmentation. Whether you have in-house
staff who can drive your segmentation project or are considering
third-party advisory services, these activities are critical to
success.

In part one of this two-part article, I’ll cover proper planning and
preparation. These activities will help ensure you create a
segmentation strategy that is aligned with your business goals and
drivers, and accurately defined to reduce security risk and strengthen
security posture. With the right plan in place you’ll have a clear
understanding of how you will accomplish your objectives and be better
able to set expectations for the segmentation program.

1. Define Objectives. Setting objectives and laying out a clear
roadmap is the best path to a successful segmentation journey. To do
this, you need answers to critical questions, including:

• What business and security drivers are behind the segmentation initiative?

• What practices do you have in place to define asset classification?

• What assets are critical to your business?

• What threats are common in your business vertical?

• How are you leveraging technologies and processes to address those threats?

• Does your technology roadmap include an element of security?

• What are your top business priorities and how do they align with
your current security initiatives?

• What are your pain points?

This information helps define the high-level strategy by gaining an
understanding of business goals and drivers, critical business assets,
known risks, and an overall understanding of the current enterprise
security posture. This in turn helps you to determine next steps and
priorities for reducing security risk and developing technology
roadmaps.

2. Identify, Classify and Prioritize Assets. Working closely with key
stakeholders, you’re now ready to define sets of assets and classify
them by business impact, risk, function, and regulatory requirements.
This classification is used to define security control capabilities
and to help set priorities through clearly defined criteria. As
examples, if a hospital considers radiology gear as a critical asset,
then those devices should be identified and grouped with like devices.
An insurance provider may consider all business services equally
critical and group them together, but its corporate services may vary
in criticality based on the impact on revenue-generating activities or
compliance.

3. Gain Visibility to Support and Augment the Strategy. To validate
your work from step two, you need visibility into actual traffic and
devices to ensure you haven’t missed anything. This process includes
considering the types of traffic of interest (North, South, East and
West), all physical and virtual devices collecting traffic, where to
gather data (WAN edge, Access Layer, Cloud), the best sources of data,
and an analytics platform to monitor, analyze, and report on the
information. With the right tools and processes you can identify the
actual devices within a segment and its trusts or policies with other
segments. This allows you to discover unknown devices and traffic
patterns and is crucial in understanding if, how, and where you might
need to adjust your strategy based on what is actually happening
within your environment.
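
One way to run the step-three check against the step-two classification,
as an added example that is not part of the original article: it compares
flow records with the asset inventory to surface unclassified devices and
cross-segment traffic outside the intended trusts. The segment labels,
addresses, ports, internal range and expected-trust list are all
constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed step-two output: asset IP -> segment (hypothetical labels).
INVENTORY = {
    "10.10.1.11": "radiology",
    "10.10.1.12": "radiology",
    "10.20.5.20": "business-services",
    "10.30.9.40": "corporate-services",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Assumed intended trusts between segments: (src_segment, dst_segment, dst_port).
EXPECTED = {
    ("radiology", "business-services", 443),
    ("business-services", "EXTERNAL", 443),
}
# Constructed flow records (src, dst, dst_port), e.g. from a flow collector.
FLOWS = [
    ("10.10.1.11", "10.20.5.20", 443),
    ("10.10.1.12", "10.20.5.20", 443),
    ("10.10.1.11", "10.10.1.12", 104),    # stays inside one segment
    ("10.30.9.40", "10.10.1.11", 3389),   # cross-segment, not an expected trust
    ("10.10.1.77", "10.20.5.20", 445),    # source missing from the inventory
    ("10.20.5.20", "203.0.113.8", 443),   # north-south
]

def segment_of(ip, inventory):
    """Map an address to its segment, or flag it as unclassified/external."""
    if ipaddress.ip_address(ip) not in INTERNAL:
        return "EXTERNAL"
    return inventory.get(ip, "UNCLASSIFIED")

def analyze(flows, inventory, expected):
    """Return unknown internal devices, the observed trust matrix, and gaps."""
    unknown, matrix = set(), Counter()
    for src, dst, port in flows:
        s, d = segment_of(src, inventory), segment_of(dst, inventory)
        unknown.update(ip for ip, seg in ((src, s), (dst, d)) if seg == "UNCLASSIFIED")
        if s != d:  # only traffic that crosses a segment boundary
            direction = "north-south" if "EXTERNAL" in (s, d) else "east-west"
            matrix[(s, d, port, direction)] += 1
    unexpected = sorted(k[:3] for k in matrix if k[:3] not in expected)
    return unknown, matrix, unexpected

if __name__ == "__main__":
    unknown, matrix, unexpected = analyze(FLOWS, INVENTORY, EXPECTED)
    print("unknown devices:", sorted(unknown))
    for key, count in sorted(matrix.items()):
        print(count, *key)
    print("flows outside the intended trusts:", unexpected)
```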

You’ve now done the critical work to develop a segmentation strategy
that matches your needs. In part two of this article, I’ll discuss the
final three steps which focus on implementation and ongoing operation
of your segmentation program. Specifically, I’ll review how to
develop, validate, and enforce policies that are as dynamic as your
environment to enable effective protection for your critical assets.

