
Network Segmentation

Protect your network by controlling the conversations within it.

  • Many legacy networks were built for full connectivity and overlooked potential security ramifications.
  • Malware, ransomware, and bad actors are proliferating. It is not a matter of if you will be compromised but of how the damage can be minimized.
  • Cyber insurance is a detective control, not a preventative one. Prerequisite audits will look for appropriate segmentation.

Our Advice

Critical Insight

  • Lateral movement amplifies damage. Contain movement within the network through segmentation.
  • Good segmentation is a balance between security and manageability. If solutions are too complex, they won’t be updated or maintained.
  • Network services and users change over time, and so must your segmentation strategy. Networks are not static; your segmentation must keep pace.

Impact and Result

  • Create a common understanding of what is to be built, for whom, and why.
  • Define what services will be offered and how they will be governed.
  • Understand which assets you already have that can jump-start the project.

Network Segmentation Research & Tools

1. Network Segmentation Deck – A deck to help you minimize risk by controlling traffic flows within the network.

Map out appropriate network segmentation to minimize risk in your network.


Network Segmentation

Protect your network by controlling the conversations within it.

Executive Summary

Info-Tech Insight

Lateral movement amplifies damage

From a security perspective, bad actors often use the tactic of “land and expand.” Once a network is breached, if east/west or lateral movement is not restricted, an attacker can spread quickly within a network from a small compromise.

Good segmentation is a balance between security and manageability

The ease of management in a network is usually inversely proportional to the amount of segmentation in that network. Highly segmented networks have a lot of potential complications and management overhead. In practice, this often leads to administrators being confused or implementing shortcuts that circumvent the very security that was intended with the segmentation in the first place.

Network services and users change over time, so must your segmentation strategy

Network segmentation projects should not be viewed as singular or “one and done.” Services and users on a network are constantly evolving; the network segmentation strategy must adapt with these changes. Be sure to monitor and audit segmentation deployments and change or update them as required to maintain a proper risk posture.

Executive Summary

Your Challenge

Networks are meant to facilitate communication, and when devices on a network cannot communicate, it is generally seen as an issue. The simplest answer to this is to design flat, permissive networks. With the proliferation of malware, ransomware, and advanced persistent threats (APTs), a flat or permissive network is an invitation for bad actors to deliver more damage at an increased pace.

Cyber insurance may be viewed as a simpler mitigation than network reconfiguration or redesign, but it is not a preventative solution, and the audits done before policies are issued will flag flat networks as a concern.

Common Obstacles

Network segmentation is not a “bolt-on” fix. To properly implement a minimum viable product for segmentation you must, at a minimum:

  • Understand the endpoints and their appropriate traffic flows.
  • Understand the technologies available to implement segmentation.

Implementing appropriate segmentation often involves elements of (if not a full) network redesign.

Info-Tech’s Approach

To ensure the best results in a timely fashion, Info-Tech recommends a methodology that consists of:

  • Understanding the network (or a subset thereof) and prioritizing segmentation based on risk.
  • Aligning the appropriate segmentation methodology to each surfaced segment to be addressed.
  • Monitoring the segmented environment for compliance and design efficacy, adding to and modifying existing segmentation as required.

Info-Tech Insight

The aim of networking is communication, but unfettered communication can be a liability. Appropriate segmentation in networks, blocking communications where they are not required or desired, restricts lateral movement within the network, allowing for better risk mitigation and management.

Network segmentation

Compartmentalization of risk:

Segmentation is the practice of compartmentalizing network traffic for the purposes of mitigating or reducing risk. Segmentation methodologies can generally be grouped into three broad categories:

1. Physical Segmentation

The most common implementation of physical segmentation is to build parallel networks with separate hardware for each network segment. This is sometimes referred to as “air gapping.”

2. Static Virtual Segmentation

Static virtual segmentation is the configuration practice of using technologies such as virtual LANs (VLANs) to assign ports or connections statically to a network segment.

3. Dynamic Virtual Segmentation

Dynamic virtual segmentation assigns a connection to a network segment based on the device or user behind the connection. This can be done through such means as software-defined networking (SDN), 802.1X, or traffic inspection and profiling.
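The following is an added example, not part of the Info-Tech deck, illustrating two of the categories above together with the "monitor for compliance" step of the recommended methodology: subnets stand in for static VLAN assignment, a device-identity table stands in for what 802.1X or profiling would supply, and observed flow records are checked against an inter-segment allow list. The segment names, address ranges, policy and flow records are all constructed for the example.

```python
"""Segmentation compliance audit (added example with constructed data).

Classifies each observed flow into a source and destination segment, first by
device identity (dynamic segmentation) and otherwise by subnet (static
segmentation), then flags conversations the segmentation policy does not allow.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Static virtual segmentation: a subnet (one VLAN each, constructed) maps to a segment.
STATIC_SEGMENTS = {
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
    "iot": ipaddress.ip_network("10.40.0.0/16"),
}

# Dynamic virtual segmentation: a device identity (as a NAC/profiling system
# would report it) overrides the subnet-based assignment. Constructed entries.
DYNAMIC_SEGMENTS = {
    "printer-3f": "iot",
    "plc-line-2": "ot",
}

# Allowed conversations: source segment -> destination segments it may reach.
# Anything not listed is denied; a segment may always talk to itself.
ALLOWED = {
    "corp-users": {"servers", "internet"},
    "servers": {"internet"},
    "ot": set(),
    "iot": set(),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_device: Optional[str] = None  # identity tag from NAC/profiling, if any


def segment_of(ip: str, device: Optional[str] = None) -> str:
    """Identity wins over subnet; addresses outside every known subnet are 'internet'."""
    if device in DYNAMIC_SEGMENTS:
        return DYNAMIC_SEGMENTS[device]
    addr = ipaddress.ip_address(ip)
    for name, net in STATIC_SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_seg: str, dst_seg: str) -> bool:
    """Intra-segment traffic is allowed; inter-segment traffic needs an ALLOWED entry."""
    return src_seg == dst_seg or dst_seg in ALLOWED.get(src_seg, set())


def audit(flows: Iterable[Flow]) -> List[Tuple[str, str, Flow]]:
    """Return (src_segment, dst_segment, flow) for every flow the policy forbids."""
    violations = []
    for flow in flows:
        src_seg = segment_of(flow.src_ip, flow.src_device)
        dst_seg = segment_of(flow.dst_ip)
        if not is_allowed(src_seg, dst_seg):
            violations.append((src_seg, dst_seg, flow))
    return violations


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src_ip dst_ip dst_port [src_device]' record."""
    parts = line.split()
    device = parts[3] if len(parts) > 3 else None
    return Flow(parts[0], parts[1], int(parts[2]), device)


def audit_lines(lines: Iterable[str]) -> List[Tuple[str, str, Flow]]:
    return audit(parse_flow(line) for line in lines)


# Constructed flow records, in the shape a firewall or NetFlow export might yield.
SAMPLE_FLOWS = [
    "10.10.5.7 10.20.1.10 443",             # user -> server: allowed
    "10.10.5.7 10.10.5.9 445",              # user -> user: same segment, allowed
    "10.20.1.10 10.30.2.2 502",             # server -> OT: denied (lateral movement)
    "10.10.5.7 10.40.0.12 80",              # user -> IoT: denied
    "10.10.7.3 10.20.1.10 443 printer-3f",  # profiled as IoT despite user subnet: denied
    "10.20.1.10 203.0.113.5 443",           # server -> internet: allowed
]

if __name__ == "__main__":
    for src_seg, dst_seg, f in audit_lines(SAMPLE_FLOWS):
        print(f"DENY {src_seg}->{dst_seg}: {f.src_ip} -> {f.dst_ip}:{f.dst_port}")
```

The fifth record is the point of the dynamic category: the printer sits on the user subnet, so a purely static policy would let it reach the servers, while the identity-based assignment places it in the IoT segment and the flow is flagged. Run periodically against real flow exports, the same check is the monitoring step the methodology calls for.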

Common triggers for network segmentation projects

1. Remediate Audit Findings

Many security audits (potentially required for or affecting premiums of cyber insurance) will highlight the potential issues of non-segmented networks.

2. Protect Vulnerable Technology Assets

Whether separating IT and OT or segmenting off IoT/IIoT devices, keeping vulnerable assets separated from potential attack vectors is good practice.

3. Minimize Potential for Lateral Movement

Any organization that has experienced a cyber attack will realize the value in segmenting the network to slow a bad actor’s movement through technology assets.

How do you execute on network segmentation?

Figure: the network segmentation process, in three phases: identify risk, design segmentation, and operate and optimize.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.


Author

Scott Young

Search Code: 100537
Last Revised: February 13, 2023
