What is Network Segmentation?
Organizations are under constant attack, and, despite investing heavily in an array of cyber defenses, they are still falling victim to breaches. According to the Risk Based Security 2019 Year End Report Data Breach QuickView, last year was another “worst year on record” in terms of data breach activity, with 7,098 breaches resulting in the exposure of more than 15.1 billion records.
Many security measures fall into the “reactive” category, meaning that IT and security teams investigate when a device or network has become compromised and mitigate any fallout from the attack. But reactive security measures are cumbersome and costly, requiring teams to do continuous damage control. They can also lead to severe consequences, from regulatory noncompliance to public relations nightmares.
Instead of reacting to attacks, many organizations adopt proactive schemes designed to prevent attacks, anticipating any potential risks or vulnerabilities, and fixing them before they can be exploited. In addition to stacks of security hardware in the data center or the deployment of security delivered as a service, organizations employ a variety of techniques that reduce their risk, and one such method that is widely used is network segmentation.
How does network segmentation work?
Network segmentation is the process of dividing a network into multiple zones and applying security protocols to each zone to manage security and compliance. Typically, it involves segregating traffic between the network segments using virtual local area networks (VLANs), after which security is applied via firewalls to protect applications and data.
Network segmentation (not to be confused with microsegmentation) has been promoted as a solution that provides security without degrading performance, as it allows for policy creation and maintenance for different segments of the network. But in today’s world of complicated networks distributed across multiple clouds and data centers, this approach may no longer make sense.
Challenges with network segmentation
Excessive trust: Network segmentation is based on the assumption that everyone within the network is trustworthy. Because it is designed primarily to prevent attacks from outside, this approach can make organizations vulnerable to insider attacks.
Complexity: Network segmentation requires an organization to know and understand all of the assets communicating on each of its networks. Next, it has to define the zones that make sense based on business and compliance needs. Then it has to begin the actual work of implementing VLANs. The potential for misconfiguring a VLAN during implementation is high because of the complexity of today’s network architectures, especially since most organizations use multicloud environments that they do not own, and they often cannot alter the infrastructure on which the network is administered.
Management: In a modern networking environment, addresses change continually, users connect with multiple devices using a variety of networks, and new applications are introduced constantly. Such dynamic environments create a management nightmare with ongoing manual policy definition, review, change, and exception handling. Furthermore, every change in policy requires an update to all firewall rules, and the nature of network segmentation requires the deployment of additional resources for even mundane security activities such as vulnerability scanning.
Controls: Network segmentation lacks fine-grained controls, so it’s complicated to segment access for various levels, such as remote workers, contingent workers, partners, and so on.
Scalability: To handle network growth, network segmentation requires organizations to create smaller segments or upgrade their existing ones, resulting in higher costs to scale and maintain.
Performance: Adding resources, including multiple firewalls, to a network has an adverse effect on overall performance.
A better way than segmentation
Zero trust network access (ZTNA) is a framework defined by Gartner based on the assumption of zero trust, which means that no device is inherently trusted, and access is granted based on privileges defined by policies.
Instead of a network-centric approach to security, which is becoming increasingly impractical in the cloud world, ZTNA takes a user-to-application approach. It enables application access without network access, using native application segmentation to ensure that once users are authorized, application access is granted on a one-to-one basis. Authorized users have access only to specific applications rather than full access to the network, providing much more granular control and no risk of lateral movement.
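To make the contrast between the two models concrete, the following is an added Python example (not code from the original article and not any vendor's product) that models a zone-based firewall of the kind described under "How does network segmentation work?" beside a per-application identity policy of the kind described for ZTNA. The zone names, subnets, applications, users and groups are all constructed for the illustration. It shows the two points made above: in the zone model, trust is a property of the source address, so any host inside a trusted VLAN inherits that VLAN's reach; in the per-application model, an identity sees only the applications its policy grants, and other hosts are never reachable at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ---- Model 1: network segmentation (VLAN zones + inter-zone firewall rules) ----
# Constructed zones: each VLAN maps to one IP subnet.
ZONES = {
    "corp-users": ip_network("10.10.0.0/24"),
    "app-servers": ip_network("10.20.0.0/24"),
    "finance-db": ip_network("10.30.0.0/24"),
}

# Constructed firewall rules: (source zone, destination zone, destination port).
# Anything not listed is denied at the zone boundary.
FIREWALL_RULES = {
    ("corp-users", "app-servers", 443),
    ("app-servers", "finance-db", 5432),
}


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it lies outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def firewall_allows(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Zone-based decision: trust derives from the source address, not from who is using it."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False
    # Traffic inside one VLAN never crosses the firewall, so it is implicitly allowed on every port.
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, dst_port) in FIREWALL_RULES


def reachable_from(src_ip: str, targets) -> list:
    """List the (dst_ip, port) pairs a host can reach; a compromised host inherits all of them."""
    return sorted((dst, port) for dst, port in targets if firewall_allows(src_ip, dst, port))


# ---- Model 2: ZTNA-style per-application policy ----
# Constructed policies: access depends on identity and device posture, never on source address.
APP_POLICIES = {
    "payroll": {"groups": {"finance"}, "managed_device_required": True},
    "wiki": {"groups": {"employees", "contractors"}, "managed_device_required": False},
    "build-server": {"groups": {"engineering"}, "managed_device_required": True},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    managed_device: bool
    app: str


def ztna_allows(req: AccessRequest) -> bool:
    """Per-application decision; the requester's network location plays no part."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False  # unknown application: default deny
    if policy["managed_device_required"] and not req.managed_device:
        return False
    return bool(policy["groups"] & req.groups)


def reachable_apps(user: str, groups, managed_device: bool) -> list:
    """Applications visible to one identity; everything else, hosts included, stays unreachable."""
    return sorted(
        app for app in APP_POLICIES
        if ztna_allows(AccessRequest(user, frozenset(groups), managed_device, app))
    )


if __name__ == "__main__":
    # A workstation in the user VLAN (constructed address) reaches every app server on 443
    # and every neighbour on every port, whoever happens to be sitting at it.
    targets = [("10.20.0.7", 443), ("10.20.0.8", 443), ("10.10.0.9", 22), ("10.30.0.2", 5432)]
    print("zone model:", reachable_from("10.10.0.55", targets))
    # The same person under the per-application policy: one application, chosen by group
    # membership and device posture, from any location.
    print("ztna model:", reachable_apps("c.lee", {"contractors"}, managed_device=False))
```

The design choice worth noting is where each model keeps its deny: the zone model only denies at the boundary between subnets, which is why the intra-VLAN case returns True without consulting any rule, while the per-application model evaluates every request against a named policy and falls back to deny when no policy exists.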
Advantages of ZTNA over network segmentation
- ZTNA provides adaptive, identity-aware, precision access without network access. It removes network location as a position of advantage and eliminates excessive implicit trust, replacing it with explicit identity-based trust.
- ZTNA requires no network connection, so there is no exposure of internal applications (IP addresses) to the internet, reducing the risk of attack.
- Instead of configuring access rules and firewall rules, granular access policies enforced in the cloud provide user-to-app-level segmentation.
- ZTNA can be delivered as a cloud service and, in some cases, can be extended as software on-premises (managed by the service). Cloud delivery improves flexibility, agility, and scalability, and reduces the need for internal firewall appliances.
- Organizations rely on ZTNA to allow unmanaged devices and external partners to securely access applications while minimizing the threat of malware spreading by keeping users off the network.