Using segmentation requires thinking about cybersecurity in a way almost completely opposite of tradition.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
Over the past several months, I have been asked to review cutting-edge technologies that could be used to help defend networks against modern threats. Last time, I focused on how automation might be able to protect government if deployed correctly. Today, I want to explore segmentation, an interesting technology, and also a concept, which might have the power to redraw federal cybersecurity perimeters.
The federal government was instrumental in helping to define the concept of a security perimeter. Back in the days when government networks were mostly accessed by desktop systems sitting inside the agencies themselves, treating cybersecurity like physical security made a lot of sense, and worked quite well.
Authorized users could identify themselves and their client machine to gain access to network resources. Bad guys were kept on the other side of the security perimeter, and any remote access was tightly controlled and monitored. It’s what made movies like “Sneakers” so exciting, because to breach a network also required a caper to physically break in and seize a valid access point.
As you all know, perimeter security no longer works. Mobility put a serious dent in it by allowing users to access networks first on their notebooks and later with phones and tablets. That made remote access more popular and efficient than forcing everyone into an office. And cloud was the deathblow when even the applications and data moved offsite.
Now, you have thousands of users from everywhere in the world accessing applications that are also stored almost anywhere in the world. All federal networks still collect credentials and monitor for suspicious activity, but there is no longer a perimeter. That gives attackers a lot of room to maneuver, which is one reason why there have been so many successful attacks lately.
Segmentation could be a way to put the perimeter back in place, at least for the most important network resources and assets. You can achieve segmentation using most of the latest “next generation” type firewalls, and several companies are starting to offer it as a standalone product or service.
Using segmentation requires thinking about cybersecurity in a way almost completely opposite of tradition. Instead of scanning for anomalous or suspicious processes, security teams instead define, in very precise terms, all the valid users and processes required to accomplish tasks on a network. Those are allowed, and everything else is restricted.
Most traditional cybersecurity is conducted in the same way police try identify drunk drivers. They cruise around looking for suspicious behaviors like cars weaving out of their lane or running traffic lights. They then pull the car over and subject the drivers to a series of tests to determine if they are driving illegally. The system assumes everyone can be out on the road doing whatever they choose so long as they are sober and obeying traffic laws.
In a segmented system, each driver’s access to roads would be tightly controlled by factors like time, valid tasks and sobriety. No scanning would be necessary because only valid, sober drivers would ever be on the road.
Ture segmentation is very granular. A user might need to use FTP to query a database as part of their work. That does not mean FTP must be authorized as a protocol for the whole network, only that a specific person can use FTP for that single task. It also doesn’t authorize them to use FTP to do anything else, like querying a different database or using it to pull files from other protected areas.
With very tight controls, even if users have their credentials compromised, the damage is going to be minimized because the attackers are still going to be limited by those core rules defining what they can do with the segmented network. They also might get quickly caught when they try to accomplish anything other than authorized processes.
The key to good segmentation is taking time to learn all the valid ways users do their work, which normally requires a fairly long learning process. Administrators then use the next generation firewall or segmentation program to authorize those very specific uses, while a blanket policy covers everything else.
The great thing about segmentation security is that when alerts pop up about someone breaking policy, there is no need to rush. The invalid process was not allowed, so there is no danger to the network. At worst, you have an authorized user waiting around for permission to continue their work, perhaps because it’s a new task, or perhaps because it was missed in the learning phase of deployment.
The disadvantages to segmentation are obvious. It drastically restricts how networks can be used. Also, for very large enterprises, defining all valid users, applications and protocols, plus how they interact, would be almost impossible. As such, segmentation can almost never be deployed networkwide. Instead, it should be used to redraw the perimeter around core assets fewer users need to access—segmenting them away from the rest of the network.
With segmentation technology, the federal perimeter can be at least partially redrawn. It’s a much smaller perimeter, and exists deep inside the enterprise, but the protection it offers for core assets is as impressive as the classic perimeter security was in its day, and probably even more effective.