Could Segmentation Restore the Federal Cybersecurity Perimeter?


Using segmentation requires thinking about cybersecurity in a way almost completely opposite of tradition.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

Over the past several months, I have been asked to review cutting-edge technologies that could be used to help defend networks against modern threats. Last time, I focused on how automation might be able to protect government if deployed correctly. Today, I want to explore segmentation, an interesting technology, and also a concept, which might have the power to redraw federal cybersecurity perimeters.

The federal government was instrumental in helping to define the concept of a security perimeter. Back in the days when government networks were mostly accessed by desktop systems sitting inside the agencies themselves, treating cybersecurity like physical security made a lot of sense, and worked quite well.

Authorized users could identify themselves and their client machine to gain access to network resources. Bad guys were kept on the other side of the security perimeter, and any remote access was tightly controlled and monitored. It’s what made movies like “Sneakers” so exciting, because to breach a network also required a caper to physically break in and seize a valid access point.

As you all know, perimeter security no longer works. Mobility put a serious dent in it by allowing users to access networks first on their notebooks and later with phones and tablets. That made remote access more popular and efficient than forcing everyone into an office. And cloud was the deathblow when even the applications and data moved offsite.

Now, you have thousands of users from everywhere in the world accessing applications that are also stored almost anywhere in the world. All federal networks still collect credentials and monitor for suspicious activity, but there is no longer a perimeter. That gives attackers a lot of room to maneuver, which is one reason why there have been so many successful attacks lately.

Segmentation could be a way to put the perimeter back in place, at least for the most important network resources and assets. You can achieve segmentation using most of the latest “next generation” type firewalls, and several companies are starting to offer it as a standalone product or service.

Using segmentation requires thinking about cybersecurity in a way almost completely opposite of tradition. Instead of scanning for anomalous or suspicious processes, security teams instead define, in very precise terms, all the valid users and processes required to accomplish tasks on a network. Those are allowed, and everything else is restricted.

Most traditional cybersecurity is conducted in the same way police try to identify drunk drivers. They cruise around looking for suspicious behaviors like cars weaving out of their lane or running traffic lights. They then pull the car over and subject the drivers to a series of tests to determine if they are driving illegally. The system assumes everyone can be out on the road doing whatever they choose so long as they are sober and obeying traffic laws.

In a segmented system, each driver’s access to roads would be tightly controlled by factors like time, valid tasks and sobriety. No scanning would be necessary because only valid, sober drivers would ever be on the road.

True segmentation is very granular. A user might need to use FTP to query a database as part of their work. That does not mean FTP must be authorized as a protocol for the whole network, only that a specific person can use FTP for that single task. It also doesn’t authorize them to use FTP to do anything else, like querying a different database or using it to pull files from other protected areas.

With very tight controls, even if users have their credentials compromised, the damage is going to be minimized because the attackers are still going to be limited by those core rules defining what they can do with the segmented network. They also might get quickly caught when they try to accomplish anything other than authorized processes.

The key to good segmentation is taking time to learn all the valid ways users do their work, which normally requires a fairly long learning process. Administrators then use the next generation firewall or segmentation program to authorize those very specific uses, while a blanket policy covers everything else.

The great thing about segmentation security is that when alerts pop up about someone breaking policy, there is no need to rush. The invalid process was not allowed, so there is no danger to the network. At worst, you have an authorized user waiting around for permission to continue their work, perhaps because it’s a new task, or perhaps because it was missed in the learning phase of deployment.
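To make the allow-list model concrete, here is a small policy engine written for this column as an added example (it is not code from the author or from any segmentation product). It models the three ideas above: a learning phase that records which user, protocol and destination combinations are actually used, a commit step that turns them into explicit rules bounded by a time window, and a default-deny evaluation in which a denied flow is logged for review rather than treated as an emergency. The user, protocol and destination names are constructed sample values.

```python
"""Segmentation-style allow-list: exact per-user/per-protocol/per-destination rules, default deny."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Flow:
    user: str          # who is acting (constructed sample values in the tests)
    protocol: str      # e.g. "ftp"; authorized only for one task, never network-wide
    destination: str   # the single resource this protocol is allowed to reach


@dataclass(frozen=True)
class Rule:
    flow: Flow
    start: time  # rule applies from this time of day (inclusive)
    end: time    # ...until this time of day (exclusive)


class SegmentPolicy:
    """Everything not explicitly authorized is denied; denials are recorded for review."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []
        self.observed: set[Flow] = set()
        self.denials: list[tuple[Flow, time, str]] = []

    def learn(self, flow: Flow) -> None:
        """Learning phase: record every legitimate flow seen so it can be authorized later."""
        self.observed.add(flow)

    def commit(self, start: time, end: time) -> int:
        """Turn the observed flows into explicit rules limited to a working-hours window."""
        self.rules = [Rule(f, start, end) for f in sorted(self.observed, key=str)]
        self.observed.clear()
        return len(self.rules)

    def evaluate(self, flow: Flow, at: time) -> bool:
        """Default deny: allowed only if a rule matches the flow exactly and the time fits."""
        for rule in self.rules:
            if rule.flow == flow and rule.start <= at < rule.end:
                return True
        # The flow never ran, so this is an alert to review (a missed task or new task), not a breach.
        known = any(r.flow == flow for r in self.rules)
        self.denials.append((flow, at, "outside time window" if known else "no rule"))
        return False
```

The same credentials used with a different protocol, a different destination, or outside the window all land in `denials`, which is the list an administrator reviews to extend the policy or to spot misuse of a compromised account.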

The disadvantages to segmentation are obvious. It drastically restricts how networks can be used. Also, for very large enterprises, defining all valid users, applications and protocols, plus how they interact, would be almost impossible. As such, segmentation can almost never be deployed networkwide. Instead, it should be used to redraw the perimeter around core assets fewer users need to access—segmenting them away from the rest of the network.

With segmentation technology, the federal perimeter can be at least partially redrawn. It’s a much smaller perimeter, and exists deep inside the enterprise, but the protection it offers for core assets is as impressive as the classic perimeter security was in its day, and probably even more effective.
