Why Network Segmentation Matters

When IT leaders hear about segmentation, their first thought is usually about dividing a network up using VLANs or VXLANs. But segmentation also plays a critical security role in securing dynamic multi-cloud environments, IoT and BYOD strategies, and automated workflows in today’s highly distributed environments.

Digital Innovation is disrupting enterprise organizations, adding new networks such as dynamic multi-cloud to enable new services and business opportunities. However, these new environments also create increased risk. The explosive adoption of IoT and mobile devices, as well as applications and services from multiple clouds, are pushing the attack surface beyond the traditional network boundaries. And because workflows, applications, and transactions have to span all of these new environments, traditional network-based segmentation strategies stop at the edge of each network environment without putting cumbersome and complex solutions in place.

This is especially challenging as things like IoT devices gather information that needs to be shared to cloud-based data centers, or if remotely located devices need to communicate with each other over the network. And at the same time, this expanding and fragmented attack surface is also undermining the ability of network teams to maintain things like network performance, security, reliability, and availability inside their expanding network perimeters.

Open, flat networks put organizations at unnecessary risk

To accommodate this need for interoperability and communication between devices, organizations leverage flat, open networks to accelerate transactions, applications, and workflows. And a growing number of these networks are being built around high-performance routing and switching infrastructure that don’t include security due to the performance limitations of most security solutions.

From a security perspective, this can be disastrous. Breaching the network perimeter of a flat network allows hackers to establish a beachhead and then move laterally across the network to gain access to credentials, resources, and data. More, the lack of a security infrastructure within the internal network also significantly limits the organization’s visibility into suspicious traffic behaviors and data flows, which further hinders the ability to detect a breach. It’s the reason why the average mean time to identify a threat in today’s networks is 197 days, with another 69 days required to contain and eliminate it. And for small to medium-sized businesses that have fewer security resources available, the problem is even worse, with dwell times exceeding two years.

The value of internal segmentation

To regain control over their burgeoning networks, network leaders can implement internal segmentation to efficiently translate business goals into the “where,” “how,” and “what” of security segmentation: “Where” establishes the points of segment demarcation and the logic used to segment IT assets, “How” implements business goals with fine-grained access control and maintains it using continuous, adaptive trust, and “What” enforces access control by applying high-performance advanced (Layer 7) security across the network.

These three elements operate within the context of an integrated fabric of security components that connect to and communicate with other network and infrastructure devices. Macro- and micro-segmentation architectures can also be applied, as well as application-, process-, and endpoint-level segmentation, to create smaller, more manageable attack surfaces.

NAC solutions can then identify and categorize every device accessing the network to establish and maintain device visibility. Authenticated devices can be automatically assigned to specific network segments based on context such as the kind of device and the role of the user assigned to it. And once devices have been assigned to specific network segments, automated workflow security can create horizontal segments to secure communications and transactions between individual or groups of devices, including those that span different network environments.

This way, network leaders can effectively improve their security posture, mitigate risks, and support compliance and operational efficiency across the enterprise without altering their network architectures.

Internal segmentation requires extreme performance

However, because security solutions struggle to meet the performance requirements of today’s internal network traffic, internal segmentation can undermine the digital innovation that organizations rely on to compete effectively in today’s marketplace. Applications need to deliver business-critical services at breakneck speeds, IoT devices are generating unprecedented volumes of data that need to be collected and processed in cloud-based data centers, and compute-intensive processing relies on hyperscale architectures that can move massive amounts of data in enormous elephant flows for things like advanced rendering and modeling projects.

As a result, yesterday’s security performance is no longer adequate for securing and enabling enterprises at the pace of today’s business innovation. For a majority of enterprises, today’s unprecedented infrastructure performance requirements cannot be matched using traditional security platforms built with off-the-shelf CPUs and non-integrated security components. As a result, attempting to secure the infrastructure using dynamic segmentation becomes an infrastructure bottleneck, resulting in degraded user and application experience. As a result, internal network security is being reduced to Virtual LANs and Layer 4 access lists, which are wholly inadequate for fending off today’s sophisticated threats and determined cybercriminals.  

However, security does not have to slow down the network. Instead, like the high-speed hardware being developed by companies such as Apple, Microsoft, Google, and Amazon to power their advanced devices and infrastructures, security platforms will need a new generation of processors to meet growing network performance demands. These platforms will also need to be designed to seamlessly integrate into any environment in any form factor, while maintaining consistent security visibility and policy enforcement between platforms.

In addition, performance-enhanced security platforms can provide hardware-accelerated Virtual Extension LANs (VXLAN) with massively scalable and adaptable internal segmentation, enabling super-fast communication between enormously scaled services, such as compute, storage, and applications that are co-hosted on physical and virtual platforms. This allows organizations that leverage a highly scalable virtual services architecture to launch services and applications in the most agile fashion possible to increase productivity and revenue opportunities while maintaining critical security inspection and protection.

Internal segmentation needs to support automated workflows and open ecosystems

Security platforms also need to support automated workflows to ensure that everything from access to transactions are automatically secured. Devices that need to communicate with each other across a network shouldn’t need special configurations that secure and segment their interaction. Instead, business policies should automatically trigger a secure workflow to protect that interaction. In addition, these platforms should include open standards and APIs to easily integrate with third-party solutions to ensure end-to-end segmentation.

This can also be applied to access. For example, a laptop with a virus should automatically communicate with an access point to prevent the laptop from joining the network, and the security platform should then automatically redirect it to a quarantined network segment. A unified platform enables automated workflows that can solve the challenge of interoperability that a security architecture built using isolated, multi-vendor deployments is unable to address.

Performance and protection should never be an either/or decision

Implementing an internal network segmentation strategy using security devices designed specifically for today’s performance requirements and distributed resource architectures is essential for ensuring that business objectives don’t expose your organization to unnecessary and serious risk. Due diligence and compliance requirements that seem at odds with traditional security devices need to be reconsidered in light of the power and performance being made available by today’s next-generation security platforms.

Click here for more information about the new FortiGate 1800F and here for more information about the next-generation Fortinet NP7 processor. The combination offers unprecedented performance and FortiGate’s wide range of market-leading security solutions and service.