Network Segmentation and Its Unintended Complexity

By Kevin Beaver, Guest Blogger, Lancope

Look at the big security regulations, i.e. PCI DSS, and any of the long-standing security principles and you’ll see that network segmentation plays a critical role in how we manage information risks today. The premise is simple: you determine where your sensitive information and systems are located, you segment them off onto an area of the network that only those with a business need can access and everything stays in check. Or does it?

When you get down to specific implementations and business needs, that’s where complexity comes into the picture. For instance, it may be possible to segment off critical parts of the network on paper but when you consider variables such as protocols in use, web services links, remote access connections and the like, you inevitably come across distinct openings in what was considered to be a truly cordoned-off environment.

I see this all the time in my work performing security assessments. The network diagram shows one thing yet the vulnerability scanners and manual analysis paint a different picture. Digging in further and simply asking questions such as the following highlight what’s really going on:

• How are servers, databases and applications designed to communicate with one another?
• Who can really access the segmented environment? How does that access take place?
• What areas of the original system had to be changed to accommodate a technical or business need?
• What information is being gathered across the network segment in terms of network and security analytics and what is that information really telling us?
• What else are we forgetting?

Getting all of the key players involved such as database administrators, network architects, developers and even outside vendors that support systems running in these network segment(s) and asking questions such as these will often reveal what’s really going on beyond what’s documented or what’s assumed. This is not a terrible situation in and of itself. The systems need to work the way they need to work and business needs to get done. However, this exercise highlights a new level of network complexity that was otherwise unknown – or at least unacknowledged.

This leads me to my final point that’s obvious yet needs to be repeated: complexity and security don’t go well together. It’s a direct relationship – the more complexity that exists in your network environment, the more out of control you’re going to be. I’m confident that if we looked at the root causes of most of the known security breaches uncovered by reports such as the Cisco 2015 Annual Security Report and publicized on websites such as the Privacy Rights Clearinghouse Chronology of Data Breaches, we’d see that network complexity was instrumental in facilitating those incidents.

Putting aside politics, lack of budget and all the other common barriers to an effective information security program, you cannot secure what you don’t acknowledge. If vulnerabilities exist in your network segmentation, threats will surely come along and find a way to take advantage. It’s your job to figure out where the weaknesses are among the complexity of your network segmentation so you can minimize the impact of any attempted exploits moving forward. Otherwise, regardless of the levels of security visibility and analytics you might have, your systems will remain fair game for attack.

Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC.