We all strive to create a 100% secure network, but if the bad guys want to get in, they are going to. Simple as that. In the meantime there is no point in building an architecture with a single point of failure. Nimmy Reichenberg takes a look at "zoning" and how it can be an effective control to mitigate risk and hamper the bad guys if they do penetrate your network.
By properly segregating the network, you are essentially minimizing the level of access to sensitive information for those applications, servers, and people who don't need it, while enabling access for those that do. At the same time, you are making it much more difficult for an attacker who has a foothold to locate and reach your organization's most sensitive information.
Regulatory Guidance and Best Practices
Standards such as PCI DSS provide guidance on creating clear separation of data within the network. In the case of PCI, cardholder data should be isolated from the rest of the network, which holds less sensitive information. An example would be to ensure that Point-of-Sale (PoS) systems and databases are completely separated from areas of the network where third parties have access. In this example a PCI zone would be created with stringent constraints, allowing connectivity for as few servers and applications as possible.
Routes to Achieve Proper Segmentation
Firewalls and VLANs provide a route to partition the network into smaller zones, assuming you have defined, and are enforcing, a ruleset that controls the communication paths between them. A sound security policy entails segmenting the network into multiple zones with varying security requirements and enforcing a rigorous policy of what is allowed to move from zone to zone. Anything designated in the PCI zone, for example, should be isolated from the rest of the network as much as possible without impacting the overall business.
Here are a few tips to consider (not an exhaustive list):
Implement controls at multiple layers within the network architecture. The more layers you can add at each level (e.g. network, application, data), the harder it is for a cybercriminal to gain unauthorized access to sensitive information. Of course, this has to be manageable from an operations standpoint and it can't go to the point where business processes come to a grinding halt.
Apply the principle of least privilege. For example, a third-party vendor may need access to your network, but they most likely don't need access to certain information. Access should only be provided to the user or system that absolutely needs it, and to nothing else.
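To make the zone-to-zone policy above concrete, here is an added example (not code from the original article or its author) of the kind of first-match, default-deny ruleset an inter-VLAN firewall would enforce, modelled in Python so that it can be evaluated and audited offline. The zone names, address ranges, host addresses and ports are all constructed for illustration; the point is that the PCI zone is reachable only by named hosts on named ports, the third-party vendor gets exactly one path to one corporate jump host, and an audit function flags any allow rule into the PCI zone that is not pinned to specific destination hosts and a port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones defined by address ranges (constructed, hypothetical addressing).
ZONES = {
    "corp":        [ipaddress.ip_network("10.10.0.0/16")],
    "third_party": [ipaddress.ip_network("10.50.0.0/24")],
    "pci":         [ipaddress.ip_network("10.200.0.0/24")],
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside a known zone is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "unknown"


@dataclass(frozen=True)
class Rule:
    src_zone: str               # zone name or "*" for any zone
    dst_zone: str
    dst_port: Optional[int]     # None = any port
    action: str                 # "allow" or "deny"
    src_hosts: tuple = ()       # restrict to specific source hosts; () = whole zone
    dst_hosts: tuple = ()       # restrict to specific destination hosts; () = whole zone


# Ordered ruleset: first match wins, anything unmatched is dropped (default deny).
RULES = [
    # Only the two PoS terminals may reach the cardholder database, on its port only.
    Rule("pci", "pci", 5432, "allow",
         src_hosts=("10.200.0.10", "10.200.0.11"), dst_hosts=("10.200.0.50",)),
    # Vendor support may SSH to one corporate jump host and nothing else.
    Rule("third_party", "corp", 22, "allow", dst_hosts=("10.10.1.5",)),
    # Corporate users may reach the PCI web front end over HTTPS, never the database.
    Rule("corp", "pci", 443, "allow", dst_hosts=("10.200.0.20",)),
    # Explicit (and, on a real firewall, logged) denial of everything else aimed at PCI.
    Rule("*", "pci", None, "deny"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a flow, walking the ruleset in order."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone not in ("*", src_zone):
            continue
        if r.dst_zone not in ("*", dst_zone):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.src_hosts and src_ip not in r.src_hosts:
            continue
        if r.dst_hosts and dst_ip not in r.dst_hosts:
            continue
        return r.action
    return "deny"   # default deny: no rule matched


def audit_pci_exposure(rules) -> list:
    """Return allow rules that admit traffic into the PCI zone from outside it
    without pinning both the destination hosts and the destination port."""
    findings = []
    for r in rules:
        if r.action == "allow" and r.dst_zone == "pci" and r.src_zone != "pci":
            if r.dst_port is None or not r.dst_hosts:
                findings.append(r)
    return findings


if __name__ == "__main__":
    # A vendor host trying the cardholder database is dropped by the explicit PCI deny.
    print(evaluate("10.50.0.7", "10.200.0.50", 5432))
    # A PoS terminal not on the allow list is dropped even though it sits in the PCI zone.
    print(evaluate("10.200.0.12", "10.200.0.50", 5432))
    print(audit_pci_exposure(RULES))
```

The audit is the part worth carrying over to a real deployment: whichever product enforces the policy, export its rules periodically and check that every allow into the cardholder zone names specific hosts and ports, because a broad "corp to pci, any port" rule added during an outage is exactly the kind of path an attacker who has landed on a workstation will use.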