Take a Strategic Approach to Security Segmentation

Start Planning for Segmentation

Written by Pavan Reddy, Cisco Security Principal, and first published at http://blogs.cisco.com/security/cisco-security-segmentation-service

You’ve read the stats: by the end of the decade, the Internet of Everything will result in 50 billion networked connections of people, process, data and things. You don’t need to look far to see it come to life in your own organization. With increased digitization comes an exploding number of devices and applications gaining access to your network, creating more data to secure and new attack vectors for malicious actors to exploit.

At the same time, you are increasingly required to demonstrate to organization stakeholders and board members what you’re doing to protect your organization from pervasive, innovative cyber threats. In this year’s Cisco Annual Security Report, 92% of the respondents agreed that regulators and investors will expect companies to provide more information on cybersecurity risk exposure in the future. Business leaders are also anticipating that investors and regulators will ask tougher questions about security processes, just as they ask questions about other business functions.

Already you may be required to meet audit requirements for protecting and isolating sensitive and personally identifiable information, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Or your organization may be pursuing a business strategy that requires an increased number of suppliers, partners and third parties to access your networks. What is your plan to ensure that only those with the right credentials and identity have access to the right assets, and only at the right time?

Cisco's Security Advisory Services experts have worked with many customers who have employed network segmentation approaches as a way to address these questions. But those approaches are inadequate because their security policies are flat – they expose their organizations to risk, for example when production and non-production, as well as sensitive and non-sensitive data, are mixed. Or they’ve created overly complex segmentation schemes that complicate audit and compliance processes. At the same time, data and systems need to be available to carry out the work of the organization. A different, more strategic approach is needed.

Fortunately, next-generation technology like Cisco Identity Services Engine (ISE), TrustSec and the new, fully integrated Cisco Firepower NGFW exists today to implement flexible security controls in your network. You can build a network segmentation strategy that isolates environments and critical systems from other areas of the network and makes it harder for threat actors to take advantage of weaknesses in the infrastructure. You can now combine the tools and technology with your processes and priorities to create a strategic segmentation framework that will support your business objectives.

To help you build out this strategic framework, Cisco has introduced a new Security Segmentation Service, an Advisory Service within the Cisco Security Services portfolio. This service provides a strategic infrastructure segmentation approach for clients that allows organizations to reduce risk, simplify their audit profile, protect data, and achieve a defensible position for board-level requirements in a hyper-connected and complex environment.

Security Segmentation Service:

  • Is customer specific. Cisco will work with you to develop a model that takes into consideration your specific privacy, security, and business needs.
  • Extends beyond the network. The service blends a top-down-driven information security management system with an adaptable, metrics-based framework. Cisco looks at your entire network architecture, plus much more: for instance, your application data flows, any cloud services you’re using, your HR policies for access to critical data and assets, and your intellectual property. We help you apply differentiated controls over different systems and data.
  • Incorporates reusable design patterns. Cisco develops a design you can reuse as your business changes, so you get sustainable and measurable results.
Even if you have policies in place that provide guidance and security around protecting critical assets and data, we often find that users who have changed job roles have accumulated far more access to systems and data than their current role needs, and that terminated users still have credentials for many systems. Inconsistent classification of users, data, and systems results in pivot points from which attackers can reach data and systems with high business value.
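The two findings above (privilege creep after a role change, and credentials that outlive the employee) are both caught by the same reconciliation: compare every account on every system against the HR roster and against a baseline of what each role should hold. The script below is an added example, not code from the original post or from Cisco's service; the HR roster, role baseline and account export it uses are constructed sample data, and in a real review they would come from the HR system, the identity policy source (for instance ISE) and each application's account export.

```python
"""Access-review reconciliation: flag orphaned and over-privileged accounts.

Added example (not from the original post). All data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed role baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "reporting:read"},
    "payroll-admin": {"erp:read", "payroll:write", "hr-db:read"},
    "developer": {"git:write", "ci:run", "nonprod-db:read"},
}


@dataclass
class Person:
    user_id: str
    role: str
    status: str  # "active" or "terminated", as reported by HR


@dataclass
class Account:
    user_id: str
    system: str
    entitlements: set = field(default_factory=set)


@dataclass
class Finding:
    user_id: str
    kind: str     # "orphaned" (owner terminated/unknown) or "excess" (beyond role baseline)
    detail: str


def review_access(roster, accounts, baseline=ROLE_BASELINE):
    """Compare each exported account against the HR roster and the role baseline.

    An account whose owner is not an active person in HR is 'orphaned';
    any entitlement outside the owner's role baseline is 'excess'.
    Excess entitlements are typically the residue of an earlier role.
    """
    people = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.user_id)
        if person is None or person.status != "active":
            owner_state = "unknown to HR" if person is None else person.status
            findings.append(Finding(acct.user_id, "orphaned",
                                    f"{acct.system}: owner is {owner_state}"))
            continue
        allowed = baseline.get(person.role, set())
        for ent in sorted(acct.entitlements - allowed):
            findings.append(Finding(acct.user_id, "excess",
                                    f"{acct.system}: {ent} not in baseline for {person.role}"))
    return findings


def summarize(findings):
    """Count findings per kind, for a one-line report to the asset owner."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data: bob moved from payroll-admin to developer but kept
# payroll write access; carol was terminated; dave is not in HR at all.
SAMPLE_ROSTER = [
    Person("alice", "finance-analyst", "active"),
    Person("bob", "developer", "active"),
    Person("carol", "finance-analyst", "terminated"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "erp", {"erp:read"}),
    Account("alice", "reporting", {"reporting:read"}),
    Account("bob", "git", {"git:write"}),
    Account("bob", "payroll", {"payroll:write"}),
    Account("carol", "erp", {"erp:read"}),
    Account("dave", "ci", {"ci:run"}),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS):
        print(f"{f.kind:9} {f.user_id:6} {f.detail}")
    print(summarize(review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)))
```

Run against the sample data it reports one excess entitlement (bob's leftover payroll write access) and two orphaned accounts (carol's and dave's). The useful design point is that the role baseline is the only place where "what should this person have" is written down, so the same check can be re-run after every reorganization instead of relying on ad hoc recertification.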

The purpose of segmentation is to simplify the application of security by using a centralized management point. Once this process is in place, it reduces complexity and requires very little maintenance.
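A centrally managed segmentation policy is easiest to reason about as a single allow matrix between zones, with everything not in the matrix denied. The example below is added here and is not Cisco's code; the zones, the allow matrix and the observed flows are constructed, and the mapping of zones to TrustSec security group tags and of the matrix to an SGACL policy is an assumption about how such a design would be deployed. It does two things the post calls for: it evaluates observed flows against the central policy, and it lints the policy itself for the "flat" rules that mix non-production with production or general-purpose zones with sensitive data.

```python
"""Segmentation policy check: evaluate observed flows against a central
zone-to-zone allow matrix, and lint the matrix for prod/non-prod mixing.

Added example, not from the original post. All zones, rules and flows
are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    environment: str     # "prod", "nonprod" or "user"
    classification: str  # "sensitive" or "general"


# Constructed zone inventory. Each zone would map to one security group tag.
ZONES = {z.name: z for z in [
    Zone("prod-web", "prod", "general"),
    Zone("prod-cardholder-db", "prod", "sensitive"),
    Zone("dev-app", "nonprod", "general"),
    Zone("corp-users", "user", "general"),
]}

# Central allow matrix: (src zone, dst zone, dst port). Anything absent is denied.
POLICY = {
    ("prod-web", "prod-cardholder-db", 5432),
    ("corp-users", "prod-web", 443),
    ("corp-users", "dev-app", 443),
    ("dev-app", "prod-cardholder-db", 5432),  # a "flat" rule left over from testing
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def is_allowed(flow, policy=POLICY):
    """Default deny: a flow is permitted only if the matrix lists it explicitly."""
    return (flow.src_zone, flow.dst_zone, flow.dst_port) in policy


def denied_flows(flows, policy=POLICY):
    """Return the observed flows the policy would block (or, during planning,
    the flows that still need an explicit rule or a design change)."""
    return [f for f in flows if not is_allowed(f, policy)]


def lint_policy(policy=POLICY, zones=ZONES):
    """Report rules that cross the environment or classification boundary.

    Two patterns from the post are flagged: non-production reaching
    production, and any non-production zone reaching sensitive data.
    Each hit is either a rule to remove or a documented exception.
    """
    issues = []
    for src, dst, port in sorted(policy):
        s, d = zones[src], zones[dst]
        if d.classification == "sensitive" and s.environment != "prod":
            issues.append(f"{src} -> {dst}:{port} lets a {s.environment} zone reach sensitive data")
        elif s.environment == "nonprod" and d.environment == "prod":
            issues.append(f"{src} -> {dst}:{port} lets non-production reach production")
    return issues


# Constructed sample of observed flows, as a flow collector might summarize them.
SAMPLE_FLOWS = [
    Flow("corp-users", "prod-web", 443),
    Flow("prod-web", "prod-cardholder-db", 5432),
    Flow("corp-users", "prod-cardholder-db", 5432),  # a user host talking straight to the DB
    Flow("dev-app", "prod-cardholder-db", 5432),
]

if __name__ == "__main__":
    for f in denied_flows(SAMPLE_FLOWS):
        print("DENY ", f)
    for issue in lint_policy():
        print("LINT ", issue)
```

On the sample data the flow check denies the direct user-to-database connection, while the lint catches the dev-app rule that the matrix still allows: that rule is exactly the production/non-production mix the post describes, and it would pass the flow check silently if the policy were not reviewed on its own. Keeping the matrix as the single source of truth is what makes the maintenance cheap: a new system is placed in a zone, and the existing rules apply to it without any per-host configuration.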


To learn more about how Cisco Security Services can help you uncover new ways to think about securing your business as you take advantage of an array of emerging business models, follow the above link.