Improving Campus Cybersecurity with Segmentation
Deep partitioning to better isolate public and private network access is emerging as a viable cybersecurity strategy. Here’s how segmentation can help your campus.
Monitoring traffic and implementing policies to maintain a consistent security posture is a challenge for campus security teams.
With networks growing larger and more complex, lower operating costs are realized by using proven service models such as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
In concert with proliferation of the as-a-service model, endpoint protection tools came to be considered all but bulletproof by industry, government and leading cybersecurity firms to mitigate security risks within their organizations.
However, many hard lessons have been learned when attackers were able to bypass endpoint protection through stealthily crafted malware.
Let’s take a closer look at these developments, how they affect electronic security relative to cybersecurity and delve into a new emerging approach to hardening networks known as microsegmentation.
It’s the End of the Road for VPN
As Virtual Private Networks and VPN client software became the de facto method for accessing protected information resources, browser-based encryption and Transport Layer Security (TLS) evolved in its ability to isolate traffic directly from the device to the remote computing environment.
Because the perimeter itself is no longer clearly defined, and applications and data stores are located both on premises and in the Cloud, users gain access over WiFi, mobile devices and web clients using browsers and downloadable applications from multiple devices and locations.
The sobering truth is that there are no silver bullets to protecting systems and networks from the adversary. The most adaptive method of protecting information assets and data always migrates back to the fact that there is no replacement for a multilayered, in-depth defense strategy.
The primary questions you should ask are:
- What are the best tools and strategies we can deploy that are cost effective and meet our needs?
- How can we make sure that we deploy the tools correctly to avoid misconfiguration?
- How can we mitigate unauthorized access to protected information and data?
The current buzzword in the security industry is around Zero-Trust networks. The Zero-Trust model is in response to the realization that the perimeter security approach is not working. Many data breaches happen because hackers have gotten past corporate firewalls and were able to pivot to other internal systems without much resistance.
The Zero-Trust architecture refers to security concepts and threat models that no longer assume that actors, systems or services operating from within the security perimeter should be automatically trusted. Instead, everything trying to connect to those systems must be verified before access is granted.
There are many benefits to Zero Trust, such as the ability to have granular access to logging and audit records of transactions. This technique’s proactive monitoring of user and network activity is capable of identifying unusual behavior and threats to the systems or network.
The core challenge of Zero Trust is locking down access to multiple applications and systems without bringing productivity to a grinding halt. People require seamless access to protected data to work, communicate, collaborate, process, transmit and store information.
Another challenge to Zero-Trust networks is the high administrative costs and misconfigurations that limit availability and deny access for authorized users. To better grasp how Zero Trust works and its inherent drawbacks, imagine entering a house where each family member has a separate key and every door is locked, and you needed a separate key for each door.
You would need to carry the keychain around with you everywhere you went, which would be a hassle for sure. Tying it back conceptually to a network, this method results in processing and computing overhead that debilitates performance and productivity.
The New World of Microsegmentation
After extensive and exhaustive research, a logical conclusion has become apparent. One of the best tools to secure a network as part of a layered in-depth defense strategy is by deploying an application-centered, microsegmented network.
Microsegmentation (microseg) can be the answer to most organizations’ cybersecurity challenges. Microsegmentation is defined as: A security technique that enables fine-grained access control policies to be assigned to individual application processes. As a result, if breaches occur, microsegmentation limits potential lateral exploration of networks by hackers and better attack resistance achieved.
A software-defined microseg framework allows security teams to gain deep visibility, get granular down to the host level segmentation and enforce policies that could follow work loads across distributed and dynamic environments. This would enable consistent, proactive defense against advanced cyberthreats faced by organizations today. Microseg aids networking by creating “zones” for security within a defined perimeter (whether local, within one datacenter or across multiple datacenters).
By attaching fine-grained security policies to individual system boundaries, microseg limits an attacker’s ability to move laterally by protecting data (similar to assets stored in a safe deposit box at a bank) even after infiltrating perimeter defenses. Microseg can eliminate server-to-server threats within the data repositories, securely isolate networks from each other and reduce the total attack surface of a network security incident.
The benefit of microseg enables the IT industry to deploy different security policies inside the datacenter with the help of network virtualization technology.
Microseg can mitigate and reduce potential misconfiguration of information assets and boundaries using virtualization and partitioning of data at the network traffic layer and create virtual “express lanes” for high bandwidth and workloads such as video or collaboration servers.
It can also create isolated “data jails” for sensitive intellectual property requirements. That information is then only accessible to limited users and applications where high encryption and data loss prevention tools protect against insider threats, corporate espionage, ransomware and sophisticated nation-state stealth attacks.
An Alliance for Compliance
Lessons learned from thousands of cybersecurity and product assessments ranging from retail boutique applications to classified national defense applications support the assertion that deploying a microseg strategy within an organization’s IT infrastructure will increase its ability to achieve cybersecurity compliance.
One example is the U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC). The CMMC has five levels of compartmentalized security control baselines across 17 domains that must be met to achieve a specific level of certification.
Microseg applies granular access that is auditable within a specific boundary (publicly accessible systems without the requirement for multifactor authentication) to advanced and progressive boundaries that contain controlled and unclassified information (CUI) and personally identifiable information (PII).
Administrative controls can be managed within compartmentalized domains and separated according to privileges and access levels. The benefits of using this strategy is to lower cost and the resources required to protect network segments that do not require extensive security controls.
The development and production environment within an organization is another example of microseg. If a company develops software that must be tested by third-parties that exist outside of an organization, it is possible to isolate traffic specific to the training requirements of users that need to be streamlined.
The Road to Cybersecurity’s Future?
While there are compelling reasons to have confidence in Zero Trust, network microseg offers substantial benefits. A strong case could be made to adopt this technique as part of the defensive in-depth strategy for most regulated industries and high-risk IT environments that collect, process, store and transmit personally identifiable information or other sensitive data.
It is possible to conclude that an after-action review of emerging stealth and collateral damage of recent cyber-attacks (e.g. the Solar Winds attack that compromised more than 18,000 government and public corporate networks) that microseg would have exponentially limited the impact of the attack.
Microseg can effectively mitigate distributed denial of service (DDoS) attacks by shutting down lower priority services and applications, allocating optimized traffic to mission-critical applications during periods of degraded performance.
Microseg increases the speed of forensics and analysis of incidents by limiting the size of the collection of syslogs and analyzes anomalies that could potentially be identified as cyber threats.
Auditability of smaller data sets used for audit and compliance assessments are welcomed by most cybersecurity professionals burdened with “data deluge” and are “data drunk” due to the massive amounts of information to be reviewed.
More importantly, the path to the future of cybersecurity will likely involve using microseg, a next-generation technology with the ability to have granular definition of network boundaries. This can include defining development, research, production and segment industrial controls and IoT systems to levels never attainable using legacy “as a service” applications, while also improving on current industry best practices as Zero-Trust networks.