Crunchy on the Outside, Soft and Chewy on the Inside
Modern approaches to cybersecurity are often heralded as revolutionary, brilliant ideas. But in reality, these modern approaches are simply the adaptations of effective security strategies and tactics from other industries or disciplines. Security is security.
For years, best practices in naval architecture have required compartmentation in ships, such that a breach of one compartment limits water infiltration from spreading into other compartments and the resultant loss of buoyancy of the vessel. Henry Ford implemented firewalls in the first automobiles to prevent the fires or other mechanical malfunctions in the engine compartment from impacting the safety of those in the passenger compartment. Quarantining the sick from the healthy has always been a strategy for preventing the spread of diseases. These widely accepted and effective security strategies have been implemented throughout almost all aspects of society; they’re considered common sense, yet their application in IT has been slow to catch on, especially when IT alone makes security decisions. The number of serious cyber incidents reported to the NJCCIC and disclosed in the media almost daily are evidence of this.
At the launch of the Internet, the goal was to connect computers across a decentralized network for the purpose of communicating and sharing resources. And, while some of the concepts regarding packet switching and redundant communications introduced by Paul Baran of Rand in his 1964 paper On Distributed Communications were included in the design of the Internet, security of the network and its systems wasn’t a focal point. As the Internet developed and organizations began implementing their own networks, perimeter controls designed to keep unauthorized persons from accessing the organization’s internal network were introduced. These perimeter controls became a mainstay in network design and information security practices. But like a ship that was not designed with watertight compartments, any breach of the perimeter network controls could lead to catastrophe for the organization.
For many organizations this flawed network security design, whereby the perimeter of the network is hardened but the internal network is not segmented or compartmented is still adhered to. Managing a “flat” or unsegmented network is much easier for an often-overtaxed IT department than managing a segmented network. And, unfortunately, the principle of least resistance (ease-of-management) often carries the day over the principle of least privilege (proper security). Thankfully, compliance regulations, such as the Payment Card Industry’s Data Security Standard (PCI-DSS) and other regulatory bodies, require certain businesses to segment networks. In the case of PCI-DSS, the intent is to segment the Cardholder Data Environment (CDE), such that a security incident in other parts of the business’ network would not spread to or impact the CDE. And so, many organizations in-scope for PCI-DSS have evolved from a flat network architecture to a compliant network architecture that earns them a Report on Compliance (ROC). Unfortunately, just doing enough to earn their ROC or other compliance certification is often as far along the security maturity spectrum as they’ll go. As we have seen with breaches impacting many organizations that have touted their compliance certifications, compliant does not equal secure.
Risk tolerance is unique to each organization, and the security afforded by being compliant with regulations may be acceptable; however, as we have seen over the past few years, compliance standards continue to evolve and become more stringent. The General Data Privacy Regulation (GDPR) regulations that went into effect in May of 2018 are evidence of this evolution. As such, organizations that only aspire to be compliant will spend countless more resources – time, effort, and money – bolting on security controls to an insecure design than they would if security was a requirement for any business process.
As most business processes will be implemented using information systems, network segmentation must be part and parcel of an organization’s defense-in-depth strategy for securing the information assets that support the business process. Network segmentation is relatively easy for new environments, but for legacy environments, it is much harder to accomplish and requires significant planning so as to not effect business operations.
There are plenty of approaches to network segmentation. Some organizations segment networks by business unit, others by physical location – even by floor within the building – and others by compliance requirements. In manufacturing environments, network segmentation may be done by product lines or functional sections on the plant floor. One of the most effective approaches is by business process, as even with segmentation by business unit, physical location, or product line, there may be business processes and their related endpoints that should isolated from others. Segmentation can be done either physically or virtually, but the result is essentially the same; you’re limiting communications throughout the network, thereby limiting a successful breach of one network segment from spreading to others.
At the extreme end of network segmentation are air-gapped systems or networks of systems that are physically isolated and have no network interfaces that would allow them to connect to other networks. Air-gapped networks are commonly deployed to protect highly sensitive information and systems, such as classified DOD networks and ICS/OT/SCADA systems, often found in critical infrastructure environments. More commonly, organizations will use Virtual Local Area Networks (VLAN) and subnets to logically segment networks. A VLAN is a broadcast domain or logical division within a network that uses switches to connect devices on network. Devices within a VLAN can communicate with each other without a Layer-3 switch or router to route the communications; devices in different VLANs will need a Layer-3 switch or router to communicate with each other. Subnets are simply a subset of IP addresses assigned to a set of devices. Typically, devices in the same VLAN are assigned IP addresses from the same subnet. Beyond security considerations, network segmentation achieved via VLANs can also help control bandwidth utilization and provide network performance gains.
While the technical details of network segmentation using VLANs or other technical approaches such as micro segmentation and zero-trust designs can be quite confusing to the lay person, the security concepts behind segmentation are common sense and applicable almost everywhere as a best practice. The application of these common-sense best practices, unfortunately, is not as common as they should be in IT environment. Impediments to their application include the insecurity that business people have when speaking with technologists that use IT jargon. This often happens when security for a business process is introduced at the technology stage. A simple fix is to introduce security at the conception of the business process, when the language spoken is understandable to all. If and when this becomes more common, we will have more secure organizations and less frequent, totally preventable catastrophes.