The “moat around the castle” defense is the tried-and-true way to handle computer network security and keep cyber attackers out. “Flat” networks focus on providing reliable and fast connectivity for all devices on the network, while security efforts home in on isolating the internal network from external networks.
This traditional approach, however, no longer works to secure the modern enterprise’s complex web of interconnected digitized networks against cyber attackers and their ever-evolving tricks, a gap that has led to high-profile breaches like the recent WannaCry ransomware attack. Companies are moving data in and out of networks every second. And as they shift to a more mobile workforce and relocate IT services to the cloud, the line between the enterprise network and the external network is blurring.
Instead, network segmentation, or splitting a network into subnetworks, is the best way to phase out outdated security approaches, says Fredrik Lindstrom, Manager CIO Advisory at KPMG. Unfortunately, it is also one of the most neglected parts of a cyber security program, because most organizations believe network segmentation is too complex and cumbersome. According to research commissioned by Avaya, although virtually all information technology professionals believe network segmentation is an essential security measure, less than one-quarter of organizations actually implement it.
“They don’t know where to start, how to do it, and what components are included,” Lindstrom explains. The organizations that try to implement network segmentation often fail, he adds, because it is such a huge undertaking.
For those who do it right, however, network segmentation can be well worth it. Its power lies in its ability to directly address the reality of today’s threat landscape: you cannot prevent every cyber breach, but you can contain one, so that it spreads to a handful of points rather than infecting thousands.
According to a new KPMG paper, “A 10-Part Framework for Improving Security in the Modern Enterprise: The Network Segmentation Imperative,” proper network segmentation “lays the groundwork for controls which protect against lateral movement on the network by malicious software and actors, preventing a potential infection or compromise from spreading across the network. It also allows for additional control points across the network, which significantly increases visibility and control over traffic on the network.”
A framework for getting started with network segmentation
KPMG’s framework for network segmentation has 10 components, including creating a guiding strategy document; creating network architecture with segments and control points; defining requirements through IT asset management; implementing core security controls; and creating a comprehensive data classification program.
But with such a large undertaking, says Lindstrom, the most important organizational priority is to deal with the people involved — through change management — and to set the foundational pieces of the program such as asset management and data classification. “Once you have the foundational pieces, then you can have an overlay that spans from security to network to data centers — all those traditional IT teams,” says Lindstrom. By starting with small wins and not trying to “boil the ocean” in such a large program, he adds, organizations can move towards the last and final overlay that the most mature organizations implement for network segmentation — behavior-based protections.
The KPMG paper details a case study of a high-tech manufacturing company with a stitched-together network infrastructure due to organic growth and acquisition. It didn’t provide the required segmentation to protect significant R&D investments. Gaps were assessed and goals set, and a network segmentation strategy was broken down into smaller projects. The company addressed network security deficiencies across its global network and increased security, automation and operational efficiency to meet the company’s current needs.
Biggest challenges of network segmentation implementation
People and politics are often the biggest obstacles to implementing network segmentation, says Lindstrom. The project has to involve every function, from HR and legal to IT asset management, security, networking and end-user computing. “All of these silos have to work together in order to properly implement the framework,” he says. “It’s not a bolt-on, it’s a change in how you approach networking in general.”
The most important way to get the organization to understand the network segmentation effort, he adds, is to map out what success looks like and how users’ behavior will have to change. That means working out how to involve HR and legal appropriately, and how day-to-day operations change once network segmentation is integrated with asset management.
In addition, most organizations make the mistake of over-relying on their vendor, who may not offer the most objective advice when it comes to going down the network segmentation journey. “The vendor will come in and say they are doing what’s best for the organization, but instead they tend to oversell and do not set that organization up for success,” says Lindstrom.
A long-term effort that offers big results
Network segmentation, which limits the damage of a breach, is arguably the best defense against the latest sophisticated security threats. But for most companies, even the prospect of a breach is not enough to get them started. The road to network segmentation is often triggered by a significant breach that spurs the organization into action.
Now, however, is truly the time to consider implementing network segmentation. It is a long-term effort that can take anywhere from three months to three years. But there are short-term wins to be had, says Lindstrom: “You can start segmenting,” he explains, “but you won’t get all the way without other components, such as a mature data classification program and IT asset management.”
It is all about breaking down silos, he adds. “It’s critical to start looking at segmentation and getting components isolated,” says Lindstrom. “Even if you just focus on the data center, whether on premise or cloud, that’s a huge step in the right direction.”
To learn more about network segmentation and hear from our CIO advisors, please visit KPMG’s Real Insights for CIOs webpage.
End-to-end Network Segmentation Research, August 2016