Imagine this scenario: you’re a healthcare organization and you need HVAC and refrigeration system repairs. You contract with a third-party for those repairs and shortly after beginning services, they tell you that they need credentials to access your public-facing web portal.
Unfortunately, what you didn’t know is that repair company has been compromised through a phishing attack. It’s given attackers key-logging capabilities. Before you know it, those attackers have stolen credentials and gained access to your web portal.
What happens next is the disaster no organization wants to deal with. The attacker, with authenticated access to your web portal, uses a variety of attack methods such as SQL injection, XSS, or zero-day vulnerability exploits, and moves laterally from your backend database through your network, all the while escalating privileges and gaining more access, all without your knowledge.
Once the attacker is inside your internal servers, they access your point-of-sale (POS) system and they scrape it to steal credit card information that they exfiltrate without your knowledge.
While this is an example, it’s a real-life scenario that an increasing number of healthcare covered entities and business associates face.
What could be the impact of such a breach for your organization? Well, as we’re seeing with similar attacks across the industry, the impact could be far reaching, for example:
- Your customer credit card data could be sold on the Dark Web.
- The credit cards can be used for fraudulent activities.
- Your organization faces a range of compliance audits and investigations, resulting in millions, and possibly billions, of dollars in fines and penalties, as well as remediation and recovery costs.
- Your brand and public image take a huge hit, and in one quarter your revenue drops almost 50%.
- You lose existing customers and struggle to attract new ones because they don’t trust you can keep their personal health information (PHI) and other personally identifiable information (PII) safe.
- Cyber criminals get verification their attack methods work, and they continue their dubious work against unsuspecting organizations like yours.
So, what could you have done? How could you have prevented an attack like this from happening? How could you have stopped an attack from making these lateral movements across your network?
While there are a range of cybersecurity controls you could implement, one of the more effective ways to stop this type of movement is through network segmentation.
First, what is network segmentation?
Network segmentation is how you segment or divide your networks into smaller logical (virtual) or physical security zones.
Here’s a really simple way to look at network segmentation. Let’s say you and your friend want to get pizza for lunch. Your friend is a vegetarian, but you definitely want pepperoni on yours. You have a couple of options. For example, you can each buy your own pizza and keep them completely separate from one another, or you can divide the pizza in half: veggie toppings on one side, meat on the other.
The idea here is you each get what you want and need, without having pieces you don’t want to intermingle with each other.
Network segmentation is similar. If you don’t want some of your endpoints communicating with other endpoints across your environment, then you want to enable network segmentation so you can limit movement across your network. To do so, you implement virtual or physical controls that limit or prevent access through a variety of parameters.
There are several reasons why a healthcare organization might want to isolate its network virtually or physically. Here are some common examples:
- You need to segment or isolate clinical and administrative data and access.
- You need to segment or isolate data and systems depending on departments or functions to add more granular control of your networks. For example, you may want to prevent nursing staff devices from communicating with devices in the finance department or other similar scenarios.
- You permit bring-your-own-device (BYOD) use for work functions.
- You need to ensure and report on compliance such as HIPAA or PCI.
Network segmentation enables you to keep all of your data/systems/applications/etc. segmented within their own security zones so you can better maintain the confidentiality, integrity, and availability of PHI and other sensitive data.
Like the variety of reasons your organization may choose to implement network segmentation, it has a range of potential benefits. Here are some network segmentation benefits:
- Increased network performance by reducing unnecessary traffic broadcasts and keeping network traffic contained in identified zones
- Reduced ransomware/malware infection
- Limited lateral network movement
- Isolation of regulated data types, preventing bleed across different zones
While network segmentation pros far outweigh the cons, there are some drawbacks you should consider, such as:
- Maintenance requirements: If your organization isn’t utilizing next-generation systems that automate tasks for you, such as access control management, maintenance can be burdensome.
- Deployment requirements: If you don’t have a centralized network where your assets are configured in similar ways, you can run into a variety of configurations where those assets don’t communicate well with one another or at all.
- Expenses: If your organization has a limited budget, it can be expensive to deploy network segmentation, especially if you haven’t performed segmentation in the past.
- Staff requirements: If you’re lacking time and skilled staff, network segmentation can be difficult to implement, especially to meet compliance requirements.
So, once your organization determines if network segmentation should be part of your organization’s security strategy, where do you begin? Here are a few tips to help you with your network segmentation planning and implementation strategies.
Step 1: Define the end-state
Think of this as backwards planning. Start with your end state and then plan backward. Some questions to consider:
- What’s reasonable?
- What’s appropriate for our organization?
- What is feasible?
- Does this make sense for our unique needs?
- What does the final product look like?
- What do we want to achieve with network segmentation?
As your team answers these questions, be sure to document your thoughts, including where your organization is going, complete with a project plan that clearly defines what that end state looks like.
Step 2: Determine current environment status
In this step, your organization should identify where you are at now, your current environment. This is your starting point. Some questions to consider:
- Have we implemented network segmentation in our current network?
- If yes, how do we accomplish it without reinventing the wheel?
Step 3: Understand organizational dependencies and scalability
Some questions to consider for this step:
- Which areas of our organization should be connected to one another?
- Which devices or systems should be able to talk to one another to continue operations as normal?
- Which traffic do you want to regulate?
- Which traffic needs segmentation?
- Why does this traffic need segmentation?
Tip: Add all of these dependencies into your project plan so you can plan accordingly.
Step 4: Think big, start small
In this step, your goal is to break your total project into smaller, more manageable phases. Be sure to focus on improving processes and learning from any issues discovered during previous phases.
Step 5: Implementation phase
This is the step where your team creates your security zones, routes, policies, etc. Documentation is key in this step. Some things to document:
- All the VLANs you create
- Different security zones
- Different incoming and outgoing traffic
- A network technology map
- A data flow diagram
Also, in your implementation phase, you should first develop a proof of concept to make sure you can implement your plan effectively. You want to ensure it works before actually deploying it. So with your proof of concept, be sure to test it well in advance.
Once you implement network segmentation, you may discover some things you didn’t already know about your network. For example, you may have systems that need to communicate with one another, which you didn’t previously know about.
Also, as you implement your network segmentation plan, you may discover you are actually over-segmenting to the point you have maintenance issues where it becomes too difficult to manage and maintain, creating new security risks for your organization. Your goal here is to segment your network as much as you can comfortably maintain over time, all the while allowing scalability and growth.
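As an added example (not part of the original article), the zone and flow documentation from Step 5 can be turned into a check that computes how far a foothold could move laterally and whether any flow the plan forbids is still reachable through chained rules. The zone names, allowed flows and forbidden pairs are constructed to mirror the article's portal-to-POS scenario.

```python
from collections import deque

# Security zones for the article's scenario (constructed names).
ZONES = {"internet", "dmz-portal", "backend-db", "internal-servers",
         "clinical", "finance", "pos"}

# Documented allowed inter-zone flows, source -> destinations. Anything
# not listed is denied, so "backend-db" and "pos" initiate no flows.
SEGMENTED_POLICY = {
    "internet": {"dmz-portal"},
    "dmz-portal": {"backend-db"},
    "internal-servers": {"backend-db", "clinical", "finance", "pos"},
    "clinical": {"backend-db"},
    "finance": {"backend-db"},
}

# A flat (unsegmented) network: every zone reaches every other zone.
FLAT_POLICY = {z: ZONES - {z} for z in ZONES}

# Flows the plan says must never be possible, even transitively (constructed).
FORBIDDEN = {("dmz-portal", "pos"), ("clinical", "finance")}

def reachable(policy, start):
    """Zones reachable from `start` by chaining allowed flows (BFS):
    the lateral-movement radius of a foothold in `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, set()) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {start}

def violations(policy, forbidden=FORBIDDEN):
    """Forbidden (src, dst) pairs the policy still permits transitively."""
    return {(s, d) for s, d in forbidden if d in reachable(policy, s)}

def with_flow(policy, src, dst):
    """Copy of `policy` with one extra allowed flow, to vet a rule change."""
    new = {z: set(d) for z, d in policy.items()}
    new.setdefault(src, set()).add(dst)
    return new

if __name__ == "__main__":
    print("flat, foothold on portal:     ", sorted(reachable(FLAT_POLICY, "dmz-portal")))
    print("segmented, foothold on portal:", sorted(reachable(SEGMENTED_POLICY, "dmz-portal")))
    # A DB -> servers "convenience" rule re-creates the article's portal -> DB -> servers -> POS path.
    leaky = with_flow(SEGMENTED_POLICY, "backend-db", "internal-servers")
    print("violations after rule change: ", sorted(violations(leaky)))
```

Running `violations` against each proposed rule change before it is deployed is a cheap way to catch the over-permissive exceptions that accumulate during maintenance.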
As you prepare to implement network segmentation, it may be helpful to think about some common network segmentation barriers so you can plan for ways to overcome them. Here are a few examples of network segmentation barriers:
- Downtime and/or unsuccessful deployment
- Planning deficiencies
- Staff limitations
- Maintenance requirements
- Budget issues
- Lack of leadership support
Here are a few recommendations to help you tackle some of these barriers.
- Adequate planning: Break your project into smaller chunks with multiple phases, including a proof of concept. You want to make sure all your technical questions are answered prior to initiating the project. Include all the right subject matter experts for your organization and don’t forget about any third parties you may work with on this project.
- Proper infrastructure: Do not implement strategies or technologies that are not fully supported by your infrastructure. Sometimes you can break your entire network just by implementing something new and untested.
- Staff capabilities: Ensure your network staff are capable and have the skills you need. If not, you may want to consider hiring additional skilled staff, working with managed services, or partnering with a specialist or consultant that specializes in network segmentation.
- Time constraints: Give your project time to develop and set aside ample time for each part from planning to implementation to management and reviews.
- Leadership buy-in: Engage your leadership well in advance. Look at network segmentation like a business proposal. A helpful tip: when you bring an issue to your leadership team, it’s important to include potential solutions. Many teams find increased leadership cooperation when they present solutions, which helps to build trust.
And finally, when you’re considering network segmentation, don’t forget about the role of zero-trust architecture, which is an important component of maturing your cybersecurity program. Remember, there are a lot of threats out there and an increasing number of bad actors masquerading as trustworthy entities. Zero-trust architecture basically says nothing is trusted and everything has to be validated.
From a technical perspective, it’s good to draw on a definition from the National Institute of Standards and Technology (NIST) SP 800-207, which says:
“Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows.”
ZTA offers a more holistic approach to security implementation where each system, user, asset, or resource is inherently not trusted within your environment regardless of where it lives within your infrastructure.
With ZTA, access is granted on a per-connection basis, regardless of where the request comes from within your network. Enterprise resource access in ZTA is based upon policy, state of users, relevant systems, and infrastructure. It moves away from an outer-perimeter security model by focusing on access to enterprise resources or assets on an individual level.