The history of cybersecurity is longer than you might think – even before the Internet, there were threats that needed to be fended off. For each new threat, defences must be developed to match it, or new solutions must be created. But one solution that has existed for a long time, and is still a sound approach today, is segmentation.
The history of segmentation
Segmentation is not something that originated in IT – it has a much wider use. Prisons, moats, and doors are classic examples of how to divide things up and keep certain things locked away. In IT, there is a lot of technology for segmentation in the form of filtering network products, such as routers, switches and firewalls. Over the years, solutions have been invented that addressed the threats that were relevant at the time. Many have fulfilled their function, but have since become more or less relevant depending on how infrastructure and attack methods have developed.
At the beginning of the Internet era it was common to use firewalls only as a segmentation solution between the Internet and the LAN/WAN. From an efficiency perspective, this was convenient, because the entire internal network was a free zone where everything and everyone could communicate with each other, and anything could be plugged into the network. In comparison to today’s concept of “zero trust”, this approach can be called “trust-based”. You simply trusted the perimeter – what was on the inside was secure and what was on the outside was insecure. Today we know more about how attackers exploit networks, and the truth is that most attacks succeed because one device in the network is compromised, which can then give access to other devices in the same network.
This risk raises the question – do all these devices need to communicate with each other? And if they do, how do they communicate, and can we block all other traffic? It is also about finding a balance between security and productivity. Some physical separation techniques, such as air gaps, are very effective security measures that can be used for networks with high confidentiality, integrity and availability requirements. But in today’s society there is a challenge: these systems have a greater need than before to communicate with the outside world. In this perspective, an air gap is very secure, but it reduces productivity.
Just as a ship has watertight bulkheads that divide it into smaller sections, the internal network should be segmented in the same way. There are many examples where a business has been hit by, for example, ransomware and, as a defence mechanism to minimise the damage, has shut down all IT communication. But no business would think of shutting down its operations just because there are threats on the Internet. In other words, you trust your segmentation against the Internet. If you have similar protective bulkheads internally, why should the entire business be shut down and not just the affected segment? If the purpose of an attack is to disrupt operations, then such countermeasures can become part of the attack’s success.
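To make the bulkhead idea concrete, here is an added example (not code from the original article or from any product it describes) that models a default-deny segmentation policy in Python. The segment names, addresses and allowed flows are constructed for illustration. It contrasts the old "trust-based" flat network, where any internal host may reach any other, with a segmented policy where only listed flows are permitted, and shows that an incident response can quarantine one segment while the others keep working.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example segments; the address ranges are illustrative only.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "production": ipaddress.ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One explicitly allowed flow: source segment -> destination segment on a TCP port."""
    src: str
    dst: str
    port: int


def segment_of(ip):
    """Return the name of the segment an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flat_permits(src_ip, dst_ip, port):
    """The trust-based model: anything inside the perimeter may talk to anything else."""
    return segment_of(src_ip) is not None and segment_of(dst_ip) is not None


@dataclass
class SegmentPolicy:
    """Default-deny policy between segments with an allow-list and a quarantine set."""
    allow: list = field(default_factory=list)
    quarantined: set = field(default_factory=set)

    def permits(self, src_ip, dst_ip, port):
        src, dst = segment_of(src_ip), segment_of(dst_ip)
        if src is None or dst is None:
            return False  # unknown addresses are never allowed through
        if src in self.quarantined or dst in self.quarantined:
            return False  # a closed bulkhead: nothing in or out of that segment
        # Default deny: only flows that are explicitly listed are permitted.
        return any(r.src == src and r.dst == dst and r.port == port for r in self.allow)

    def quarantine(self, segment):
        """Isolate only the affected segment instead of shutting everything down."""
        self.quarantined.add(segment)


def build_policy():
    """Constructed allow-list: office reaches servers over HTTPS, production
    pushes statistics to the servers, and nothing else is permitted."""
    return SegmentPolicy(allow=[
        Rule("office", "servers", 443),
        Rule("production", "servers", 8443),
    ])


if __name__ == "__main__":
    policy = build_policy()
    print("flat:      office -> production:", flat_permits("10.10.0.5", "10.30.0.7", 22))
    print("segmented: office -> production:", policy.permits("10.10.0.5", "10.30.0.7", 22))
    policy.quarantine("office")
    print("after quarantine: office -> servers:", policy.permits("10.10.0.5", "10.20.0.9", 443))
    print("after quarantine: production -> servers:", policy.permits("10.30.0.7", "10.20.0.9", 8443))
```

The point of the `quarantine` method is the ship analogy from the text: when an incident is detected in one segment, the operator closes that bulkhead and the rest of the business continues, rather than cutting all IT communication.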
Segmentation through unidirectional communication
To find the right balance between security and productivity, you can start by thinking about unidirectional communication flows. In a scenario where a sensitive network, for example a network that controls production, needs to send statistics to a less sensitive network for analysis, there is no need for continuous communication from the less sensitive network back to the sensitive one. In other words, continuous communication is only needed in one direction. In this scenario, you should consider a solution that guarantees unidirectional communication – for example, a data diode. The basic function of a data diode is to allow communication in one direction only. With the right supporting technology, protocols that are bidirectional at the transport level (such as TCP) can still be used, provided the application data itself only needs to travel in one direction.
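The following added example (not code from the original article or from any data diode vendor) simulates the scenario above in Python: a sending proxy on the production side pushes statistics records into a one-way channel, and a receiving proxy on the analysis side reassembles them. Because nothing can travel back, the receiver can never ask for a retransmission, so the sender adds a sequence number and checksum to every frame and sends each frame twice; the receiver discards duplicates and corrupt frames and only records gaps it cannot fill. The frame format, the redundancy factor and the dropped-frame indices are constructed for the demonstration.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")  # sequence number (uint32), payload length (uint16)
REDUNDANCY = 2                 # constructed: each frame is sent this many times


class OneWayChannel:
    """Simulates the diode: frames enter on the sending side and are read on the
    receiving side. The class deliberately offers no way for the receiving side to
    write anything back, which is the property a hardware diode enforces physically."""

    def __init__(self, drop=()):
        self._queue = []
        self._drop = set(drop)  # constructed: indices of frames lost in transit
        self._count = 0

    def transmit(self, frame):
        idx = self._count
        self._count += 1
        if idx not in self._drop:
            self._queue.append(frame)

    def deliver(self):
        frames, self._queue = self._queue, []
        return frames


def encode(seq, payload):
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))


def decode(frame):
    """Return (seq, payload) or None if the frame is truncated or fails its checksum."""
    if len(frame) < HEADER.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        return None
    seq, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None


class SendingProxy:
    """Sits on the sensitive side; terminates the application protocol there and
    only ever writes into the channel."""

    def __init__(self, channel):
        self.channel, self.seq = channel, 0

    def send(self, record):
        frame = encode(self.seq, record)
        for _ in range(REDUNDANCY):
            self.channel.transmit(frame)
        self.seq += 1


class ReceivingProxy:
    """Sits on the less sensitive side; only ever reads from the channel."""

    def __init__(self, channel):
        self.channel, self.next_seq = channel, 0
        self.records, self.gaps = [], []

    def poll(self):
        for frame in self.channel.deliver():
            parsed = decode(frame)
            if parsed is None:
                continue  # corrupt frame: cannot be NAKed, simply dropped
            seq, payload = parsed
            if seq < self.next_seq:
                continue  # redundant copy of a record already accepted
            if seq > self.next_seq:
                self.gaps.append((self.next_seq, seq))  # loss is logged, never re-requested
            self.records.append(payload)
            self.next_seq = seq + 1
        return self.records


def run_transfer(records, drop=()):
    """Push constructed records through the channel; return (received, gaps)."""
    channel = OneWayChannel(drop)
    sender, receiver = SendingProxy(channel), ReceivingProxy(channel)
    for record in records:
        sender.send(record)
    return receiver.poll(), receiver.gaps


if __name__ == "__main__":
    stats = [b"line1:ok", b"line2:ok", b"line3:alarm"]  # constructed statistics records
    print(run_transfer(stats))               # lossless
    print(run_transfer(stats, drop={2}))     # one copy lost, redundancy covers it
    print(run_transfer(stats, drop={2, 3}))  # both copies of record 1 lost: gap logged
```

The design consequence worth noticing is that reliability has to be built into the sending side (redundancy, checksums, sequence numbers) because the usual TCP mechanisms of acknowledgement and retransmission depend on a return path that the diode removes.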
The strength of history
We know that there is no such thing as perfection and that the cat-and-mouse game between defenders and attackers continues. We have to keep developing and building new defence mechanisms, but segmentation works and will continue to work. This does not mean that you are free of risk just because you have segmented your systems – it means that the consequences are smaller and attacks are slower. To return to the ship comparison: watertight bulkheads do not prevent incidents, but they slow the process down, and that is how lives, monetary value and the environment can be saved.