Security

How Network Segmentation Boosts Federal Cybersecurity Amid Shift to Zero Trust

Federal agencies will be required to segment their networks down to the level of individual applications, which can limit the reach of cyberattacks.

Phil Goldstein

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna, and two cats, Grady and Princess.

As federal agencies contemplate how to achieve a mandated move to a zero-trust architecture for cybersecurity, IT leaders are being asked to juggle a lot. They need to make progress on modernizing their security approaches in five key areas, including identity, devices, applications and data.

Networks are the other piece of the puzzle. As agencies move to a zero-trust model, they will be required to segment their networks in a more granular way, according to a draft zero-trust strategy document released in September by the Office of Management and Budget.

Along with endpoint detection and response tools and tools to get more visibility into networks, network segmentation can play a key role in agencies’ approach to cybersecurity incident response. By preventing an attacker who compromises a system on one segment from pivoting to other sections of the network, segmentation limits the potential scope of the initial compromise.

“Agencies should be moving towards an end state where every distinct application they run is in its own separate network environment,” the draft document advises. “Multiple applications may rely on specific shared services for security or other purposes, but should not rely on being co-located within a network with those services and should be prepared to create secure connections between them across untrusted networks.”

KEEP READING: Get complimentary resources from CDW for guidance on building an incident response plan.

How Network Segmentation Can Aid Agencies’ Security

Under the draft strategy, agencies would be required to create an implementation plan to segment their networks around individual applications, in consultation with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and include it in their full zero-trust implementation and investment plans.

The network segmentation plan “should describe the agency’s strategic approach to transitioning their network architecture, including how the agency will employ network virtualization and automated configuration management to easily replicate network security controls,” the strategy notes.

As Microsoft notes in a blog post, the key principles of zero trust — verify explicitly, use least-privilege access and assume a breach — encourage organizations to “think that a security incident can happen anytime and you are always under attack.”

“One of the things you want to be ready with is a setup that minimizes the blast radius of such an incident — this is where segmenting your network while you design its layout becomes important,” the post notes. “In addition, by implementing these software-defined perimeters with increasingly granular controls, you will increase the ‘cost’ to attackers to propagate through your network and thereby dramatically reduce the lateral movement of threats.”

Federal IT leaders and experts say that network segmentation should be a critical element of agencies’ incident response approaches.

“If you’re managing your network and you’re segmenting it and you’re being smart about it, it will at least be able to isolate,” notes Deputy Federal CIO Maria Roat. “If someone gets into your network, they’re not going to move all over the place. If somebody comes in through that open window in your house, they’re going to be stuck in that room and they’re not going to be able to go anywhere else in your house.”

Segmentation should be coupled with granular access control, multifactor authentication and end-to-end encryption to ensure security is as robust as possible, Roat notes. “I think it’s not just about network segmentation but about the rest of the pieces and bringing it together as well,” she says.

Bill Marion, managing director and the growth and strategy lead for defense at Accenture Federal Services, says he has been a “big believer” in network segmentation for the past decade, and that network traffic is getting “blacker and blacker,” meaning more encrypted, all the time.

Echoing the draft zero-trust strategy, Marion, the former deputy CIO of the Air Force, says network segmentation these days boils down to application and data segmentation, because “if you’re doing application and data segmentation, kind of by default, you’ve got network segmentation.”

Network segmentation should start at the application level, Marion notes, with agencies segmenting apps like Microsoft Office 365 from other mission-critical applications.

EXPLORE: How are federal agencies evolving their approach to cybersecurity?