How Network Segmentation Can Aid Agencies’ Security
Under the draft strategy, agencies would be required to create an implementation plan to segment their networks around individual applications, in consultation with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and include it in their full zero-trust implementation and investment plans.
The network segmentation plan “should describe the agency’s strategic approach to transitioning their network architecture, including how the agency will employ network virtualization and automated configuration management to easily replicate network security controls,” the strategy notes.
As Microsoft notes in a blog post, the key principles of zero trust — verify explicitly, use least-privilege access and assume a breach — encourage organizations to “think that a security incident can happen anytime and you are always under attack.”
“One of the things you want to be ready with is a setup that minimizes the blast radius of such an incident — this is where segmenting your network while you design its layout becomes important,” the post notes. “In addition, by implementing these software-defined perimeters with increasingly granular controls, you will increase the ‘cost’ to attackers to propagate through your network and thereby dramatically reduce the lateral movement of threats.”
Federal IT leaders and experts say that network segmentation should be a critical element of agencies’ incident response approaches.
“If you’re managing your network and you’re segmenting it and you’re being smart about it, it will at least be able to isolate,” notes Deputy Federal CIO Maria Roat. “If someone gets into your network, they’re not going to move all over the place. If somebody comes in through that open window in your house, they’re going to be stuck in that room and they’re not going to be able to go anywhere else in your house.”
Segmentation should be coupled with granular access control, multifactor authentication and end-to-end encryption to ensure security is as robust as possible, Roat notes. “I think it’s not just about network segmentation but about the rest of the pieces and bringing it together as well,” she says.
Bill Marion, managing director and the growth and strategy lead for defense at Accenture Federal Services, says he has been a “big believer” in network segmentation for the past decade, and that network traffic is getting “blacker and blacker,” meaning more encrypted, all the time.
Echoing the draft zero-trust strategy, Marion, the former deputy CIO of the Air Force, says network segmentation these days boils down to application and data segmentation, because “if you’re doing application and data segmentation, kind of by default, you’ve got network segmentation.”
Network segmentation should start at the application level, Marion notes, with agencies segmenting apps like Microsoft Office 365 from other mission-critical applications.
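The "blast radius" argument in the Microsoft post and Marion's point about starting at the application level can be made concrete with a small reachability model. The following is an added example written for this page, not code from the article, Microsoft, Accenture or any agency; the host inventory, segment names and allow rules are constructed for illustration. It treats each host as belonging to one application segment, applies a default-deny policy with explicit cross-segment allows, and computes which hosts an attacker who has landed on a given host could still reach, for a flat network and for the segmented one.

```python
"""Compare lateral-movement reach on a flat network versus application-level
segmentation. Added example; hosts, segments and rules below are constructed."""
from collections import deque

# Constructed inventory: host -> application segment it belongs to.
HOSTS = {
    "o365-proxy": "office365",
    "hr-web": "hr-app",
    "hr-db": "hr-app",
    "pay-web": "payroll",
    "pay-db": "payroll",
    "jump-01": "admin",
}

# Constructed cross-segment allow list (src_segment, dst_segment).
# Everything not listed here, and not intra-segment, is denied.
ALLOW_RULES = {
    ("admin", "hr-app"),
    ("admin", "payroll"),
}


def flat_policy(src, dst):
    """Flat network: any host may talk to any other host."""
    return src != dst


def build_segmented_policy(allow_rules, hosts=HOSTS):
    """Return a default-deny policy: traffic inside one application segment is
    allowed, traffic between segments only if (src_seg, dst_seg) is allowed."""
    def policy(src, dst):
        if src == dst:
            return False
        s, d = hosts[src], hosts[dst]
        return s == d or (s, d) in allow_rules
    return policy


def blast_radius(start, policy, hosts=HOSTS):
    """Hosts reachable from `start` by chaining allowed connections (BFS).
    This is the set an attacker on `start` could move to, ignoring
    application-layer controls such as MFA that would further cut it down."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in hosts:
            if nxt not in seen and policy(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def compare(start):
    """Blast radius sizes for the same foothold under both policies."""
    segmented = build_segmented_policy(ALLOW_RULES)
    return len(blast_radius(start, flat_policy)), len(blast_radius(start, segmented))


if __name__ == "__main__":
    for host in HOSTS:
        flat, seg = compare(host)
        print(f"{host:11s} flat={flat} segmented={seg}")
```

Running it shows the asymmetry segmentation buys: a foothold on the Office 365 proxy reaches every other host on the flat network but nothing outside its own segment once segmented, while the admin jump host keeps its deliberately wide reach, which is exactly where the MFA and granular access controls Roat mentions need to sit.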