Network segmentation is a common and effective cybersecurity countermeasure. As attacks get more sophisticated, however, security tactics need to advance in parallel. For example, endpoints (laptops, desktops and workstations) are often considered among the “weakest links” in a cybersecurity strategy, and they are thus prime targets for network penetration attacks. At the same time, existing endpoint security tools are increasingly deficient. Network segmentation, which restricts access from these risky devices to sensitive data, is one area that can help combat the risk of cyberattacks. This article explores the role of the endpoint in network segmentation and shares several emerging network segmentation best practices that strengthen the endpoint.
Overview: Managing Network Segmentation and End User Experience
The success of network segmentation as a countermeasure hinges on end user experience. For instance, it’s easy to achieve and enforce secure network segments by handing out a separate machine that can only access privileged network sub-segments. But this is not a viable approach today, when people expect full network access from pretty much any location and any device.
Employees will probably not lug two laptops with them everywhere they go. At some point, they’ll circumvent the control if they can. Similarly, even if access to the privileged network segment is available through a general corporate device, usability issues will affect compliance. The challenge is to make network segmentation work without negatively affecting end user experience. This principle should guide any thinking about network segmentation best practices.
Deficiencies in Current Network Segmentation at the Endpoint
Use of Virtual Desktop Infrastructure (VDI) or Citrix emulation software to access a privileged network segment is not without risk. The exposure comes from the VDI tool sharing the same operating system with all the other software on the device, e.g. email clients or web browsers. The user can accidentally infect his or her machine with spyware or keylogging software by visiting a suspicious site or opening a malware-bearing email attachment. From there, attackers can observe the privileged network login occurring in VDI or Citrix. This significantly increases the risk of a breach of the privileged network segment.
Network Segmentation Best Practices
- Protect the endpoint first—Malicious actors access the network through endpoints. Or, they gain access after compromising an endpoint and stealing credentials for network segments. It’s a wise practice, therefore, to start the network segmentation process at the endpoint.
- Create privileged access workstations—The user should have a separate, segregated workstation to use in accessing privileged network segments. However, factoring in user experience, the separate machine should be on the same physical device. Advances in hypervisor technology make this possible today.
- Segment the network, starting with simple steps—Network segmentation can get complicated pretty quickly. The best practice is to start small and move forward in defined increments. For instance, first establish a privileged area in your organization with access only to a small set of privileged resources. Access to this area should be strictly controlled to privileged access workstations. Then additional measures can be added, such as separate authentication infrastructure, multiple authentication factors, and separate infrastructure for updating, managing and securing privileged resources.
- Focus on user experience throughout the process—At each stage of devising and implementing network segmentation, a good practice is to think through the end user’s experience of the whole setup. If any step in the login procedure is opaque, it’s wise to rethink it and make it clearer.
- Pay attention to structural risks in the process—A segmented network will not be secure if hackers can gain access to the systems that administer it. For this reason, a recommended practice is to segregate the configuration management systems for privileged machines from those that deal with regular work computers. This way, it becomes harder for a hacker to provision himself or herself with a privileged machine and defeat the entire segmentation countermeasure in the process.
- Establish and enforce policies for use of peripherals on privileged machines—The machine used for accessing privileged network segments has to be subject to strict policies regarding peripheral devices. For example, it should not auto-load the contents of USB sticks, or should not accept USB drives at all. The challenge here is enforcing a no-USB policy on a virtualized privileged machine that shares hardware with a PC which does accept USB drives. Again, new privileged machine hypervisor tooling enables this sort of selective policy enforcement.
- Manage organizational issues that may arise in the network segmentation process—Network segmentation also often involves segmenting people, teams and business processes. In some cases, the biggest problems in a segmentation project come from interpersonal and inter-departmental conflicts. For example, business unit A may run enterprise system A on network segment A, while business unit B runs system B on segment B. What happens when systems A and B must integrate to perform a business process? There will be negotiations and discussions over procedures, budgets and more.
Similarly, network segmentation can cause friction between separate areas of the IT department. The endpoint security team may want to “own” the network segmentation solutions that occupy the endpoint, while the network security team wants to control everything. These potential conflicts have to be thought through and worked out professionally and sensibly. Flexible endpoint security tools can help resolve the “who controls what” and “we both need access to the segment” debates that can arise.
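As an added illustration (not part of the original article), the following script models the incremental segmentation described above: only privileged access workstations reach the privileged resources, general endpoints are denied, and the configuration-management plane for privileged machines is kept apart from the one for regular work computers. The zone names, address ranges and flows are constructed for the example and stand in for whatever an organization actually defines.

```python
"""Zone-based check of the segmentation policy described in the article.
Zones, ranges and allow-list entries are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: each maps a zone name to its network ranges.
ZONES = {
    "general_endpoints": [ip_network("10.10.0.0/16")],
    "paw": [ip_network("10.20.0.0/24")],               # privileged access workstations
    "privileged_resources": [ip_network("10.30.0.0/24")],
    "priv_config_mgmt": [ip_network("10.40.0.0/24")],  # admin plane for PAWs only
    "general_config_mgmt": [ip_network("10.50.0.0/24")],
}

# Allow-list of (src_zone, dst_zone, dst_port or None for any port).
# Everything not listed is denied, which is the "start small" posture.
ALLOW = [
    ("paw", "privileged_resources", 443),
    ("paw", "privileged_resources", 22),
    ("priv_config_mgmt", "paw", None),            # only this plane manages PAWs
    ("general_config_mgmt", "general_endpoints", None),
]

@dataclass
class Flow:
    src: str
    dst: str
    port: int

def zone_of(addr):
    """Map an address to its zone; anything outside the defined ranges is unknown."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "unknown"

def evaluate(flow):
    """Return ('allow' | 'deny', reason). Default deny, including unknown zones."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    for src_zone, dst_zone, port in ALLOW:
        if s == src_zone and d == dst_zone and port in (None, flow.port):
            return "allow", f"{s} -> {d}:{flow.port} permitted by allow-list"
    return "deny", f"{s} -> {d}:{flow.port} has no allow-list entry"

if __name__ == "__main__":
    for f in [Flow("10.20.0.5", "10.30.0.10", 443),   # PAW to privileged app
              Flow("10.10.4.7", "10.30.0.10", 443),   # general laptop to privileged app
              Flow("10.50.0.2", "10.20.0.5", 22)]:    # general CM plane to a PAW
        print(f, *evaluate(f))
```

The third flow is the structural risk from the list above: the general configuration-management plane must not be able to reach a PAW, so the policy denies it even though the port is one a PAW itself may use.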
Network segmentation best practices are evolving as the threat landscape grows more menacing and end users expect greater convenience. End user experience should serve as an overall guiding principle. From there, a focus on the endpoint makes the most sense. It is the gateway to the network, so it merits attention. A new generation of hypervisor tools now makes it possible to install multiple, wholly segmented virtual machines on the same piece of hardware. With this capability, users can securely access privileged network segments on the same machine they use for general work and even personal online activities.