Networks are the backbone of a company’s digital information infrastructure. They carry the flow and exchange of information across and within the corporate perimeter. However, many corporate networks are flat: one large segment that is not separated by any logical boundaries. In a flat network, for example, the Corporate or Enterprise domain and the Operational Technology (OT) domain commingle. As a result, any resource in the Enterprise environment can potentially reach a resource in the OT environment. More importantly, information, sensitive or not, flows freely in both directions.
Armed with unauthorized access, a malicious actor can go as deep as the process level, shutting down systems that interface with field assets and potentially causing a major incident. The impact is not only financial but also safety-related, affecting the people who work in that environment. We have all seen the headlines highlighting a company that has suffered a major breach of its OT network, where most of the critical business assets reside. This situation is avoidable by following industry best practices.
Instead of a flat network, consider segregating the network into different segments or zones. For example, you would segregate your Enterprise network from your OT network. Segmenting the environments limits access to critical areas of the business, thereby lowering the impact of a breach and slowing down the force of an attack. Within the Enterprise and OT network segments or zones, companies can add additional segmentation to better secure critical operational assets.
As stated above, information flows freely in a flat network. This is a major drawback, because there is minimal control over the flow of data within the network. In a segmented network, controls are implemented so that information is only allowed to flow from a trusted network to an untrusted network. Following best practices, once the network is segmented, information flows from the OT zone to the Enterprise zone and never the other way. This protects the assets and data that are most critical to business operations. Where Enterprise users require OT data, industry best practice is to create a demilitarized zone (DMZ) and grant permissions only to those users who need access to that data. This approach also allows valuable resources to be allocated more effectively: strategically, the most efficient and cost-effective protections can be applied to the segments or zones where the assets are most critical.
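The zone model described above (OT publishes into a DMZ, Enterprise reads from the DMZ, nothing reaches back into OT) can be expressed as an explicit allow-list and checked against connection records. The following is an added example, not code from the original article; the zone address ranges, the allowed-flow table and the log lines are all constructed for illustration. It contrasts the flat network, where every flow is permitted, with the segmented policy, and flags the records a segmented policy would deny.

```python
import ipaddress
from collections import namedtuple

# Constructed zone layout (hypothetical address ranges, not from the article).
ZONES = {
    "enterprise": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz":        [ipaddress.ip_network("10.20.0.0/24")],
    "ot":         [ipaddress.ip_network("192.168.100.0/24")],
}

# Allowed (source zone, destination zone) pairs; anything not listed is denied.
# Mirrors the article's rule: OT data moves outward into the DMZ, Enterprise
# users fetch it from the DMZ, and no zone initiates connections into OT.
ALLOWED_FLOWS = {
    ("ot", "dmz"),          # OT publishes data (e.g. historian replication) to the DMZ
    ("enterprise", "dmz"),  # Enterprise users read that data from the DMZ
}

Flow = namedtuple("Flow", "src dst dport verdict")


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def evaluate_flow(src: str, dst: str, segmented: bool = True) -> str:
    """Return 'allowed', 'denied' or 'intra-zone' for a source/destination pair.

    With segmented=False the function models the flat network: every flow
    between known zones is permitted, which is exactly the drawback described.
    """
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "intra-zone"
    if not segmented:
        return "allowed"
    return "allowed" if (s, d) in ALLOWED_FLOWS else "denied"


# Constructed sample of connection records in a simple key=value format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 src=192.168.100.15 dst=10.20.0.5 dport=5432
2024-05-01T08:00:02 src=10.10.4.22 dst=10.20.0.5 dport=443
2024-05-01T08:00:03 src=10.10.4.22 dst=192.168.100.15 dport=502
2024-05-01T08:00:04 src=10.20.0.5 dst=192.168.100.15 dport=22
2024-05-01T08:00:05 src=192.168.100.15 dst=192.168.100.20 dport=502
"""


def parse_line(line: str):
    """Parse one record; the timestamp is the first token, the rest are key=value."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def audit(log_text: str, segmented: bool = True):
    """Evaluate every record under the chosen policy and return Flow tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_line(line)
        results.append(Flow(src, dst, dport, evaluate_flow(src, dst, segmented)))
    return results


def violations(log_text: str):
    """Records the segmented policy would deny; these are the flows a flat network lets through."""
    return [f for f in audit(log_text) if f.verdict == "denied"]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{zone_of(f.src):>10} -> {zone_of(f.dst):<10} port {f.dport:<5} {f.verdict}")
    print(f"{len(violations(SAMPLE_LOG))} flows violate the segmented policy")
```

Running the block shows the two inbound-to-OT records (Enterprise to a Modbus port and DMZ to SSH) as denied, while the same records evaluate as allowed under the flat model; the same allow-list is what would be encoded in the firewall rules between the zones.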
Now more than ever, companies rely heavily on digital information to conduct their business. Data is used daily to make critical business decisions, and networks are the digital backbone on which that data is shared, transferred, and stored. If this is the case, shouldn’t they be protected with the utmost care? A flat network is a major drawback to a company’s security posture. Network segmentation is a best-practice security strategy recommended by every security framework and industry best-practice guide. It not only helps to secure a company’s information but also improves resilience and reduces the overall risk profile.