Segmentation, an established concept, continues to deliver value across multiple disciplines. We are all likely familiar with the concept of market segmentation that is defined in Wikipedia as “a marketing strategy which involves dividing a broad target market into subsets of consumers, businesses, or countries who have, or are perceived to have, common needs, interests, and priorities, and then designing and implementing strategies to target them.”
In IT, network segmentation is well known to increase network performance and security by isolating one network segment (zone) from others. For example, PCI (payment card industry) data within a network must be separated from the rest of the network to limit unauthorized access to credit card data.
When it comes to security and compliance, not all assets pose equal risk. Assets should be segmented into virtual groups based on attributes such as data classification, regulatory requirements, and business criticality. Ideally, multiple criteria can apply to the same asset to support specific security policies -- for example, segmenting assets by both data classification and geography to meet local data protection regulations such as HIPAA in the United States.
Segmentation Must Inform Security Controls
Determining which security controls should be applied to which assets is a decision that must balance the cost of administering the controls (there is no free lunch) with the need to enable the business (or at least not disable it). For example, a security policy for standard endpoints could require a monthly vulnerability scan, a basic configuration audit that checks for password strength, and remediation of critical vulnerabilities and misconfigurations within 30 days, yet still allow users to install software and write data to USB devices. However, the security policy for endpoints used by finance personnel could require weekly vulnerability scans, strict configuration audits, and remediation of all critical and high vulnerabilities and misconfigurations within seven days. Additionally, when indicators of compromise are discovered that pertain to higher risk assets, higher priority alerts should be triggered to raise the visibility for security monitoring staff.
The benefits of tailoring security controls to specific asset segments include:
- Risk-based security that applies stronger controls to assets that contain or can access critical data and to assets associated with mission-critical services. Hopefully, users of these critical assets will understand and accept the rationale for having their systems “locked down” to protect sensitive data and services.
- Prioritization of security staff resources. Frequently, security staff resources are spread across implementing and managing preventive controls and across proactive monitoring that demands timely investigation of indicators of weakness. Asset segmentation helps staff focus their time on what matters most.
- Automated analysis and reporting. Robust segmentation can prioritize weaknesses by grouping assets based on criteria such as regulatory requirements, vulnerability criticality, and the availability of an exploit. This analysis increases staff efficiency by focusing them on high-risk asset groups. Additionally, automated reporting leverages asset segmentation to send information pertaining to specific assets to the responsible parties.
Manual Segmentation Will Fail
Manually assigning assets to segments is doomed to failure because people are notoriously poor at performing classification. Most people don’t like to perform classification, so the unwritten “five-second rule” often applies: If people can’t classify something within five seconds, they tend to resort to the first item in a pick list. When asked to classify assets using multiple criteria such as geography, operating system, and business service, the five-second rule is virtually sure to reduce the quality of the classification. Even with good intentions, people often inaccurately classify items; it is just too easy to make a mistake. The bottom line is that classification must be automated to provide accurate results.
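The following is an added example, not code from the original post, showing what the automated classification called for above looks like in practice and how it feeds the two uses described earlier: selecting a per-segment control policy (the monthly/30-day versus weekly/7-day cadences given for standard and finance endpoints) and prioritizing findings by segment, severity, and exploit availability. The segment names, tags, PCI subnet, hosts, and findings are all constructed for the demonstration; a real deployment would draw them from its own inventory and scanner.

```python
"""Rule-based asset segmentation feeding per-segment policy and finding
prioritization. Added example with constructed data; not the post's own code."""
from dataclasses import dataclass
import ipaddress

# Constructed PCI zone for the example; a real deployment would read this
# from its own network inventory.
PCI_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    tags: frozenset  # inventory attributes such as "dept:finance" (constructed)


@dataclass(frozen=True)
class Policy:
    scan_interval_days: int
    remediation_sla_days: int
    remediate_severities: frozenset  # severities that must be fixed within the SLA
    alert_priority: int  # 1 = highest; ranks alerts for indicators on this asset


# Segment membership rules. An asset may match several segments at once
# (the post's point that multiple criteria can apply to the same asset).
SEGMENT_RULES = {
    "pci": lambda a: "data:pci" in a.tags or ipaddress.ip_address(a.ip) in PCI_NET,
    "finance-endpoint": lambda a: {"dept:finance", "role:endpoint"} <= a.tags,
    "standard-endpoint": lambda a: "role:endpoint" in a.tags,
}

# Per-segment policies mirroring the cadences in the post: monthly scans and
# 30-day remediation for standard endpoints, weekly and 7-day for finance.
POLICIES = {
    "standard-endpoint": Policy(30, 30, frozenset({"critical"}), 3),
    "finance-endpoint": Policy(7, 7, frozenset({"critical", "high"}), 2),
    "pci": Policy(7, 7, frozenset({"critical", "high"}), 1),
}


def segments_for(asset):
    """Automated classification: every segment whose rule the asset satisfies."""
    return {name for name, rule in SEGMENT_RULES.items() if rule(asset)}


def effective_policy(asset):
    """Strictest combination of the policies of all segments the asset is in."""
    matched = [POLICIES[s] for s in segments_for(asset)]
    if not matched:
        return None  # unclassified asset: surface it for review rather than guess
    return Policy(
        scan_interval_days=min(p.scan_interval_days for p in matched),
        remediation_sla_days=min(p.remediation_sla_days for p in matched),
        remediate_severities=frozenset().union(*(p.remediate_severities for p in matched)),
        alert_priority=min(p.alert_priority for p in matched),
    )


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str  # constructed identifier, not a real CVE or ticket
    asset: Asset
    severity: str
    exploit_available: bool


def due_in_days(finding):
    """Remediation deadline under the asset's policy, or None if not mandated."""
    policy = effective_policy(finding.asset)
    if policy is None or finding.severity not in policy.remediate_severities:
        return None
    return policy.remediation_sla_days


def prioritize(findings):
    """Order findings by segment priority, then severity, then exploit availability."""
    def key(f):
        policy = effective_policy(f.asset)
        prio = policy.alert_priority if policy else 99
        return (prio, SEVERITY_RANK.get(f.severity, 9), not f.exploit_available, f.finding_id)
    return sorted(findings, key=key)


# Constructed inventory and findings for the demonstration.
INVENTORY = [
    Asset("ws-fin-01", "10.1.0.11", frozenset({"role:endpoint", "dept:finance"})),
    Asset("ws-eng-02", "10.1.0.22", frozenset({"role:endpoint", "dept:engineering"})),
    Asset("pos-01", "10.20.0.5", frozenset({"role:server"})),
]
FINDINGS = [
    Finding("F-1", INVENTORY[1], "critical", True),
    Finding("F-2", INVENTORY[0], "high", False),
    Finding("F-3", INVENTORY[2], "high", True),
    Finding("F-4", INVENTORY[1], "high", True),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(a.hostname, sorted(segments_for(a)), effective_policy(a))
    for f in prioritize(FINDINGS):
        print(f.finding_id, f.asset.hostname, f.severity, "due in", due_in_days(f))
```

Two design choices are worth noting. Membership is computed from inventory attributes every time rather than stored, so an asset that gains a finance tag or moves into the PCI subnet changes policy without anyone re-picking a value from a list. And when an asset falls into more than one segment, the effective policy takes the strictest value of each field, so adding a second criterion can only tighten controls, never loosen them; an asset matching no rule returns no policy at all, which is the case to route to a human rather than default silently.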
Automated asset segmentation and classification help focus strong security controls where they are needed most and increase staff efficiency when investigating weaknesses and incidents.