Security Think Tank: IT asset separation is a risk-based decision
What are the security benefits and challenges of segregating IT environments, and how best are these challenges overcome?
IT is not an island. And often, that is the problem. Failure to segregate and contain key IT infrastructure and resources often makes it harder (if not impossible) to defend and protect.
It is not just a cyber security concern – it also extends to containing the fallout from errors, compliance issues, hardware failures and other outages. However, it is within the realm of cyber security that IT segregation often shows its greatest value and will offer significant benefit, albeit with some issues and compromises.
For instance, having hard separation of your various IT operating environments can prevent cross-contamination of systems in the event of a malware outbreak, and should be best practice in your systems development and deployment. Poor separation is one of the things that aids propagation of malware.
If we take the WannaCry outbreak as a case in point, the poor separation of systems within some NHS environments was a contributing factor that allowed the code to spread rapidly and create significant harm. That single outbreak is reported to have cost the NHS between £70m and £92m in recovery costs.
This is why security skills and a security mindset are critical in network management and network building. While the actual separation of the IT environment is a key element, so too is having the right people on hand to plan, test, deploy and maintain this infrastructure.
Having qualified IT security personnel with a proven understanding of network and cloud security is paramount to a successful IT separation project, and to ensuring that its security benefits can actually be realised. But what are the options?
Physical isolation
Physical separation is still as literal as it sounds. One piece over here, another piece over there – with firewalls in-between to ensure no unnecessary crosstalk and, where necessary, air-gapping them from the outside world. The primary benefit of this physical separation is clear – it provides a high degree of isolation.
If segment A becomes infected with malware, suffers a hardware failure, an intrusion attempt, a DoS [denial of service] attack or something else, segment B is completely isolated and should not be impacted by the issues affecting A beyond any shared dependencies. It also has significant data protection and compliance benefits, such as ensuring that data is not disclosed to parts of the business that should not have access, allowing for a clean purge of data assets in the event of a sale, merger or reorganisation.
Successfully breaching segment A will not automatically deliver access to B, immediately reducing the overall data and compliance risk profile for the business.
As the networks themselves are isolated from each other, that also takes care of data traffic, reducing the need for any additional smart routing or isolating of traffic as might be seen on a single network or in an ad-hoc test environment.
A prime example of this is using an external cloud service for testing, and in-house infrastructure for the production deployment. The two platforms create a hard divide, so that test or security issues on one will not take down the other.
Virtual isolation
The other approach is to abstract the physical layer from the software layer, and instead rely on layer-2 VLAN [virtual local area network] segmentation. This software-defined networking (SDN) approach has many benefits, including reducing the need for constant physical intervention to provision and reconfigure network assets, as well as allowing for more centralisation of VLAN control, configuration and monitoring.
It also allows for the rapid deployment of security countermeasures, such as new virtual firewall instances, in-flight encrypted connections, re-routing of traffic and some reconfiguration on-the-fly to counter inbound security threats and challenges, such as a DoS attack or a straightforward intrusion attempt.
However, the hard and virtual separation of IT systems does come with an operational cost, if not a financial one, too. For example, it can complicate the integration of public cloud services into your IT infrastructure.
If you are relying on virtual network infrastructure to segregate and isolate elements of the IT estate, this will, in turn, limit the connectivity in and out of the network to the public cloud, and potentially impact the ability of systems on other parts of the network to reach that connection if it is on a segregated branch.
A segregated network – physical or virtual – will also create greater workload when infrastructure has to be reconfigured, to ensure that applications continue to function and can still reach all the resources they need after a resource has been moved.
Even a virtual network comes with compromises. Under that software layer is still a fixed hardware layer, and there is only so much you can do with a software-based virtual network, especially if it involves extending the reach of that VLAN. Provisioning and small changes are quick, but the underlying physical changes and build-out can be extremely time-consuming and expensive.
Ultimately, IT asset separation is a risk-based decision. It is not a simple or quick fix for all your security challenges. It requires a clear and expert understanding of the security threats and issues the organisation faces, or potentially faces.
This is why it is so important to have skilled, qualified cyber security professionals involved in the process. Only then can you quantify whether the problems and hurdles that IT separation creates are worth it and will deliver overall benefit.