Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

12/18/2019
10:35 AM
100%
0%

Few Firms Use Segmentation, Despite Security Benefits

Network segmentation is considered a key security control to prevent attackers from easily accessing critical assets from compromised, but unprivileged, computers. So why aren't more companies doing it?

Fewer than one in five companies is currently using network segmentation to slow intruders from moving around its network, mainly due to the difficulty of configuring and maintaining firewall rules, according to a survey conducted by network security provider Illumio.

The survey, based on interviews with 300 IT professionals, found that 19% of companies currently use network segmentation to reduce the risk of a data breach, while another 26% are planning a project in the next six months. Yet a whopping 55% of companies are not even considering deploying segmentation in that time frame, according to the survey. 

The responses suggest that companies understand the benefits of segmenting their applications and servers, but the difficulty of the project has dissuaded many IT professionals, causing them to put off efforts, says Matt Glenn, vice president of product management for Illumio.

"When we talked to people, they never say that they don't want to do segmentation," he says. "They ask how can they do it and what is the cost."

Network segmentation is one way of dispensing with trust and minimizing the impact that a user could have on the network. A variety of companies have touted the zero-trust model for security, labeling trust as weakness. By limiting access to specific critical assets and data, segmentation is one way of implementing zero-trust security and can harden networks against an intruder's efforts to laterally move after a breach. 

Last year, network segmentation appeared on the to-do lists of nine out of 10 companies, according to a blog post from network security firm Forescout. Illumio's survey suggests that companies still have to work to do, however. That's understandable, as network segmentation projects take a great deal of time and planning. Moreover, companies need to do it right — if done incorrectly, segmentation can create roadblocks for legitimate users. 

Because of these difficulties, two-thirds of respondents considered the process of segmenting using firewalls to be fairly challenging or even more difficult, the survey found.

"Among their most pressing concerns were cost, troubleshooting, deployment and making changes," Illumio stated in the report. "The difficulties respondents had with their firewalls ranged from deployment to obtaining budgets, implementing changes and verifying them."

Most companies have to deal with a large number of firewall rules. Almost two-thirds — 62% — of organizations have more than 1,000 rules per firewall, according to the survey.

Using firewalls as the basis of network segmentation can slow down the deployment of new rules for applications, the company says. The average time to deploy and tune a firewall is one to three months, and it takes an average of one to two weeks to accommodate a new application, according to the survey. Such delays make segmentation via the firewall not friendly to software development life cycles focused on DevOps, Glenn says.

"Most people when they think about doing segmentation, they are thinking about doing it with a firewall, and that it's like trying to put together Ikea furniture with a hammer," he says. "It's not going to work, but you only have one tool, so you use it, even if it is not the right one."

As agile development and techniques such as DevOps grow in popularity, companies are searching for methods of making security more responsive to application configuration. Software-defined networking has become one way that companies can quickly segment networks as well as add responsive security features, such as deceptive network architectures that can waste attackers' time.

Other companies — such as Cisco, Illumio, and VMware — focus on host-based segmentation, using the firewall of the application's host to enforce security segmentation on the application.

In the end, companies need to find ways to more granularly apply security policies to assets on their network, according to analyst firm Forrester Research.

"Defending the perimeter is no longer an effective strategy," the firm states on its Zero Trust site. "Zero Trust implements methods to localize and isolate threats through microcore, microsegmentation, and deep visibility to give you an organized approach to identify threats and limit the impact of any breach."

 

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Manage API Security."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
demmis_linux
50%
50%
demmis_linux,
User Rank: Apprentice
12/23/2019 | 10:24:01 AM
Thank you for this
Thank you for this
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.