Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Use Segmentation & Compensating Controls to Protect the Network

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify when to use network segmentation.
  • Describe when to use compensating controls.

Use Network Segmentation

Imagine the security at a local bank. While the bank keeps a smaller amount of money behind the counter that the teller accesses to make minor transactions, larger sums of money and other valuables (like family heirlooms or birth certificates) are usually kept inside a security box, inside a vault, behind locked doors, inside a building patrolled by a guard and secured by a gate and an alarm. 

Just as one wouldn’t store one’s valuables at a bank that kept large sums of money lying around in the open, it’s important to secure networks with more than one line of defense. Network security engineers use network segmentation as an important part of this defense-in-depth strategy. 

Network segmentation entails using physical and logical controls to partition the network so that assets with a similar value and similar risks are stored and protected together. High-value assets that have a high risk of compromise are surrounded by greater protections and kept separate from low-value assets that can be accessed by many network users. 

In one frame, a teller at a bank has a drawer of cash on the desk in front of a customer. In the next frame, a security guard stands in front of a locked vault.

In the past few years, there has been a growing trend toward segmenting networks, and advanced tool sets have been developed to make this easier. In the past, traditional methods of securing networks centered around the concept of untrusted and trusted zones. The network was thought to be a trusted zone where authorized users and assets could access most resources, with very little protections and barriers between systems and data. 

The primary way of securing networks was by securing a strong perimeter, primarily through the use of firewalls. This is equivalent to the idea of a bank having a very strong lock on the front door and a security guard monitoring what comes in and out, but few other protections once someone gains inside access. 

Hackers typically try to find the easiest way into a network, and then try to pivot to gain elevated privileges and exfiltrate (remove from the network) the most sensitive data. Therefore, more advanced security organizations today secure more than just the perimeter. The more protection put around high-value assets, down to securing the data itself, the better. This way, even if a hacker breaches the network, the likelihood that they can compromise the company’s most sensitive data is limited. This concept, called zero-trust, can be implemented using network segmentation. As described in the Trailhead module Zero Trust Security, zero trust is the modern approach to IT security where the goal is to secure beyond the conventional perimeter-based security model.

A zero trust environment requires continuous verification of users and devices, analyzing behavior and context to grant or deny access based on real-time risk assessment. Zero trust enhances network segmentation by applying granular access controls and ongoing verification within each segment, ensuring that even if a breach occurs, it’s contained and minimized.

Some real-life examples are a good reminder of the importance of network segmentation. During a busy holiday season, a large retail giant was hit by a massive data breach. Part of the reason hackers were able to access so much sensitive data was that the company’s engineers had failed to properly segregate systems handling sensitive payment card data from the rest of the network. 

Hackers first entered the company’s network using credentials stolen from a third-party vendor, and then leveraged that access to move undetected through the company’s network and install malware on the company’s point-of-sale systems, thus enabling the hackers to steal customers’ payment information. 

This example illustrates the importance of segmenting the network to make it harder to gain unauthorized access to sensitive systems by compromising another point of entry. It also points to the importance of monitoring the security of third-party vendors and using strong authentication to access the network remotely. The failure to properly segment and protect its network cost the company millions of dollars and impacted millions of customers, as well as damaged the company’s reputation. 

Use Compensating Controls

In a perfect world, security professionals would be able to implement every possible protection, keeping company assets as safe as possible from bad actors. However, like anything else in life, security professionals face constraints and trade-offs. There may not be enough money to purchase the latest technology or upgrade an old system. A company may not have enough staff resources to monitor its network 24/7. The chief information officer (CIO) may not have enough clout in the business to convince the chief financial officer (CFO) of the importance of implementing cutting-edge protections, whether that be a zero-trust network or strong authentication to access an application. 

When it is not possible to put in place the ideal security protection, security professionals should choose, implement, and document compensating controls. Doing so is not only a best practice but also often a regulatory requirement. 

Network security engineers put in place compensating controls when a primary control can't be implemented, to help provide a similar level of defense to help manage risk. It isn't meant to be a permanent solution, and the use of compensating controls should be documented and revisited regularly until an ideal technology solution can be put in place. For example, a sensitive system may have a critical vulnerability that can't be immediately patched because the vendor no longer provides patches or a patch is not yet available. In this case, the security team can segment the system by placing it on a separate Virtual Local Area Network (VLAN) or subnet.. This limits the potential attack surface, minimizing the chance that the vulnerability can be exploited from the public internet. The security team should work with the business team to come up with a plan, resources, and a timeline to eventually migrate the system to a newer server with patches supported by the vendor. 

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag a word from the word bank at the bottom to the appropriate place in the paragraph. When you finish placing all the words, click Submit to check your work. If you’d like to start over, click Reset.

Great job! You’ve looked at how to use network segmentation and compensating controls to secure sensitive systems. How can a network security engineer detect an intrusion to the network when a hacker exploits a weakness? On to the next section!

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback