Use Segmentation & Compensating Controls to Protect the Network

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify when to use network segmentation.
  • Describe when to use compensating controls.

Use Network Segmentation

Imagine the security at a local bank. While the bank keeps a smaller amount of money behind the counter that the teller accesses to make minor transactions, larger sums of money and other valuables (like family heirlooms or birth certificates) are usually kept inside a security box, inside a vault, behind locked doors, inside a building patrolled by a guard and secured by a gate and an alarm. 

Just as one wouldn’t store one’s valuables at a bank that kept large sums of money lying around in the open, it’s important to secure networks with more than one line of defense. Network security engineers use network segmentation as an important part of this defense-in-depth strategy. 

Network segmentation entails using physical and logical controls to partition the network so that assets with a similar value and similar risks are stored and protected together. High-value assets that have a high risk of compromise are surrounded by greater protections and kept separate from low-value assets that can be accessed by many network users. 

In one frame, a teller at a bank has a drawer of cash on the desk in front of a customer. In the next frame, a security guard stands in front of a locked vault.

In the past few years, there has been a growing trend toward segmenting networks, and advanced tool sets have been developed to make this easier. Traditionally, methods of securing networks centered on the concept of untrusted and trusted zones. The internal network was treated as a trusted zone where authorized users and assets could access most resources, with few protections or barriers between systems and data. 

The primary way of securing networks was to establish a strong perimeter, primarily through the use of firewalls. This is equivalent to a bank having a very strong lock on the front door and a security guard monitoring what comes in and out, but few other protections once someone gains inside access. 

Hackers typically try to find the easiest way into a network, and then try to pivot to gain elevated privileges and exfiltrate (remove from the network) the most sensitive data. Therefore, more advanced security organizations today secure more than just the perimeter. The more protection put around high-value assets, down to securing the data itself, the better. This way, even if a hacker breaches the network, the likelihood that they can compromise the company’s most sensitive data is limited. This concept, called zero-trust, can be implemented using network segmentation. Google has developed a white paper on its implementation of zero-trust to help protect its internal IT environment. The paper offers an explanation of how other organizations could use this concept to help protect their data beyond the network perimeter.

Some real-life examples are a good reminder of the importance of network segmentation. In 2013, a large retail giant was hit by a massive data breach. Part of the reason hackers were able to access so much sensitive data was that the company’s engineers had failed to properly segregate systems handling sensitive payment card data from the rest of the network. 

Hackers first entered the company’s network using credentials stolen from a third-party vendor, and then leveraged that access to move undetected through the company’s network and install malware on the company’s point-of-sale systems, thus enabling the hackers to steal customers’ payment information. 

This example illustrates the importance of segmenting the network so that compromising one point of entry does not make it easy to reach sensitive systems. It also points to the importance of monitoring the security of third-party vendors and requiring strong authentication for remote access to the network. The failure to properly segment and protect its network cost the company millions of dollars, impacted millions of customers, and damaged the company’s reputation. 

Use Compensating Controls

In a perfect world, security professionals would be able to implement every possible protection, keeping company assets as safe as possible from bad actors. However, like anything else in life, security professionals face constraints and trade-offs. There may not be enough money to purchase the latest technology or upgrade an old system. A company may not have enough staff resources to monitor its network 24/7. The chief information officer (CIO) may not have enough clout in the business to convince the chief financial officer (CFO) of the importance of implementing cutting-edge protections, whether that be a zero-trust network or strong authentication to access an application. 

When it is not possible to put in place the ideal security protection, security professionals should choose, implement, and document compensating controls. Doing so is not only a best practice but also often a regulatory requirement. 

Network security engineers put in place compensating controls when a primary control cannot be implemented, to provide a similar level of defense and help manage risk. A compensating control is not meant to be a permanent solution; its use should be documented and revisited on a regular basis until an ideal technology solution can be put in place. For example, a sensitive system may have a critical vulnerability. A network security engineer may not be able to patch the vulnerability because the vendor no longer provides patches. This is true of systems running on Microsoft 2003 servers, which Microsoft stopped supporting in 2015. Ideally, the security team works with the business to upgrade the server to a version the vendor still supports. If this cannot be done, the security team may take the system offline and segment it in a heavily protected part of the network. This minimizes the chance that the vulnerability can be exploited from the public internet, while compensating controls manage the residual risk. The security team should work with the business team to come up with a plan, resources, and a timeline to eventually migrate the system to a newer server with patches supported by the vendor. 
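The following added example (not part of the original unit) shows how a network security engineer can check a zone-to-zone allow list for the pivot paths described above: a low-trust zone, such as a third-party vendor zone, reaching a high-value zone, such as point-of-sale systems or a segmented unsupported server, either directly or by chaining through intermediate zones. The zone names, trust tiers, and rules are constructed for illustration.

```python
from collections import deque

# Constructed example: trust tier per zone, 0 = least trusted (assumption).
ZONE_TIER = {"internet": 0, "vendor": 1, "corporate": 2, "jump": 2,
             "pos": 3, "legacy": 3}

# Constructed allow rules: (source zone, destination zone, service).
# Anything not listed is denied, which is the default a segmented network needs.
FLAT_RULES = [
    ("internet", "vendor", "https"),  # vendor portal reachable from outside
    ("vendor", "corporate", "smb"),   # vendor zone can reach corporate file shares
    ("corporate", "pos", "ssh"),      # corporate admins manage POS systems
    ("corporate", "jump", "ssh"),
    ("jump", "legacy", "rdp"),        # compensating control: only the jump host reaches
                                      # the unpatched server in its protected segment
]

def paths_from(rules, start):
    """Breadth-first search over allow rules. Returns {zone: path} for every
    zone reachable from `start`, where path is the chain of zones an intruder
    could pivot through."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _svc in rules:
            if src == zone and dst not in paths:
                paths[dst] = paths[zone] + [dst]
                queue.append(dst)
    return paths

def segmentation_violations(rules, tiers, min_high_tier=3, max_low_tier=1):
    """Every chain that lets a low-trust zone reach a high-value zone, directly
    or by pivoting. Returned as (low zone, high zone, path)."""
    found = []
    for low, tier in tiers.items():
        if tier > max_low_tier:
            continue
        for dst, path in paths_from(rules, low).items():
            if tiers[dst] >= min_high_tier:
                found.append((low, dst, path))
    return found

# Segmented rule set: the vendor zone gets no onward rule into corporate, so vendor
# traffic terminates there. The legacy server is still reachable only via the jump host.
SEGMENTED_RULES = [r for r in FLAT_RULES if r != ("vendor", "corporate", "smb")]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        for low, high, path in segmentation_violations(rules, ZONE_TIER):
            print(f"{name}: {low} can pivot to {high} via {' -> '.join(path)}")
```

Against the flat rule set the check reports that both the internet and the vendor zone can pivot into the POS and legacy zones; against the segmented rule set it reports nothing, and the legacy server remains reachable only through the jump zone.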

Great job! You’ve looked at how to use network segmentation and compensating controls to secure sensitive systems. How can a network security engineer detect an intrusion to the network when a hacker exploits a weakness? On to the next section!