Security postures of traditional networks, especially in smaller organizations, have always treated the edge of the network as the point of highest risk. While firewalls, intrusion prevention systems, email filters, web filters, and anti-virus are still a staple in the security world, many agree that if and when you are targeted, these devices alone are unlikely to prevent a compromise.
Today's networks need to incorporate this into their design. Your network security cannot focus simply on the perimeter. You can no longer inherently trust the devices on your network, as is typically done in non-enterprise organizations. You must assume that the perimeter has been breached and that a device inside your network has been compromised.
Once a device is compromised, internal security and segmentation of the company's network become the concern: doing your best to detect and mitigate any compromised device within it. A key concept here is segmentation. Segmentation in its simplest form is dividing your network into classes of devices based on the data they contain and transmit, as well as the access they require.
For instance, a point of sale (POS) system handles very sensitive information and rarely needs to give its users unfettered access to the internet. Likewise, a vendor system such as an HVAC PC is unlikely to require access to a POS system, file shares, or even user workstations. Implementing this type of segmentation lays the building blocks for limiting what a compromised system can reach, and it provides additional points of inspection to detect the breach before any confidential data is stolen.
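As an added illustration, not part of the original post, the segmentation just described modelled as a zone allow-list with default deny, plus a replay of constructed flow records that surfaces the denied flows as the extra inspection points mentioned above. Zone names, address ranges and the sample records are assumptions made for the example.

```python
import ipaddress
# Constructed zone layout (assumed address ranges, not from the post).
ZONES = {
    "pos": ipaddress.ip_network("10.10.0.0/24"),
    "hvac": ipaddress.ip_network("10.20.0.0/24"),
    "workstations": ipaddress.ip_network("10.30.0.0/24"),
    "fileshares": ipaddress.ip_network("10.40.0.0/24"),
}

# Allow-list of (source zone, destination zone, destination port). Any flow
# not listed is denied; that default deny is what makes segmentation work.
ALLOWED = {
    ("pos", "internet", 443),            # in practice pin this to the payment processor
    ("workstations", "fileshares", 445),
    ("workstations", "internet", 80),
    ("workstations", "internet", 443),
    ("hvac", "internet", 443),           # vendor telemetry only
}

def zone_of(ip):
    # Map an address to its zone; public addresses count as "internet".
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"

def is_allowed(src_ip, dst_ip, dport):
    # A flow passes only if it matches an allow-list entry exactly.
    return (zone_of(src_ip), zone_of(dst_ip), dport) in ALLOWED

def audit(flow_log):
    # Replay "src dst dport" records and return the denied flows as
    # (src zone, dst zone, port): devices reaching into zones they have no business in.
    denied = []
    for line in flow_log.strip().splitlines():
        src, dst, dport = line.split()
        if not is_allowed(src, dst, int(dport)):
            denied.append((zone_of(src), zone_of(dst), int(dport)))
    return denied

# Constructed records: normal traffic, then an HVAC host probing POS, file shares, a workstation.
SAMPLE_LOG = """
10.30.0.12 10.40.0.2 445
10.10.0.7 93.184.216.34 443
10.20.0.5 10.10.0.7 445
10.20.0.5 10.40.0.2 445
10.20.0.5 10.30.0.12 3389
"""
```

On a flat network the three HVAC flows would simply succeed; with zone enforcement in place they are both blocked and logged, which is the detection opportunity the post refers to.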
While larger enterprises have been doing this for years, the latest trends show that organizations of any size need to start protecting their important data in many of the same ways. This does not stop at the network either: the network is merely one component of an overall security strategy that must also tie into systems and policies.