One Article Review

Source AlienVault Blog
Identifier 2484161
Publication date 2021-03-15 05:01:00 (seen: 2021-03-15 05:05:46)
Title What is network segmentation? NS best practices, requirements explained
Text This article was written by an independent guest author.

If you follow cybersecurity current events, you may know that the cost and frequency of data breaches continue to skyrocket. Organizations are constantly under attack, and the shift to remote work is only exacerbating the problem. According to IBM’s 2020 Cost of a Data Breach Report, most respondents are concerned that identifying, containing, and paying for a data breach is more burdensome today than ever before. Seventy-one percent feel that remote work will increase the time to identify and contain a breach, while almost the same number believe remote work increases the cost of a breach. The numbers agree: remote work has added $137,000 to the average breach cost.

In 2021 and beyond, reactive security measures—typically cumbersome and costly—are no longer sufficient. Instead, proactive strategies that anticipate potential risks or vulnerabilities and prevent them before they even happen are required. One such strategy, network segmentation, is critical for any organization. If you’re not deploying network segmentation, it’s time to get started.

What is network segmentation?

Network segmentation is a process in which your network is divided into multiple zones, with specific security protocols applied to each zone. The main goal of network segmentation is to have a better handle on managing security and compliance. Typically, traffic is segregated between network segments using VLANs (virtual local area networks), with firewalls representing an additional layer of security for application and data protection.

By separating your network into smaller networks, your organization’s devices, servers, and applications are isolated from the rest of the network. Potential attackers that successfully breach your first perimeter of defense cannot get further, as they remain contained within the network segment accessed.

How does network segmentation compare to micro segmentation?

The concept of micro segmentation was created to reduce an organization’s network attack surface by applying granular security controls at the workload level and limiting east-west communication. While micro segmentation began as a method of moderating lateral traffic between servers within one segment, it has evolved to incorporate traffic in multiple segments. This intra-segment traffic would allow communication between both servers and applications, as long as the requesting resource meets the permissions set out for that host/application/server/user.

Micro segmentation can also be used at a device level, for example to protect IoT or connected manufacturing or medical devices, since many ship without endpoint security or are difficult to take offline in order to update endpoint security.

The key differences between the two strategies can be boiled down like this:

- Segmentation works with the physical network, its policies are broad, it limits north-south traffic at the network level, and it is typically hardware-based.
- Micro segmentation works with a virtual network, its policies are more granular, it limits east-west traffic at the workload level, and it is typically software-based.

An analogy: if your network is a collection of castles, segmentation is like the huge walls surrounding the buildings, while micro segmentation is like armed guards outside each castle door.

When deciding between segmentation and micro segmentation, it shouldn’t be a question of one over the other. Incorporating both models into your security strategy is best: segmentation for north-south traffic and micro segmentation for east-west traffic.

Best practices for segmenting network traffic

However you go about segmenting your network, you’ll want to ensure the seg
Sent Yes
Tags Data Breach Vulnerability Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to be a pick-up of an earlier one.