Data Center

Network Segmentation Gives States Greater Visibility of Traffic

Segmenting state IT networks contains the scope of security when many state employees are working from home.

Tommy Peterson is a freelance journalist who specializes in business and technology and is a frequent contributor to the CDW family of technology magazines.

Protecting all the critical data on Utah’s sprawling network would be nearly unworkable if the state’s Department of Technology Services hadn’t partitioned the network and deployed tools that individually monitor and manage each segment, says Utah CISO Phil Bates.

“We segment our network to reduce risk, confine problems to an enclosed part of the network and limit the scope and cost of compliance audits,” Bates says. “We couldn’t pass an audit if our network wasn’t segmented, not because we have security issues, but because we couldn’t verify compliance for 25,000 machines each time the FBI comes for a criminal justice check.”

With the unprecedented shift to teleworking across the state due to the coronavirus pandemic, network segmentation demonstrated renewed value as a cybersecurity measure.

“We segment our VPN connections the same way we segment connections in our network,” Bates says. “All the reasons you segment a network apply when allowing remote connections. For example, it limits the exposure of state assets to external connections and reduces the scope of any audit.”

Should a security incident occur, the potential damage is contained within the network segment accessed by a remote connection preventing an attack from moving across the state network. As a matter of course, advanced management platforms and the rise of software-defined networking enables network segmentation in most large organizations, says Brandon Butler, IDC senior research analyst.

“These organizations want layers of security and granular control — eventually, we’ll get to general adoption of microsegmentation as platforms evolve,” Butler says. “Advanced platforms like those being developed by networking infrastructure vendors Cisco, Aruba and HPE, along with third-party solutions, are making segmentation policies easier to implement for organizations that deal with a lot of sensitive data — and easier for those with large teleworkforces.”

Advanced Tools Pave the Way for Network Segmentation

The key goals of any network segmentation should be visibility, automation and verification capabilities, Butler says. Automation of as many functions as possible is important because management of a segmented network can be complicated, while automated compliance verification and reporting tools take some of the pain out of auditing.

Network segmentation requires a large investment of time and money, and demands buy-in from organizational leadership, but truly boosts network security when many workers are accessing the network remotely, Butler says. He recommends that segmentation have specific goals clearly outlined before the project begins.

“You need to be able to say, ‘I want to segment these users’ or ‘I want to protect this data,’” he says. “And don’t forget to communicate with your users as you set your goals and along the way as you complete the project.”

For Utah’s Cisco/Palo Alto Networks implementation, DTS chose a Forescout Technologies solution, with Enterprise Manager and other tools to provide visibility, access control and vulnerability awareness, as well as asset and policy management for each portion of the network. Utah’s network infrastructure supports more than 25 state agencies with more than 60,000 endpoints and just over 20,000 state employees, many of whom began working from home in March.

Utah CISO Phil Bates partitions Utah’s network according to lines of business, with policies that are governed by applicable regulations.

With partitioning, a ransomware or other intrusion can be contained within one segment of the network. Utah’s network is partitioned according to lines of business, with policies for the segments governed by regulatory mandates if they apply. Whenever possible, organizations should use the policy guidelines spelled out by agencies such as the FBI and IRS to save effort and ease compliance, Bates says.

Like other major IT projects, network segmentation requires a thorough evaluation of all aspects of the IT infrastructure before organizations deploy new solutions, Bates says.

“There are different technologies you can use to do segmentation, and you need to choose the right one for your network,” he says. “These tools make the segmentation work by giving us visibility and control, but you’ve got to match them to your existing hardware.”

North Dakota Turns to Zero Trust Security

North Dakota has been working on a zero-trust, segmented network for at least six years, says CTO Duane Schell. Zero trust is a security architecture that relies on microsegmentation and high visibility in each segment, along with extremely granular access and policy control.

“Security has always been a top priority for us,” Schell says. “Prior to adopting our zero-trust model, we were segmenting different classifications of applications and different classifications of customers that reside on the network.”

The North Dakota network infrastructure is built on technologies from Extreme, Juniper and Palo Alto Networks. The state leverages capabilities from all those vendors in its zero-trust model, but relies most heavily on Palo Alto Networks orchestration and management tools, Schell says. The core platforms provide crucial automation tools that make partitioning possible.

“Going down the path of segmentation and zero trust is a heavy operational lift,” Schell says. “I highly recommend a very automated approach that incorporates a lot of orchestration capabilities for consistency in deploying policies and gives you far greater capabilities in how you monitor, manage and audit the networks.”

In addition to hardening security, easing the compliance process and simplifying audits, segmenting leads to a clearer view of network traffic, Schell says. That makes it easier to identify where something may have gone wrong if roughly 7,000 state employees connect to the network remotely.

“Once you’ve segmented around applications and the identities of users, you can have a much better understanding of what’s going on in the network,” he says. “If there’s trouble on the network, it becomes much easier to troubleshoot because the scope of the problem is limited.”

64%

Percentage of state HR directors who report regular telework for eligible positions

Source: Center for State and Local Government Excellence, Survey Findings: State and Local Government Workforce: 2020 Survey, April 2020

When state employees work from home, it is critical to simplify the operations of the state network and gain as much visibility as possible into network traffic, Schell says. Segmentation is a vital part of that process.

“When your staff is telecommuting or working from home, there are new challenges that are introduced surrounding general management of devices, support and security perspectives,” he says. “However, if your network segmentation strategy aligns with your remote access strategy, all of the benefits and associated recommendations relating to network segmentation continue to apply and, one could argue, are even more important.”

Network Segmentation Is One Part of Vermont’s Strategy

In Vermont, network segmentation is one aspect of a comprehensive “defense in depth” strategy, says CIO and Secretary of Digital Services John Quinn.

“Segmentation brings additional visibility, organization and security to the network,” he says. “When we can segment resources off, we have a better chance of controlling outbreaks of malware and keeping it contained.”

Vermont’s network infrastructure is primarily built on Cisco and Palo Alto Networks technologies, with the state mixing functionality from each platform and other best-of-breed tools for segmentation and monitoring, Quinn says.

Monitoring across all segments and maintaining a holistic view of the network is essential as the organization partitions off more of its resources, he says. One struggle for public sector IT is finding funds in the budget for the tools that monitor and orchestrate the workings of the entire network.

Documentation of systems, ports and protocols becomes particularly important as organizations partition and modernize their networks, Quinn says. Like Duane Schell in North Dakota, he emphasizes the need to understand every user, device and application on the network, and how they all interact, particularly when roughly 9,100 state employees work from home.

“As we’ve gone through the process of segmenting the network, we’ve tried to create complete documentation on each piece, but that can be difficult when you’re dealing with hard-coded legacy systems,” Quinn says. “It’s those portions of the network that trouble generally comes from.”

Network segmentation is part of a comprehensive modernization push for Vermont’s IT infrastructure. The way the network is partitioned has to reflect and support the future needs and aspirations of the organization, so it’s important that segmentation is part of long-term planning, Quinn says.

“This is a major project, and in order to invest wisely, you need to look ahead,” he says. “As much as possible, you have to know what you might need from your network in five or even 10 years.”

How to Make Network Segmentation a Success

The IT professionals interviewed by StateTech agreed on one piece of advice about segmenting networks: In the words of North Dakota CTO Duane Schell, “automate, automate, automate.” Partitioning the network is complicated and works best when it leverages the monitoring and management capabilities of advanced software tools.

Some other key advice:

Start the segmentation process with a clear understanding of the network, including all devices and applications, as well as all the users, Schell says.
Because state and municipal budgets are tight, plan segmentation projects so that they can be done incrementally but still produce benefits from the beginning, says Vermont CIO John Quinn.
To avoid wasted time and effort, use the policies that are spelled out by regulating agencies and use them as templates for other segments of the network, says Utah CISO Phil Bates.
Work with partners and vendors from the planning stage on, and use all the expertise available to you, says IDC Senior Research Analyst Brandon Butler.