Gartner Blog Network


Network Segmentation

by Andrew Lerner  |  November 9, 2017  |  1 Comment

One thing that comes up all the time with clients is how to segment their network(s).  There’s no simple answer to this, and we often see organizations over- and under-segmenting their environments. My colleague, security guru Greg Young has published our official positions on network segmentation (including microsegmentation) and a few takeaways include:

For starters, the core principle is that segmentation is based on data sensitivity, location and criticality. Further, in virtualized environments, change the technology, but not the security principles. Also, We’ve said it before, but it bears repeating: Don’t Oversegment: 

Network segmentation projects are often triggered from an assessment of the network as being overly flat. Flat networks do not have defense in depth, and raise the impact of a successful attack because “all your eggs are in one basket.” The most common mistake Gartner sees being made in response to remedying a flat network is to oversegment, or create too many zones. A principle of network segmentation is to group like resources together, to minimize security overhead: Build a fence around the car park, not a fence and gate around every car.

Greg and I talk pretty regularly, and even though networking and security are fundamentally different, we strongly agree on a common principle:  Don’t outsource network design.

Network segmentation projects are usually a rare occurrence in an enterprise, so there is likely to be little experience with staff in conducting them; however, the tendency to seek out a subject matter expert outsourcer to lead the effort should be resisted. Network segmentation decisions are based on internal business, rather than technology knowledge. Most Gartner clients that have outsourced the project have regretted that decision.

Don’t Cut the Lawn with Scissors: Not all segmentation mechanisms are equal in terms of trust. Mismatches of trust in segmentation result in too little risk, causing unnecessary expense and latency, or too much risk, exposing the enterprise.

sec22_298011_os Gentrify

You can access the full research here (paywall): Best Practices in Network Segmentation for Security

Summary: Implementing better network segmentation to improve security is a significant project for network operations, data center ops and security teams. From dividing IoT from IT using microsegmentation to avoiding oversegmentation, we call out best practices for maximizing success in this task.

Category: networking  security  

Tags: microsegmentation  network-security  

Andrew Lerner
Research Vice President
4 years at Gartner
19 years IT Industry

Andrew Lerner is a Vice President in Gartner Research. He covers enterprise networking, including data center, campus and WAN with a focus on emerging technologies (SDN, SD-WAN, and Intent-based networking). Read Full Bio


Thoughts on Network Segmentation


  1. Michael Bushong says:

    While the segmentation guidance here is the lead, I think the outsourcing of design is actually the most important part. As enterprises move to cloud, some will undoubtedly–even if only subconsciously–absolve themselves of architectural responsibility.

    We saw this with the AWS S3 outages, where companies that didn’t pay attention to designing for availability were impacted.

    Being cloudy doesn’t mean you don’t have to also be architecty. I like that you’re calling that out. I think it represents the single biggest threat to enterprise IT right now.

    Mike
    @mbushong



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.