I’ve blogged about network segmentation before, and many enterprises continue to struggle with it, particularly on-premises. The failure rate for network segmentation projects remains high, and most projects last longer than the average tenure of a CISO.
One of the biggest mistakes we see is reaching for some “shiny new object/silver bullet” to solve the problem (looking at you, microsegmentation). The tool shouldn’t drive the design, which is one of the six recommendations in the report. Here are a few snippets from the research…
Separate Zoning Design From Implementation. Build your zoning strategy separate from the specific implementation constraints of the environment. Design first, pick the tool second. Don’t let the tool drive the design. Picking the tool first, then creating the design is the canary in the coal mine of a doomed-to-fail network segmentation project.
When creating the design, remember that more zones do not always equal better security. Start with new assets/projects to progressively reduce the “zoning gap” (i.e., stop the bleeding). Start small and iterate. Aim for short, simple wins, and accept small, incremental improvements instead of aiming for “big-bang” implementations. Large “boil-the-ocean” segmentation projects fail much more often than smaller ones. Here’s a link to the full report (paywall): The 6 Principles of Successful Network Segmentation Strategies