Segmentation a key element of zero-trust security but adoption is slow
Akamai’s report indicated that segmentation is broadly recognized as an important part of zero trust security strategies. When asked why their organization began a segmentation project, the third-most common answer given by respondents was to advance zero trust.
Globally, most respondents aspire to go further and implement microsegmentation, which protects application workloads at a granular level – 89% said microsegmentation is at least a high priority, with 34% naming it as their top priority.
However, segmentation deployment has been slow at many businesses, the report found. Fewer than a third of organizations had segmented across more than two critical business areas, such as critical applications, endpoints, and business-critical assets/data, in 2023, despite 44% having started a network segmentation project two or more years ago. A lack of skills/expertise for segmentation (39%), increased performance bottlenecks (39%), and compliance requirements (38%) were cited as the obstacles most often encountered when segmenting networks.
On a more positive note, segmentation rates are gradually increasing overall. The percentage of organizations with segmented business-critical applications/data and segmented servers rose 12% and 8%, respectively, from 2021 to 2023.
Network segmentation ultimately the essence of zero-trust enforcement
Network segmentation is ultimately the essence of zero trust enforcement – the only connections that exist are those that are “allowed” – everything else is denied, Fernando Montenegro, senior principal analyst at Omdia, tells CSO. “Note that this is conceptual: The in-the-wire reality is a lot more complex, but network segmentation is a key part.”
Segmentation (and zero trust generally) is an effective approach against ransomware threats, at least to some extent, he adds. “The key issue is that ransomware is really a complex, multi-stage extortion campaign against a target company, and determined attackers will often look to subvert internal systems via stealing user accounts and elevating privileges. In that scenario, network segmentation may offer less value (note that I did not say no value) since the user traffic will likely be allowed.”
For organizations looking to implement effective segmentation/microsegmentation, Montenegro recommends having a keen understanding of the key organizational processes and data assets, and starting a segmentation process that considers all the ways those key assets need to be protected. “So, rather than start with a mindset of ‘How do I segment my networks?’ it’s more of ‘How do I control access to my critical data?’ which then translates into a broader network architecture.”