Segmentation Enforcement – CompTIA Network+ N10-009 – 4.1

Segmentation can be an important method of managing security. In this video, you’ll learn about Internet of Things (IoT) segmentation, SCADA, operational technology, guest networks, and BYOD.

In IT security, segmentation can be a very valuable tool. Segmentation may be physical, keeping devices on separate hardware, or it may be logical or virtual, such as separating networks with VLANs.

Sometimes this segmentation is created to increase performance. Some applications transfer large amounts of data, and by putting them on their own network, they can transfer that data in the most efficient way.

From a security perspective, segmentation allows us to limit which devices can talk to other devices. This is useful in environments where you want to be absolutely sure that one device and another device cannot communicate with each other. Sometimes this segmentation has already been determined before the network design is even complete. Some compliance standards, such as the one from the payment card industry, require segmentation if you’ll be storing credit card information.

Our industry is dealing with a large number of new devices connecting to the network that are IoT devices, or Internet of Things. These can be sensors, such as cooling and heating sensors, perhaps even lighting that you might connect to the network. Or it might be a smart device, such as home automation devices, video doorbells, cameras, and other home-based devices. This could also be a device you wear, such as a smartwatch or a health monitor.

The problem with these IoT devices is that while they may be very ingenious in their operation, they may not be very well thought out from a security perspective. So segmenting the IoT devices onto their own network, away from your data, might be a good choice for IT security.

Industrial devices also have a challenge when it comes to communication. These are IIoT devices, or Industrial Internet of Things. Here one machine communicates with another machine in order to keep all of those systems running.

With IoT devices, we’re most concerned about controlling lights or controlling temperature. With the Industrial Internet of Things, the stakes are higher. An entire manufacturing line may depend on all of these devices being able to communicate properly with one another. In that scenario, it makes perfect sense to segment all of these devices onto their own network. By segmenting them, you prevent any external device from disrupting that very important communication. There can also be automation within these Industrial Internet of Things configurations, and keeping these networks operating is what ensures that oil and gas systems continue to work, or that the medical devices in a hospital are able to communicate properly with the other medical devices.

When it comes to our critical infrastructure, or when lives are on the line, we need to make sure that these IIoT devices are able to communicate properly, and segmenting the network might be the perfect choice for that network configuration. When you’re talking about larger industrial equipment, you may be referring to SCADA or ICS. SCADA stands for Supervisory Control and Data Acquisition, and ICS stands for Industrial Control Systems.

These are very large systems that might be found in a manufacturing environment or used for power generation. These types of very large industrial systems require real-time monitoring, and we need to be sure that we can control the system across the network at a moment’s notice. If you look at a network with SCADA devices, you’ll notice that it is completely segmented from the rest of the network, and only people with the right access in the right location are able to reach these systems.

Uptime and availability become even more important when you talk about Operational Technology, or OT. These could be systems designed to keep the electric grid up and running. It might be traffic control. Or it may be an entire manufacturing plant that’s running on this OT equipment.

When a failure occurs in this type of environment, the results can be very wide ranging. For example, if you lose traffic control, the traffic lights may not work properly, or they may not work at all. Manufacturing plants may have to shut down completely. Or there may be problems with the power generation systems and with distributing that power across the grid. This is a very good example of where network segmentation can create a stronger security posture and keep these systems up and running all the time.

And if your access points support it, you may want to consider configuring a guest network for your building or your home. This allows people to access the internet but prevents any type of access to your internal services. In the list of available wireless networks, you would see a separate wireless network just for guests to use. You may control access to it with a passphrase, or guests may have to log in to gain access to that wireless network. The useful part of segmentation here is that everyone on the guest network can still access the internet as they normally would, but they have no access to the internal services on the inside of your network.
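As an added example that is not part of the video, the following Python models the inter-segment policy described above for the IoT, SCADA and guest segments using constructed example addresses and a first-match rule list with a default deny, then audits the properties the video calls for: guests reach only the internet, IoT devices cannot reach the data network, and the SCADA segment is reachable from nowhere else.

```python
from ipaddress import ip_address, ip_network

# Constructed segment plan for illustration (addresses are not from the video).
SEGMENTS = {
    "corp":  ip_network("10.10.0.0/24"),  # workstations, file and database servers
    "iot":   ip_network("10.20.0.0/24"),  # thermostats, cameras, video doorbells
    "scada": ip_network("10.30.0.0/24"),  # PLCs and HMIs needing real-time control
    "guest": ip_network("10.40.0.0/24"),  # visitor wireless
}
INTERNET = "internet"  # anything not in the plan

def segment_of(addr):
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), INTERNET)

# Inter-segment policy, first match wins: (src, dst, dst_port, action).
# "*" matches anything; the last rule is the default deny between segments.
RULES = [
    ("corp",  "iot",    443, "allow"),  # admins reach IoT web dashboards only
    ("corp",  INTERNET, "*", "allow"),
    ("iot",   INTERNET, "*", "allow"),  # cloud-managed devices still phone home
    ("guest", INTERNET, "*", "allow"),  # guests get internet, nothing internal
    ("*",     "*",      "*", "deny"),
]

def decide(src_ip, dst_ip, dport):
    """Return 'allow' or 'deny' for one flow crossing a segment boundary."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:  # same segment: switched locally, never reaches the policy
        return "allow"
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src in ("*", src) and rule_dst in ("*", dst) and rule_port in ("*", dport):
            return action
    return "deny"  # implicit deny if someone removes the catch-all rule

# Invariants matching the video's goals (flows are constructed sample traffic).
INVARIANTS = [
    ("10.40.0.5", "203.0.113.10", 443, "allow"),  # guest -> internet
    ("10.40.0.5", "10.10.0.9",    445, "deny"),   # guest -> corp file server
    ("10.20.0.7", "10.10.0.9",    445, "deny"),   # IoT camera -> corp file server
    ("10.20.0.7", "10.30.0.2",    502, "deny"),   # IoT -> SCADA (Modbus/TCP)
    ("10.10.0.4", "10.20.0.7",    443, "allow"),  # admin -> IoT dashboard
    ("10.10.0.4", "10.20.0.7",    22,  "deny"),   # admin -> IoT over SSH
]

def audit():
    """Return the invariants the policy violates; an empty list means it passes."""
    return [inv for inv in INVARIANTS if decide(*inv[:3]) != inv[3]]
```

Running `audit()` against a proposed rule change before deploying it shows immediately which segmentation guarantee the change would break.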

And we often see segmentation being used with BYOD. This stands for Bring Your Own Device; you may also see it referenced as bring your own technology. This is when you bring your own mobile device into the office and also use it for work purposes. Of course, this device still needs to meet the organization’s requirements so that you have the proper security.

Most of the time, the organization is going to segment that device so that your private information remains private on your phone, while a separate segmented area is set aside specifically for office use. This means a system administrator can still maintain and manage all of the company data, and all of that information remains secure. If you leave the organization, the company’s data can be removed while all of your own data remains on the mobile device.