Recent statistics for 2024 indicate that 90 percent of organizations have experienced at least one data breach or cyber incident. Given the growing regulatory scrutiny surrounding cybersecurity, it’s important to implement robust safety measures. One essential practice is data segmentation, which can significantly enhance the protection of client information.
While data segmentation may not be as “glamorous” as some cybersecurity practices, it is a reliable workhorse. “The segmentation of data is a fundamental underlying component of cost-effective and pragmatic cybersecurity,” says Edward Starkie, director of GRC at a global risk intelligence firm. “Data management is laborious and sometimes viewed as an unattractive component of cyber security, but it is also a part of other disciplines that businesses have in place including compliance and data protection.”
Starkie goes on to say that appropriate segmentation allows access controls to be tailored, encryption to be applied, and even detective controls implemented and focused on high-value or high-risk data.
“When protecting or considering the necessary segmentation of data it is vital to understand the relative criticality of the data. This can be possible when the technology it feeds, and ultimately the business processes that rely on it are understood,” Starkie says, adding, “The criticality of similar data sets can vary from business to business. Hence, a detailed and nuanced understanding is vital. It is also important to understand whether the importance changes during the year of the business calendar.”
The Goldilocks zone
Like the porridge in the fairy tale, the segmentation needs to be “just right.”
“Don’t assume that over-segmenting will automatically lead to the highest level of security. Striking the right balance is key in segmentation,” says Matthew Franzyshen, Business Development Manager of Ascendant Technologies.
“Doing too much will introduce plenty of unnecessary complexities and barriers that will force your operational teams to navigate multiple access points just to retrieve the data they need,” Franzyshen shares. “This not only creates inefficiencies but also hampers productivity. Mapping your data flows is equally important. Develop clear, accessible data flow diagrams so relevant teams can easily understand where your data resides, how it moves across your network, and who has access to it. This approach helps reduce blind spots and delays.”
Analysis drives success
Greg Sullivan, founding partner of global security services firm CIOSO Global, says that analyzing data is key to any organization’s success.
“Thankfully, there are many approaches and countless tools available to help us organize our data, perform our analyses, and visualize our results,” Sullivan says, adding that from a cybersecurity perspective, these steps must be conducted without (or by minimizing) the replication of data.
“There exists always the temptation to replicate data for the next team or next set of analyses. By replicating data, we are expanding our attack surface area – making our data more readily available for threat actor access and malicious activity,” Sullivan explains, adding that the additional cost of providing an equal level of protection to all copies of the data or keeping the data within a company’s own walls adds up. “The same is true for maintaining obligatory compliance requirements as certain data is replicated across, or outside of, an enterprise,” he concludes.
Tips and strategies for MSPs
Matthen Coston, an independent cybersecurity specialist in Houston, states that segmentation offers a variety of benefits as part of a holistic managed service provider (MSP) cybersecurity package.
Segmented zones isolate and protect high-value assets and data. “It’s just far easier to protect data if it is isolated,” Coston advises.
Coston also recommends the following segmentation strategies:
- Establish a segmented high-security zone for high-value assets and/or OT systems components.
- Protect access to devices within this zone by using specific firewall access controls.
- Establish a demilitarized zone (DMZ) for work that must be within the high-security zone. Allow only specific devices within the DMZ to connect to high-value assets, and only through specified connections.
- Allow only specific users/devices to connect remotely to devices in this DMZ to access high-value servers.
- Limit data traffic to the IT network with remote access controls; zero trust is, of course, a potent weapon here.
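The zone model in these recommendations (IT network, DMZ of jump hosts, high-security zone, with only specific devices allowed through specified connections) can be written down as a default-deny allowlist and checked before firewall rules are deployed. The following is an added example, not code from the article or from Coston; all addresses, zone ranges and rules are constructed sample values.

```python
# Segmentation policy checker (added example; zones, hosts and rules are constructed).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: the general IT network, a DMZ of jump hosts, and the high-security zone.
ZONES = {
    "it":   ip_network("10.10.0.0/16"),
    "dmz":  ip_network("10.20.0.0/24"),
    "high": ip_network("10.30.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: frozenset   # specific devices permitted; empty set means any host in the zone
    dst_ports: frozenset   # the specified connections (TCP ports) permitted

# Allowlist between zones. Any cross-zone flow not matched here is denied (default deny).
RULES = [
    # only two named jump hosts in the DMZ may reach high-value servers, and only over SSH/RDP
    Rule("dmz", "high", frozenset({"10.20.0.5", "10.20.0.6"}), frozenset({22, 3389})),
    # only the remote-access gateway in the IT network may reach the jump hosts, over SSH
    Rule("it", "dmz", frozenset({"10.10.1.1"}), frozenset({22})),
]

def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def is_allowed(src: str, dst: str, port: int) -> bool:
    """Decide one flow: same-zone traffic is left to host firewalls; cross-zone needs a rule."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False
    if sz == dz:
        return True
    return any(
        (r.src_zone, r.dst_zone) == (sz, dz)
        and (not r.src_hosts or src in r.src_hosts)
        and port in r.dst_ports
        for r in RULES
    )

def audit(flows):
    """Return the flows (src, dst, port) that violate the segmentation policy."""
    return [f for f in flows if not is_allowed(*f)]
```

Running `audit` over observed flows (for example from flow logs) lists every connection that bypasses the DMZ, which is the detective control Starkie describes focused on the high-value zone.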
“Zero Trust Security helps organizations meet compliance standards by enforcing strict access controls and data segmentation,” Coston says.
As cybersecurity threats continue to grow, implementing robust practices like data segmentation is essential for protecting sensitive information. While often overlooked, data segmentation is a crucial tool. It enables tailored access controls, encryption, and detection measures to safeguard high-value data. Striking the right balance in segmentation, ensuring it’s neither too complex nor too lenient, is key to maintaining operational efficiency and security.
Photo: Apops / Shutterstock