Keeping pace with growing cyber threats is an uphill battle for Federal agencies as network complexity increases and the boundaries of networks extend to systems and devices not always under the control of their IT organizations.
Most of today’s government networks are built to allow devices to access resources on the network, including devices in branch offices and the PCs or laptops of remote workers. If these devices are not appropriately configured and secured, they can open the door for adversaries to compromise other devices on the network.
“Most people would agree that the weakest point in any network environment is the endpoint, particularly where a human user sits at a keyboard. Humans are the failure-prone component we can’t fix,” said Tom Gilbert, chief technology officer with Blue Ridge Networks, a cybersecurity company that provides autonomous security for interconnected systems.
Organizations often have no assurance about the state of the remote devices accessing the network, whether they are riddled with malware or adequately protected. So even if an employee logs on with strong authentication, an unmanaged endpoint can be the single weakest link in the entire system, Gilbert noted.
As cybersecurity attacks proliferate across corporate and government networks, network segmentation and access control are becoming standard approaches for addressing the vulnerabilities inherent in today’s connected enterprise. They can be especially helpful for agencies with classified or sensitive data sitting on internal resources that are reachable over the network from uncontrolled endpoints.
Network segmentation is an approach advocated by the National Institute of Standards and Technology’s Cybersecurity Framework (CSF). It involves dividing the network into smaller networks and separating groups of systems from one another; isolating or filtering the traffic allowed between segments limits access and gives better access control. This method of hardening the wide area network (WAN) and local area network (LAN) is used by the Department of Defense and many government and commercial entities, according to Blue Ridge Networks.
However, network segmentation has had its downsides: it can be complex, costly, and difficult to manage at scale. In fact, network segmentation has traditionally been a complicated and disruptive architecture that has dissuaded many enterprises from adopting it, Gilbert said.
To address these issues, Blue Ridge Networks has pioneered an approach and technology the company describes as Autonomous Network Segmentation (ANS). “ANS is a cryptographic approach to segmentation. Rather than monitoring packets based on known threats and pre-determined rules, as traditional security tools do, ANS stresses autonomous cryptographic proof over content dependence, using mandatory public key cryptography to automatically authenticate the identity of each networked system before any data is transferred,” according to the company.
What this means is that before a network packet is decrypted and forwarded to a user, it must carry cryptographic evidence that it originates from a trusted ANS appliance and a known closed user group. The trust decision is therefore made on the verified origin of the packet, not on inspection of its contents. Once a system is verified and deployed, the connected networks and devices trust nothing else, which establishes cryptographically isolated network segments within an organization’s networking environment.
“The network segmentation addresses the need to minimize the potential for lateral attacks within a network. The whole point is our system allows that segmentation to occur all the way down to an endpoint,” Gilbert said. The ANS ecosystem is based on the Zero Trust methodology, a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and must instead verify anything and everything trying to connect to their systems before granting access.
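As an added illustration (not Blue Ridge Networks’ code or wire format), the following Go program shows the pattern the preceding paragraphs describe: a receiver holds a pinned roster of the public keys of its closed user group, every frame carries the sender’s ID, a counter and an Ed25519 signature, and a frame whose signature does not verify under a pinned key is dropped before its content is looked at. The frame layout, the `ApplianceID` type, the `Seal`/`Open` names and the counter-based replay check are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout of one frame (an assumption for this example):
//   sender ID (8 bytes) | counter (8 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so ID and counter cannot be altered.
const (
	idLen    = 8
	hdrLen   = idLen + 8
	minFrame = hdrLen + ed25519.SignatureSize
)

// ApplianceID is a fixed-width name for a member appliance.
type ApplianceID [idLen]byte

var (
	ErrUntrusted = errors.New("cug: frame is not from a trusted group member")
	ErrReplay    = errors.New("cug: counter not newer than last frame from this member")
)

// Group is one receiver's view of a closed user group: the public keys it was
// provisioned with, plus the highest counter accepted from each member.
type Group struct {
	members  map[ApplianceID]ed25519.PublicKey
	lastSeen map[ApplianceID]uint64
}

func NewGroup() *Group {
	return &Group{members: map[ApplianceID]ed25519.PublicKey{}, lastSeen: map[ApplianceID]uint64{}}
}

// Add pins a member's public key. Only keys added here are ever trusted.
func (g *Group) Add(id ApplianceID, pub ed25519.PublicKey) { g.members[id] = pub }

// NewAppliance creates an identity for an appliance. In a deployment the key
// pair would be generated on the device and the public half provisioned out of band.
func NewAppliance(name string) (ApplianceID, ed25519.PublicKey, ed25519.PrivateKey) {
	var id ApplianceID
	copy(id[:], name)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return id, pub, priv
}

// Seal builds and signs a frame. Counters must start at 1 and strictly increase.
func Seal(id ApplianceID, priv ed25519.PrivateKey, counter uint64, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+ed25519.SignatureSize)
	copy(body[:idLen], id[:])
	binary.BigEndian.PutUint64(body[idLen:hdrLen], counter)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Open checks a frame and returns its payload. Anything that fails is dropped
// without touching receiver state, so a forged or tampered frame cannot
// advance the replay counter for the member it impersonates.
func (g *Group) Open(frame []byte) ([]byte, error) {
	if len(frame) < minFrame {
		return nil, ErrUntrusted
	}
	body, sig := frame[:len(frame)-ed25519.SignatureSize], frame[len(frame)-ed25519.SignatureSize:]
	var id ApplianceID
	copy(id[:], body[:idLen])
	pub, ok := g.members[id]
	if !ok || !ed25519.Verify(pub, body, sig) {
		return nil, ErrUntrusted // unknown sender or bad signature: content is never examined
	}
	ctr := binary.BigEndian.Uint64(body[idLen:hdrLen])
	if ctr <= g.lastSeen[id] {
		return nil, ErrReplay
	}
	g.lastSeen[id] = ctr
	return body[hdrLen:], nil
}

func main() {
	idA, pubA, privA := NewAppliance("branch-A")
	_, _, privX := NewAppliance("outsider") // never added to the group
	g := NewGroup()
	g.Add(idA, pubA)

	payload := []byte("training portal request") // constructed sample payload
	got, err := g.Open(Seal(idA, privA, 1, payload))
	fmt.Printf("member frame:   %q err=%v\n", got, err)
	_, err = g.Open(Seal(idA, privX, 2, payload)) // claims to be A, signed by an outsider
	fmt.Println("spoofed sender: err =", err)
	_, err = g.Open(Seal(idA, privA, 1, payload)) // same frame again
	fmt.Println("replayed frame: err =", err)
}
```

The ordering inside `Open` is the security-relevant detail: membership and signature are checked before the counter, and the counter is only recorded after both pass, so an attacker who can see frames on the shared infrastructure can neither inject into the group nor burn a legitimate member’s counter with a forged frame.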
Blue Ridge Networks is working with the U.S. National Guard to allow service members to use their home PCs for computer-based training, reducing the time and expense it would take to travel long distances to a National Guard facility for the training. “We have a way of isolating access to the system using ANS that [helps] eliminate vulnerabilities and save people a tremendous amount of time and effort and unnecessary expense to keep up with their training,” Gilbert said.
Thinking Differently About Segmentation
Segmentation can be an effective security tool if done right, according to Brent Bilger, vice president of product management at Vidder, which offers a solution that provides trusted access control across internal, external, and cloud networks.
In a recent whitepaper, Segmentation for Security, Bilger advocates creating “a strong barrier between users and servers that can execute trust-aware policies for controlling access to applications.”
“Trust-aware means the access control system should act based on deep and extensive knowledge about the user, the device being used, its location, and the sanctity of the software on that device,” he continues.
“One might ask if I have such a powerful boundary between my user devices and my servers, do I need to do any traditional network segmentation at all? The answer is probably not in the corporate access network. But traditional network segmentation between servers in the data center can be a useful complement to add a layer of security in the data center,” Bilger writes.
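As an added example (not Vidder’s policy engine or code), the following Go program turns the signals Bilger lists into a trust-aware access decision: user authentication, whether the device is managed, how fresh its software-posture report is, its patch state, and its location, combined into an allow/deny with a scope the gateway would enforce. The `AccessRequest` fields, the fifteen-minute posture freshness window and the “full”/“limited” scopes are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// AccessRequest is what the access-control point knows at decision time.
// The field set is an assumption for this example.
type AccessRequest struct {
	User          string
	MFA           bool      // the session was authenticated with a second factor
	App           string
	AppSensitive  bool      // application holds data that needs full trust
	DeviceManaged bool      // device is enrolled in the organization's management system
	PostureAt     time.Time // when the device last reported its software state (zero = never)
	PatchCurrent  bool      // OS and endpoint protection at the required versions
	DiskEncrypted bool
	OnCorpNetwork bool      // request came from a corporate address range
	Now           time.Time
}

// Decision is allow/deny plus the scope the gateway enforces.
type Decision struct {
	Allow  bool
	Scope  string // "full", "limited", or "" when denied
	Reason string
}

// PostureMaxAge is assumed for the example: an older report counts as absent.
const PostureMaxAge = 15 * time.Minute

func deny(reason string) Decision { return Decision{Reason: reason} }

// Decide applies the checks in order: identity first, then device state, then
// context. A strong credential presented from an unmanaged or unverifiable
// device never reaches the servers, which is the point of line 4 above.
func Decide(r AccessRequest) Decision {
	if !r.MFA {
		return deny("multi-factor authentication required")
	}
	if !r.DeviceManaged {
		return deny("device is not managed")
	}
	if r.PostureAt.IsZero() || r.Now.Sub(r.PostureAt) > PostureMaxAge {
		return deny("device posture report missing or stale")
	}
	if !r.DiskEncrypted {
		return deny("disk encryption required")
	}
	// Weaker signals degrade scope instead of denying outright.
	scope, reason := "full", "all trust signals satisfied"
	switch {
	case !r.PatchCurrent:
		scope, reason = "limited", "software out of date: read-only access"
	case !r.OnCorpNetwork:
		scope, reason = "limited", "off-network device: reduced access"
	}
	if scope == "limited" && r.AppSensitive {
		return deny(reason + "; application requires full trust")
	}
	return Decision{Allow: true, Scope: scope, Reason: reason}
}

func main() {
	// Constructed sample requests.
	now := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	base := AccessRequest{User: "jdoe", MFA: true, App: "training", DeviceManaged: true,
		PostureAt: now.Add(-2 * time.Minute), PatchCurrent: true, DiskEncrypted: true,
		OnCorpNetwork: true, Now: now}
	fmt.Printf("healthy managed device: %+v\n", Decide(base))

	unmanaged := base
	unmanaged.DeviceManaged = false // strong login, unmanaged endpoint
	fmt.Printf("unmanaged device:       %+v\n", Decide(unmanaged))

	stale := base
	stale.PostureAt = now.Add(-time.Hour) // posture evidence too old to rely on
	fmt.Printf("stale posture report:   %+v\n", Decide(stale))
}
```

Note that the user’s identity is checked first but is never sufficient on its own; the device checks come before any scope is granted, and a stale posture report is treated exactly like a missing one rather than as “probably still fine”.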
However, not all network segmentation approaches are the same. Blue Ridge Networks recommends an autonomous approach that lets organizations keep leveraging shared infrastructure for its cost benefits without leaving those systems wide open to the risks that shared infrastructure poses. When Federal agencies break up their massive networks into more controllable, segmented sections, security improves and the potential damage from any successful breach is greatly reduced.