Network Segmentation Strategies for Hybrid EnvironmentsNetwork Segmentation Strategies for Hybrid Environments

Most of us remember when computer networks operated in on-premises, corporate environments. Cloud access for enterprise resources was scant, and security breaches were less sophisticated. Best practices were to secure the network at its peripheral endpoints, use monitoring software, perform vulnerability testing, conform to industry security standards and be relatively assured that network security was under control.

In today's hybrid on-premises and in-cloud network environments, this is far from the case. Instead, network managers are tasked with designing and deploying subnetworks within the network that are restricted to specific user ecosystems, such as the following:

These segmented subnetworks can be on premises or in the cloud. They're usually demarcated with routers, switches, firewalls, and security policies and protocols.

The network segmentation market is soaring. According to Maximize Market Research, the North American network segmentation market stood at $9.7 billion in 2023. The firm projects the market to reach more than $17 billion by 2030. At the same time, it's not a simple feat to implement network segmentation. Network managers must address network architectural issues, obtain tools and methodologies, review and enact security policies, practices and protocols, and -- in many cases -- overcome political obstacles.

Related:How Does Network Security Handle AI?

What are the best network segmentation strategies for hybrid network environments that work across on-premises and cloud-based environments?

1. Assess Your Network and Align it with Business Goals

The goal of network segmentation is to place the most mission-critical and sensitive resources and systems under comprehensive security for a finite ecosystem of users. From a business standpoint, it's equally critical to understand the business value of each network asset and to gain support from users and management before segmenting.

Network managers face a tradeoff when segmenting systems: the extra layers of security make accessing the system a more time-consuming process, and users who previously had unlimited access might lose that access. Present this downside to management and users upfront so they can be aware and confirm their support.

2. Identify Business Needs, Set Goals and Define Security Policies

Meet with management and user groups throughout the company to develop a security access framework that categorizes user groups based on which systems they need to access and the permission levels they should receive. Determining which systems require network segmentation, who needs access to them and to what degree forms the bedrock of the security policies for each network segment. Once again, agreement from users and management is paramount.

Related:1Password Study Reveals Four Security Challenges Caused by Unmanaged AI Access

3. Develop a Network Segmentation Architecture

Determine what the network will look like. Will it combine on-premises, cloud and extranet networks, such as an extranet dedicated to third-party communication channels? Design the network segmentation architecture based on business needs, clearly identifying all segments across on-premises, cloud and extranet environments, along with their authorized users.

Divide the network segments logically into security segments based on workload, whether on premises, cloud-based or within an extranet. For example, if the Engineering department requires secure access to its product configuration system, only that team would have access to the network segment that contains the Engineering product configuration system. Define security access permissions and clearances, as approved by users, for each network workload segment.

4. Select Tried-and-True Technologies

Network teams can use in conjunction an array of network technologies at the network, subnetwork, device and endpoint levels to obtain the necessary network segmentation and security.

Related:What is the State of SIEM?

For on-premises networks, zero-trust networks and firewalls are a viable option. These technologies require users to authenticate each time they sign on and can track any network asset that is added, subtracted or changed. Teams can orchestrate zero trust to segment networks and to secure many extranets.

The catch is when sites use cloud-based networking and have users and applications that move between on-premises and cloud-based resources in a hybrid environment. With cloud environments, IP addresses that are fixed in an on-premises network are dynamically provisioned in the cloud. Since zero-trust networks rely on fixed IP addresses, zero trust isn't as effective in cloud environments.

With users moving between cloud-based and on-premises networks in a hybrid networking scenario, vendors now provide firewalls that track and admit users based on assigned metadata and tags that remain constant regardless of which cloud network a user is on. The firewalls verify access permissions from the metadata and tags, so the problem of changing IP addresses in the cloud is eliminated.

A third prong of segmented network security enforcement in hybrid environments is user identity management. Identity and access management (IAM) technology identifies and tracks users at a granular level based on their authorization credentials in on-premises networks but not on the cloud. Cloud infrastructure entitlement management (CIEM) can administer and monitor user identities and access activities at a granular level in the cloud, but only on a summary level on premises. Identity governance and administration can potentially act as an umbrella for both these security technologies, pulling them together so sites can have a 360-degree view of user activities, whether they're in the cloud or on premises.

5. Test and Deploy

Network teams should thoroughly test network segmentations before deployment. This is especially true in hybrid environments with both cloud and on-premises networks, because network teams must often coordinate with cloud vendors.

A good plan is to develop, test and then deploy each network segment separately. Proceed incrementally by testing and deploying only one network segment at a time.

6. Audit and Monitor

When selecting technologies and tools for hybrid network segmentation, a key consideration is to look at the reporting capabilities of the tools. Will the reporting generate the information the company and any auditors need?

Continuously monitor firewalls, intrusion detection systems and access controls. If the company is in an industry with its own security compliance standards -- such as PCI for payment processors or HIPAA for healthcare -- both the security policies and their execution should comply.