Our Use Case PDFs and blog images are only available in German. If you are interested in further information, we are happy to assist you personally. Please don’t hesitate to contact us directly.
Get the PDF for download here: Network segmentation for distributed locations with Akamai Guardicore Segmentation
1. The Initial Situation
The number of successful cyber attacks on German companies is growing. Attackers are no longer limited to local resources, but are extending their attacks to the entire IT landscape. The increasing interconnectedness between devices, tools and users plays into their hands. Many companies lack the necessary security practices to consistently protect their system environments and data across multiple data centers and clouds.
This situation raises the question for many companies as to whether cyber insurance, as offered by many large insurance groups, is sufficient to minimize the risk of an attack.
Can you insure yourself against cyber attacks?
Cyber security insurance against attacks, extortion and data theft initially seems like an appealing idea. Many companies consider this an important step towards prevention. Unfortunately, it is a fallacy that such insurance in itself reduces risk, because the decisive factors for obtaining a policy, and for its conditions, are the measures the company itself has taken to protect against possible cyber attacks. The rule is: the more technical measures the company has already implemented, the more advantageous or cost-effective a policy will be. The security recommendations of the insurers include network segmentation.

2. The Use Case
This case concerns a company from the automotive trade sector with 17 distributed locations in Germany that is seeking cyber security insurance. In order to comply with the network segmentation requirement, a solution with hardware firewalls was originally to be implemented. However, further planning revealed that the enormous expenditure of time and practical effort argued against such a solution.
The NetDescribe solution – Akamai Guardicore Segmentation
After a few intensive consultations with NetDescribe and a technical deep dive, we were able to convince the customer to implement network segmentation with Akamai Guardicore Segmentation technology.
Two Main Factors Were Decisive for the Decision: Cost and Time!
Firstly, the software-based solution from Akamai Guardicore was significantly cheaper than the investment in 52 hardware-based firewalls (3 firewalls per location + a backup). Secondly, the project plan for implementing network segmentation was reduced from 12 months to five months.
What is Akamai Guardicore Segmentation?
The Akamai Guardicore Centra platform is a software-based network segmentation solution. It enables comprehensive transparency at the process level, behavior-based policies and real-time detection of security breaches to protect your company’s most important resources. As a result, you get a cost-efficient, fast solution for consistent security – no matter the application, no matter the IT environment.
What does network segmentation mean?
Network segmentation involves dividing your network into small, separate segments (subnetworks). Often, the network is divided into three logical zones (Trusted Zone, DMZ and Management Zone), which are isolated from each other with security controls. It is important that all systems within a zone have similar protection requirements. The system with the highest requirements sets the standard for the whole zone.
What is microsegmentation?
The most effective method of restricting connections between servers is to segment the network. There are three basic types of network segmentation, with microsegmentation being the approach that companies can use to enforce increasingly granular policies and restrictions.



What types of network segmentation are there?
Environment segmentation
This approach separates different environments from each other. For example, in your company, the development area can be separated from the production environment. This is the first, crucial phase of any segmentation strategy, which is followed by further segmentations.
Application segmentation
This so-called “ring-fencing” separates each specific, critical application from the rest of the network. The best microsegmentation solutions even enable control at the process level.
Process segmentation
The narrowest form of segmentation takes place within an application. Here you can create policies for managing communication between tiers within the same application cluster and, for example, control traffic between web, application and database servers.
PLEASE NOTE: NO CYBER INSURANCE WITHOUT SECURING YOUR IT SYSTEMS!
There is great interest in cyber insurance, as new ransomware cases make headlines every day. The desire to cushion the financial damage with insurance is understandable. But the attacks are not the only problem. Many companies are still taking few or inadequate IT security measures and are forgetting elementary basics such as backup/restore, system hardening and network segmentation.
Advantages of software-based network segmentation with Akamai Guardicore Segmentation
- Implementation time 5 months
- Setup of the SaaS platform
- Distribution of the software agent to the existing IT systems (without downtime)
- Logical grouping of the assets in the platform
- Segmentation by creating security rules based on the logical grouping of the assets and the collected communication relationships
Network segmentation is therefore the best practice solution for your IT security!
Disadvantages of network segmentation with firewalls
- Implementation time 12 months
- Definition of new networks/segments for all locations
- Pre-setup of perimeter firewall and switches
- Integration of the hardware firewall into the existing network at the respective locations (on site or remotely with downtimes)
- Configure new IP addresses for the respective new network segments on the systems (on site or remotely with downtimes)
- Segmentation by creating security rules after all previous steps have been carried out successfully (Ideally, the firewall rules are defined during the pre-setup. However, not all communication relationships are known.)
3. Comparison of hardware- and software-based segmentation
Retrofitting network segmentation with hardware-based firewalls requires restructuring the existing IT infrastructure. This must be planned accordingly and implemented across all required systems. In most cases, this results in a high expenditure of time and effort, which entails downtime of the services provided and, if necessary, a subsequent adjustment to the software.
Retrofitting network segmentation with a software-based solution can take place without interruption during ongoing operation, as the existing IT infrastructure does not have to be changed. Thanks to the software-based approach, the corresponding communication relationships (down to the process and user level) are logged and can then be used to create the segmentation, regardless of which network (data center, on premises, cloud) the systems are located in.
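The workflow described above (log communication relationships, group assets logically, derive rules from both) can be sketched as follows. This is an added example, not code from the original page and not the Guardicore product's API; the host names, labels, flows and function names are constructed for illustration.

```python
from collections import Counter

# Constructed asset inventory: host -> (environment, application, role).
LABELS = {
    "web01": ("prod", "shop", "web"),
    "web02": ("prod", "shop", "web"),
    "app01": ("prod", "shop", "app"),
    "db01":  ("prod", "shop", "db"),
    "dev07": ("dev",  "shop", "app"),
}

# Constructed flow log: (source host, source process, destination host, port).
FLOWS = [
    ("web01", "nginx", "app01", 8080),
    ("web02", "nginx", "app01", 8080),
    ("app01", "java",  "db01",  5432),
    ("dev07", "psql",  "db01",  5432),   # dev host reaching the prod database
]

def derive_rules(flows, labels):
    """Collapse host-level flows into label-level allow rules.

    Flows that cross environments are not turned into rules; they are
    returned separately for manual review (environment segmentation).
    """
    allow, review = Counter(), []
    for src, proc, dst, port in flows:
        s, d = labels[src], labels[dst]
        if s[0] != d[0]:
            review.append((src, proc, dst, port))
            continue
        allow[(s, proc, d, port)] += 1
    return allow, review

def is_allowed(allow, labels, src, proc, dst, port):
    """Default deny: a connection passes only if a derived rule matches,
    including the source process (process-level control)."""
    return (labels[src], proc, labels[dst], port) in allow

if __name__ == "__main__":
    rules, needs_review = derive_rules(FLOWS, LABELS)
    for (s, proc, d, port), hits in rules.items():
        print(f"ALLOW {'/'.join(s)} [{proc}] -> {'/'.join(d)}:{port} ({hits} flows)")
    for flow in needs_review:
        print("REVIEW", flow)
```

Because the rules are keyed on labels rather than IP addresses, a new web server only needs the right label to inherit the existing policy, and no re-addressing of systems is involved.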