Segmentation a key element of zero-trust security but adoption is slow
A recent report from Akamai highlights the importance of segmentation as a key element of zero-trust security strategies. According to the report, organizations recognize the value of segmentation in advancing zero trust. In fact, when respondents were asked why their organization began a segmentation project, advancing zero trust was the third-most common answer.
Globally, most respondents also expressed a desire to go further and implement microsegmentation, which offers even more granular protection for application workloads. The report found that 89% of respondents consider microsegmentation a high priority, with 34% naming it as their top priority.
However, despite the recognition of the importance of segmentation, the adoption of this security measure has been slow in many businesses. The report revealed that less than a third of organizations have implemented segmentation across more than two critical business areas, such as critical applications, endpoints, and business-critical assets/data, in 2023. Interestingly, 44% of organizations surveyed had already started a network segmentation project two or more years ago, indicating a lack of progress in this area. The main obstacles cited for slow adoption included a lack of skills/expertise for segmentation, increased performance bottlenecks, and compliance requirements.
Despite these challenges, the report did provide some positive news. It showed that overall segmentation rates are gradually increasing. From 2021 to 2023, the percentage of organizations with segmented business-critical applications/data rose by 12%, and the percentage with segmented servers increased by 8%.
To better understand the importance and potential impact of network segmentation, CSO spoke to Fernando Montenegro, a senior principal analyst at Omdia. Montenegro emphasized that network segmentation is ultimately the essence of zero-trust enforcement. In a zero-trust environment, only allowed connections are permitted, and everything else is denied. While he acknowledged that the in-the-wire reality is more complex than this conceptual representation, Montenegro stressed that network segmentation is a crucial part of zero trust.
Montenegro also highlighted the effectiveness of segmentation, especially in combating ransomware threats. By limiting the lateral movement of attackers within a network, segmentation can help mitigate the impact of ransomware attacks. However, Montenegro acknowledged that determined attackers may still find ways to subvert internal systems, such as stealing user accounts and elevating privileges. In these scenarios, the value of network segmentation may be diminished, although it still offers some level of protection.
For organizations looking to implement segmentation or micro-segmentation effectively, Montenegro advised starting with a keen understanding of key organizational processes and data assets. Instead of approaching the task with a mindset of simply segmenting networks, it is important to focus on controlling access to critical data. This approach will then inform the broader network architecture necessary to protect those key assets.
In conclusion, while segmentation is recognized as a key element of zero-trust security, its adoption has been slow. Organizations face various challenges, including a lack of skills, performance bottlenecks, and compliance requirements. However, the gradual increase in segmentation rates and the clear benefits it offers in combatting Ransomware highlight the importance of prioritizing and advancing segmentation strategies. It is crucial for organizations to understand their unique organizational processes and data assets to effectively implement segmentation and achieve a more robust zero-trust security posture.