Use segmentation to plan security boundaries in the workload environment, processes, and team structure to isolate access and function.
Base your segmentation strategy on business needs, like the importance of components, division of labor, privacy concerns, and other factors.
To reduce operational friction, define roles and responsibility clearly. This exercise helps you identify the level of access for each role, especially for important accounts.
Isolation limits exposure of sensitive flows to only roles and assets that need access. Too much exposure can lead to information leaks.
Contoso’s challenge
- In the spirit of simplicity, the team has historically favored low overhead approaches. These approaches have included grouping components and organizing individuals into security groups to simplify access management.
- A QA intern had broad access because of their security group membership. Unfortunately, their account was compromised in a social engineering attack.
- This attack compromised the confidentiality of that deployment and all other deployments on the same application platform.
Applying the approach and outcomes
- Luckily, the compromised environment was just an early test prototype for the new customer loyalty program, so no production systems were affected.
- The security team plans to invest time and money to isolate components that handle personal data, like addresses and emails, from components that don’t, like coupons. They’ll design access controls that are need-to-know and just-in-time (JIT) where possible, and isolate networks within the workload and back into Contoso to protect the organization.
- Segmentation helps contain the impact of a compromise.
Leave a Reply