Network segmentation is a hot topic within the UK healthcare sector at the moment – and for good reason. It's vital in helping organisations to deliver security resilience and improve security posture.
Every organisation is affected by the increasing volume of cyber threats and the potential impact they can have on operations. Most organisations now accept that keeping threats out of the organisation entirely is an unachievable goal, and that security resilience is key – to minimise the impact of an incident and prevent disruption to operations. Network segmentation is fundamental to achieving this goal.
By segmenting devices when they initially connect to the network, we can limit the extent to which any successful cyber attack can spread, thereby typically reducing the impact it can have on the organisation. The threat is contained, as it can’t spread laterally through the network. The greater the extent of the segmentation, the smaller the chances of that attack spreading across the organisation, or even to connected organisations – all of which helps to improve security resilience.
MACRO AND MICRO SEGMENTATION
Network segmentation can be considered at two fundamental levels: macro segmentation and micro segmentation. The macro approach considers segmenting devices by ‘class’, e.g., end-user devices, IoT devices, servers, etc. Micro segmentation, meanwhile, segments groups of devices within each class on a logical basis – e.g., clinicians' laptops, IT laptops, and BYOD phones, all within the end-user device class. Different access rules can then be applied, granting appropriate privileges to the different groups.
The network can typically be configured to segment devices at a macro level using Virtual Routing and Forwarding (VRF), and at a micro level using Virtual Local Area Networks (VLANs). A network access control solution is required to identify the device and user as they attempt to connect, and to ensure they are placed in the appropriate network segment. The access control solution should also support a Zero Trust approach, by authenticating the user and checking the security posture of the connecting device as it attempts to connect. In doing so, we can ensure that vulnerable, compromised, or non-compliant devices are not granted access to the organisation.
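As an added illustration (not code from ITGL, Cisco or the webinar), the following Python models the authorisation decision described above: a device class maps to a VRF (macro segmentation), a logical group within that class maps to a VLAN (micro segmentation), and Zero Trust gates on user authentication and device posture decide whether the device lands in its segment, is parked in a quarantine segment, or is refused. A second function shows why the placement matters, by answering whether traffic from one placed device could reach another. All VRF names, VLAN numbers, MAC addresses and allow-lists are hypothetical values constructed for the example; a real deployment expresses the same policy as ISE authorisation profiles, SVI ACLs and firewall rules rather than Python.

```python
from dataclasses import dataclass
from typing import Optional

# Macro segmentation: each device class gets its own routing domain (VRF).
# VRF names are hypothetical, chosen for this example.
MACRO_VRF = {
    "end-user": "VRF-USERS",
    "iot": "VRF-MEDICAL-IOT",
    "server": "VRF-SERVERS",
}

# Micro segmentation: a logical group within a class maps to a VLAN.
# VLAN numbers are hypothetical.
MICRO_VLAN = {
    ("end-user", "clinician-laptop"): 110,
    ("end-user", "it-laptop"): 120,
    ("end-user", "byod-phone"): 130,
    ("iot", "infusion-pump"): 210,
    ("server", "ehr"): 310,
}

# Remediation-only segment for devices that fail a gate.
QUARANTINE = ("VRF-QUARANTINE", 999)

# Paths between VLANs inside one VRF (enforced by ACLs); default deny.
INTRA_VRF_PATHS = {(120, 110)}           # IT laptops may reach clinician laptops
# Paths that cross a VRF boundary exist only where a firewall rule is written.
FIREWALL_PATHS = {(110, 310), (120, 310)}  # user VLANs to the EHR servers only


@dataclass
class Endpoint:
    mac: str
    device_class: str
    group: str                              # as profiled by the NAC solution
    user_authenticated: bool = False        # meaningful for end-user devices
    posture_compliant: Optional[bool] = None  # None = not assessed


@dataclass
class Decision:
    action: str        # "permit" | "quarantine" | "deny"
    vrf: Optional[str]
    vlan: Optional[int]
    reason: str


def authorise(ep: Endpoint) -> Decision:
    """Identity and posture gates first, then macro/micro segment placement."""
    vrf = MACRO_VRF.get(ep.device_class)
    vlan = MICRO_VLAN.get((ep.device_class, ep.group))
    # Unrecognised profile: never guess a segment, park it for investigation.
    if vrf is None or vlan is None:
        return Decision("quarantine", *QUARANTINE, "unrecognised device profile")
    # Zero Trust gate 1: an end-user device must carry an authenticated user.
    if ep.device_class == "end-user" and not ep.user_authenticated:
        return Decision("deny", None, None, "user authentication failed")
    # Zero Trust gate 2: posture must be positively compliant, not merely unknown.
    # For IoT and servers this flag would come from a vulnerability/profiling feed.
    if ep.posture_compliant is not True:
        return Decision("quarantine", *QUARANTINE, "posture non-compliant or not assessed")
    return Decision("permit", vrf, vlan, f"{ep.device_class}/{ep.group}")


def lateral_traffic_allowed(src: Decision, dst: Decision) -> bool:
    """Could traffic from src's segment reach dst's segment under the policy above?"""
    if src.action != "permit" or dst.action != "permit":
        return False                       # quarantined/denied devices reach nothing
    if src.vlan == dst.vlan:
        return True                        # same VLAN, same broadcast domain
    if src.vrf == dst.vrf:
        return (src.vlan, dst.vlan) in INTRA_VRF_PATHS
    return (src.vlan, dst.vlan) in FIREWALL_PATHS


# Constructed sample endpoints (MAC addresses are made up).
SAMPLE_ENDPOINTS = {
    "clinician": Endpoint("00:11:22:33:44:01", "end-user", "clinician-laptop", True, True),
    "it_laptop": Endpoint("00:11:22:33:44:02", "end-user", "it-laptop", True, True),
    "stale_laptop": Endpoint("00:11:22:33:44:03", "end-user", "it-laptop", True, False),
    "pump": Endpoint("00:11:22:33:44:04", "iot", "infusion-pump", posture_compliant=True),
    "ehr": Endpoint("00:11:22:33:44:05", "server", "ehr", posture_compliant=True),
    "unknown": Endpoint("00:11:22:33:44:06", "iot", "unknown-thing"),
}

if __name__ == "__main__":
    decisions = {name: authorise(ep) for name, ep in SAMPLE_ENDPOINTS.items()}
    for name, d in decisions.items():
        print(f"{name:13s} {d.action:10s} vrf={d.vrf} vlan={d.vlan} ({d.reason})")
    print("pump -> ehr:", lateral_traffic_allowed(decisions["pump"], decisions["ehr"]))
    print("clinician -> ehr:", lateral_traffic_allowed(decisions["clinician"], decisions["ehr"]))
```

The containment point from the earlier paragraphs is visible in `lateral_traffic_allowed`: a compromised infusion pump is placed in the IoT VRF, and because no firewall path is written from VLAN 210 to the server VLAN, it cannot reach the EHR servers even though a clinician laptop in VLAN 110 can. Tightening the two allow-lists is what "the greater the extent of the segmentation" means in practice.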
CISCO IDENTITY SERVICES ENGINE
Cisco Identity Services Engine (ISE) is a key component in providing effective segmentation and Zero Trust services, and is widely deployed by NHS Trusts. As well as providing access control and segmentation, ISE identifies and categorises all devices connecting to the network, providing a real-time asset inventory.
Cisco ISE supports compliance with schemes such as DSPT, Cyber Essentials, and the Cyber Assessment Framework – all of which require the network segmentation and access control capabilities that the product is built upon. ISE monitors and controls devices as they join the network, enforcing your policy to ensure compliance and provide broad visibility and control of every device that connects. Integrating ISE with existing security infrastructure – through pxGrid – allows for the isolation or removal of devices which become non-compliant. Integration with medical IoT security services – such as Cylera – provides vulnerability detail, categorisation, and behavioural analysis of medical devices.
We’re conscious that many ISE deployments aren’t utilised as effectively as they can be. Get in touch to discuss how your ISE install can become the cornerstone of your network segmentation and Zero Trust strategy.
JOIN OUR WEBINAR
With a continual increase in connected medical devices and IoT/OT, the cyber security threat to the healthcare sector is also growing. Implementing network segmentation can reduce the impact of a breach, keeping critical clinical systems online and operational. Join ITGL and industry-leading healthcare security vendors, Cisco and Cylera, to discuss the cyber security challenges facing the NHS and how to combat them.
Learn more about how to design, deploy, and maintain effective network segmentation, and secure the assets, data, and services connected to your network.
Webinar: A Healthy Connection: A Zero Trust Approach to Network Segmentation
Date: Thursday 10th October 2023, 11am-12pm
Location: Virtual Webex Meeting
Register: Register your interest here