Flat is trendy. Flat rates, flat hierarchies, flat iron steaks and even a flat earth, but a flat network? That is a real no-go nowadays and already for a long time. Anyone in the business of enterprise network design knows by that a flat network design is just begging for trouble at many levels and layers.
As IT professionals, we learn this early in our training and propagate this concept throughout most of our IT careers, that we need to segment everything to the extent possible to control traffic types, traffic flows, increase security, decrease downtime. I abided by this doctrine too, for many years and can truly attest to this strategy and all of it benefits- in an IT world.
What about OT- Operation Technology? Yes, believe it or not, we still encounter small and even mid-size companies along the way that deploy or maintain a flat network design concept and accept that the work it takes to turn a large flat network into a hierarchical network with proper segmentation is either unnecessary or too cumbersome and time consuming to undertake.
I absolutely agree with every one-vlan-wonder in the world, that the work of re-ip addressing is anything other than fun and with the pile of daily duties and pressures that administrators today face, the idea can be downright daunting if the network is large enough, but is it necessary? Absolutely. I remember giving a talk many years ago to an audience about SIEM where the audience raised some eyebrows and some questions as I discussed defense-in-depth network architecture. For many attendees, it was a new term and a new concept. I guess for me at the time, it was all about limiting the reach and the pivot capabilities of an attacker by deploying sensible network segmentation, security devices and activity monitoring. That was 2010.
Today, although the number and the sophistication of attacks has grown exponentially, the goal of an attack remains. The attacker or malware gets in, looks for ways to spread and/or expand privileges, gain access to an important system, pivot and harm or exfiltrate sensitive information. So how do we protect against this? Well, as one contact recently found out, in today’s world, maybe we do or maybe we don’t.
The best way to position on this question is to have the proper resiliency plan in place. This starts with a solid network design that minimizes your exposure and creates monitoring points at as many areas within the network as possible. Then we add the right security technologies, good monitoring and data-collection tools. This will go a long way towards achieving your desired level of resiliency, but that is just the start. An ongoing commitment to disaster recovery exercises, regular process reviews and a well-trained staff will be the key to the plan’s continued success.
To help you get started in evaluating the maturing of your company’s resiliency program there are a lot of questions that need to be answered. Here are just a few to get you going. How quickly do you think your company can recover after an attack? What restore points do your backups provide you? How do you protect your data at rest? How do you manage your keys, your passwords etc.? Would your employees know how to handle a critical data breach? Would they know when one is occurring and how to contain it? Is your network architecture up to the task?
Start asking these questions and others today. Periodically review them with your teams. Question your security processes from the ground up and measure maturity in any process you develop. Time pressures and requirements can result in situations that aren’t healthy for your infrastructure. We all know about the temporary fix, or the minimal risk that seems to resist every corrective measure. Don’t accept “Tech-debt” as an evolutionary process. Don’t assume anything and above all, ensure that you don’t end up flat on your back if a data breach occurs.