Network Segmentation and Authentication Best Practices

Cybersecurity threats are ubiquitous today. With cybercriminals and hackers devising new ways to break into computer networks and access sensitive data, network segmentation is an effective tool for preventing and minimizing costly data breaches as a result of hackers accessing sensitive information. Network segmentation allows you to focus security resources on those systems directly responsible for security of cardholder data. Network segmentation breaks up networks or systems into smaller units and divides up the flow of traffic between them.

Below, we discuss some important network segmentation and authentication techniques and practices. We also discuss how developers and ISVs can implement them to maximize security for their users and customers. 

What Is Network Segmentation?

Network segmentation definition

Network segmentation is the process of dividing up a network into smaller sections or segments. Effective segmentation separates portions of the network that handle cardholder data from the rest of the corporate network.

Network segmentation divides a network into a group of smaller subnetworks, with only a small subset of the computers on the total network able to participate in each subnetwork. Access to each subnetwork is restricted through passwords or other authentication procedures. This can effectively reduce the scope and complexity of a PCI-DSS assessment.

Why Segment?

Just why is segmentation important, though? What advantages are enjoyed by software companies that segment their networks? Here are just a few of the most salient reasons to adopt this practice:

Improved Security and Containment

A significant benefit of network segmentation is improved security and containment.

Hackers need access to a network to steal information. With complete access to a network, they can harvest private data from that network, plant malware that will infect all devices connected to the network, or worse. If networks are segmented, however, this will severely limit anyone’s ability to access a complete network without authorization.

Segmentation allows you to limit and filter network traffic and to only send it down specific channels. Thus, if any suspicious traffic is detected, the threat it poses can be quickly quarantined to only a specific subnetwork. The traffic will not be allowed to pass from one subnetwork to another without authorization. This ensures that if a breach were to occur in a particular merchant environment, the bad actor would not be able to access the sensitive data within the segmented portion of the network.

Better Access Control

With your network cleanly subdivided, you’ll be able to more easily control who gets access to what. You can design things at your company so that only specific employees have access to one subnetwork while others only have access to another. This will require hackers to learn multiple passwords or authentication keys before they can access your full network.

Improved Monitoring

Network segmentation makes it easier to monitor your network traffic. It is easier to log events, record which connections have been approved or denied, and detect suspicious traffic. Because each subnet is sealed off from the others, you can divide labor among network technicians and assign small teams on them to only monitor traffic going to and from each subnet instead of to and from the whole network. This makes security easier and decreases the likelihood that a threat will be missed.

Improved Performance

If your network is segmented, you’ll have fewer hosts operating per subnet. This minimizes local traffic and strain on the network. Ultimately, this will improve overall network speed and performance.

Best Practices for Network Segmentation

Follow these network segmentation best practices to reap the security benefits:

Educate Your Team

An effective network segmentation strategy depends on the active and informed participation of all your team members. Before you even begin your transition to segmentation, it’s important that your team members be informed of exactly what will be taking place and what their roles and responsibilities will be under the new security arrangement.

Not only should they know what network segmentation is and why it needs to be implemented, but they should also understand basic terminology that relates to the protocol, such as the difference between in-scope and out-of-scope systems and activities.

Being trained to guard against social engineering attacks is important. For example, no one should give out subnet access passwords to people they do not know or can’t directly verify.

Segment Your Network in a Way That’s Logical and That Maximizes Security

You should strive to segment your network in an intuitive and convenient way. However, you should always remember to weigh convenience against the maximization of security, with a bias in favor of security. This is particularly true if your company handles large amounts of cardholder data from paying customers or other kinds of data that absolutely must be kept safe. In such a case, it’s best to devote a separate network segment entirely to cardholder data and to strictly limit communication between that segment and all others. This will maximize security.

Minimize Subnet Intermingling

It’s generally a good policy to strictly assign particular employees only to certain subnets. The number of employees who need to access, handle, and transfer data in or between more than one subnet should be kept to a minimum. The fewer such employees there are, the fewer targets hackers will have from which they can extract ways to access multiple subnets.

Develop a Data Flow Map

Create a visual representation of the flow of cardholder data and other crucial information through your network. This will make monitoring much easier. It will also show those responsible for monitoring what to expect and make it easier for them to catch anomalies.

Choose a Way to Segment Your Network

There are many ways to segment a network, including with firewalls, switches, P2P encryption, an air gap, or a virtual LAN. Firewalls are the most used way, but another method may be more effective in your specific circumstances. Therefore, it’s important to know what your circumstances are and to strive for as much security, efficiency, and convenience as possible.

Network Segmentation and PCI Compliance

Network segmentation is a general security procedure that can be effective in protecting virtually any kind of sensitive information, but for companies that regularly take payment card information from customers, it typically forms an indispensable part of their efforts to comply with PCI standards. Effective network segmentation can drastically reduce the scope and complexity of a PCI-DSS assessment.

PCI DSS, or the Payment Card Industry Data Security Standard, sets out the minimum security standards that must be in place to prevent cardholder data from being compromised. Just as with network segmentation, there are principles of PCI DSS and best practices that stipulate who should have access to what data, when, and under which conditions. Just as the PCI standards make recommendations about how best to keep cardholder data safe, they also warn against things you should not do regarding PCI data storage. In that way, the ideas and principles undergirding both network segmentation in general and PCI compliance can often bleed into one another.

Conclusion

Effective network security is crucial to the proper operation and ultimate success of any ISV. Given the many cyberthreats looming today and the absolute need for companies that handle sensitive customer information to maintain their reputations, proper network security practices simply cannot be overlooked. As effective as network segmentation best practices can be in achieving this, however, implementing them can be difficult and disruptive to your organization. Global Payments Integrated can help you smoothly manage this transformation so that you can focus on pleasing your customers instead.

Contact us today to see the security solutions that we can offer you.

Richard Rohena

Manager of PCI Compliance Services

Richard is the Manager of PCI Compliance Services with Global Payments Integrated, providing developers of credit card payment solutions and merchants with a deep understanding of the Payment Card Industry Data Security Standard (PCI-DSS). He has over 8 years of experience working directly with developers and merchants to implement secure payment solutions in a manner compliant with the PCI-DSS.

View Profile

Richard Rohena