What is Network Segmentation?
Network segmentation is the practice of dividing a computer network into smaller segments so that systems and applications are separated from each other. It increases protection by restricting access to services to the particular groups of people within the enterprise who need them, which makes unauthorized access more difficult. In the event of a device compromise, an intruder or an unauthorized person will have access only to resources on the same subnet.
Network Segmentation Best Practices
- Become Familiar with Key Terminology
Always take time to become familiar with some basic and commonly used terminology in network segmentation:
- Assign One Person or Small Group to Tracking Cardholder Data Flows
Every successful project begins with a rock-solid team, and that is what you need for your network segmentation.
Always assign one person or a small team of staff members to learn all the locations where cardholder data flows through the network. This individual or team becomes responsible for tracking the overall flow of cardholder data, including where and how it is used and stored, which in turn helps reduce the scope of the cardholder data environment (CDE).
- Create a Cardholder Data Flow Map
Build a visual representation of the flow of cardholder data based on the information you collect from employee interviews and your independent study.
- Determine how you want your network to be segmented
Equipped with a clearer understanding of your cardholder data sources, you are able to decide the best way to segment your network. The most popular technique is a firewall, which means placing a piece of dedicated hardware between each pair of network zones to restrict the traffic that may pass between them.
Besides a firewall, there are other options available to you:
- Air Gap
- Analog Phone Lines
- Virtual LAN
- Point-to-Point Encryption
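As an added illustration (not from the original article), the following Python models a zone-based, default-deny firewall policy and checks it against flows taken from a cardholder data flow map: any mapped flow the policy would block is either a mapping error or a segmentation gap, and any zone with a permitted path into the CDE remains in PCI scope. All zone, host and rule names are constructed for the example.

```python
"""Segmentation policy check: does a zone-based firewall policy confine the
mapped cardholder data flows, and which zones remain in PCI scope?"""

# Constructed sample inventory: zone name -> hosts in that zone (hypothetical names).
ZONES = {
    "cde": {"payment-app", "pos-db"},
    "dmz": {"web-proxy"},
    "corp": {"hr-laptop", "file-server"},
}

# Zone-to-zone firewall policy, default deny: only the (src_zone, dst_zone, port)
# triples listed here are permitted. Constructed for this example.
ALLOW_RULES = {
    ("dmz", "cde", 443),   # web tier forwards card data to the payment app over TLS
    ("cde", "cde", 5432),  # payment app talks to its database inside the CDE
}

# Flows copied from the (constructed) cardholder data flow map.
FLOWS = [
    ("web-proxy", "payment-app", 443),
    ("payment-app", "pos-db", 5432),
    ("hr-laptop", "pos-db", 5432),   # a corp workstation querying the card database
]

def zone_of(host):
    """Return the zone a host belongs to, or raise if it is not inventoried."""
    for zone, hosts in ZONES.items():
        if host in hosts:
            return zone
    raise KeyError(f"host {host!r} is not in any zone")

def is_allowed(src_host, dst_host, port):
    """Apply the zone policy with default deny."""
    return (zone_of(src_host), zone_of(dst_host), port) in ALLOW_RULES

def flow_violations(flows=FLOWS):
    """Mapped flows the firewall policy would block: each is either a mapping
    error to correct or a path that must be removed before the QSA review."""
    return [f for f in flows if not is_allowed(*f)]

def in_scope_zones(rules=ALLOW_RULES):
    """Any zone with a permitted path into the CDE is connected to it and stays
    in PCI scope; zones with no such path are what segmentation took out."""
    return {"cde"} | {src for src, dst, _ in rules if dst == "cde"}

if __name__ == "__main__":
    print("blocked flows:", flow_violations())
    print("zones in scope:", sorted(in_scope_zones()))
```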
- Get the Go-Ahead from Your Qualified Security Assessor
At the end of the day, your Qualified Security Assessor (QSA) must confirm that your segmentation approach and results are sufficient to reduce your PCI scope. Their review also builds confidence in your network segmentation approach and results, particularly if you are new to the process.