Caroline Paddle, Director, Skybox Security

Banks must learn to secure the data residing on their IT systems through network segmentation if they want to maximise security and stay accountable to regulators.

This is the view of Caroline Paddle, Director, Skybox Security. She has argued that by ring-fencing different parts of a banking business, for example segmenting the networks used by a bank’s retail and investment divisions, it becomes much harder for an attacker to carry an attack across the entire network. Employees, she said, are often cited as the weakest link in security, and with effective network segmentation an IT department can restrict an individual or server to only those parts of the network it actually requires, meaning any attack from a member of staff, whether intentional or accidental, is far easier to contain.

“Creating these lines of demarcation can also have tangible business benefits when it comes to mergers or divestments of business units,” added Paddle. “Despite its clear benefits and the risk of crippling fines from poor data management, some organisations aren’t proactively undertaking network segmentation.”

She identified certain factors which may be holding them back: “There is often the perception that network segmentation will introduce barriers to interdepartmental communication, but this shouldn’t be the case,” she concluded. “To make sure the necessary communication flows are in place, organisations should utilise network modelling tools so they can be confident that their access controls are correctly configured and communication flows are watertight. For a large enterprise, undertaking network segmentation can be a lengthy and manually intensive process. They might not necessarily have the skills or resources for this. Automated security monitoring and analysis tools can greatly help overcome this. And organisations often look at network segmentation in the wrong way. Of course, high-level direction should come from the CISO, but security and network teams need to work in tandem. By taking a holistic approach to network segmentation, businesses can eliminate internal silos.”
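The two ideas above, restricting each segment to the flows it needs and then modelling the policy to confirm the required flows work while everything else is closed, can be shown with a small script. This is an added example written for this page; it is not Skybox code and not a description of their product. The zone names (retail, investment, shared-services, internet), the ports, the rule sets and the lists of required and forbidden flows are all constructed for illustration. The point it makes that the paragraph alone does not is that a policy can deny retail-to-investment traffic outright and still leave a path between them through a shared-services zone that both sides are allowed to reach, which is why modelling has to consider pivots and not just individual rules.

```python
"""Toy segmentation model (added example, not Skybox's product or code).
Zones are ring-fenced parts of a bank; firewall rules are evaluated first-match
with an implicit default deny.  Besides direct reachability the model computes
pivot reachability: zones an attacker holding a host in one zone can reach by
chaining allowed flows.  All names, ports and rules below are constructed."""
from collections import deque
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or ANY
    dst: str      # destination zone, or ANY
    port: str     # destination port as a string, or ANY
    action: str   # "allow" or "deny"

def matches(rule: Rule, src: str, dst: str, port: str) -> bool:
    """True when every rule field is ANY or equals the corresponding flow value."""
    return all(field in (ANY, value)
               for field, value in ((rule.src, src), (rule.dst, dst), (rule.port, port)))

def allowed(rules, src: str, dst: str, port: str) -> bool:
    """First-match evaluation; no matching rule means deny (default deny)."""
    if src == dst:
        return True  # traffic inside one zone never crosses the zone firewall
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action == "allow"
    return False

def direct_reach(rules, zones, ports, src: str) -> set:
    """Zones a host in `src` can talk to on at least one of the listed ports."""
    return {dst for dst in zones
            if dst != src and any(allowed(rules, src, dst, p) for p in ports)}

def pivot_reach(rules, zones, ports, src: str) -> set:
    """Zones reachable from `src` by hopping through intermediate zones.
    Assumption: an attacker who can reach a zone can compromise a host there
    and use it as the next hop, so any chain of allowed flows is a path."""
    seen, queue = {src}, deque([src])
    while queue:
        current = queue.popleft()
        for nxt in direct_reach(rules, zones, ports, current):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(src)
    return seen

def audit(rules, zones, ports, required, forbidden) -> list:
    """required: (src, dst, port) flows the business needs, checked directly.
    forbidden: (src, dst) pairs that must stay unreachable even via pivots.
    Returns human-readable findings; an empty list means the policy passes."""
    findings = []
    for src, dst, port in required:
        if not allowed(rules, src, dst, port):
            findings.append(f"required flow blocked: {src} -> {dst}:{port}")
    for src, dst in forbidden:
        if dst in direct_reach(rules, zones, ports, src):
            findings.append(f"forbidden direct path: {src} -> {dst}")
        elif dst in pivot_reach(rules, zones, ports, src):
            findings.append(f"forbidden pivot path: {src} -> {dst} via an intermediate zone")
    return findings

# Constructed scenario: two business divisions, a shared DNS/Kerberos zone, the internet.
ZONES = ["retail", "investment", "shared-services", "internet"]
PORTS = ["53", "88", "443", "445", "3389"]
REQUIRED = [
    ("retail", "shared-services", "53"), ("retail", "shared-services", "88"),
    ("investment", "shared-services", "53"), ("investment", "shared-services", "88"),
    ("retail", "internet", "443"),
]
FORBIDDEN = [("retail", "investment"), ("investment", "retail"), ("internet", "investment")]

# Weak policy: retail<->investment is explicitly denied, but shared-services is a
# trusted hub that everything may reach and that may reach everything.  Each rule
# looks reasonable alone; together they leave a pivot path through the hub.
WEAK_POLICY = [
    Rule("retail", "investment", ANY, "deny"),
    Rule("investment", "retail", ANY, "deny"),
    Rule(ANY, "shared-services", ANY, "allow"),
    Rule("shared-services", ANY, ANY, "allow"),
    Rule("retail", "internet", "443", "allow"),
]

# Hardened policy: only the named services into shared-services, from named
# zones, and nothing initiated outbound from shared-services.
HARDENED_POLICY = [
    Rule("retail", "shared-services", "53", "allow"),
    Rule("retail", "shared-services", "88", "allow"),
    Rule("investment", "shared-services", "53", "allow"),
    Rule("investment", "shared-services", "88", "allow"),
    Rule("retail", "internet", "443", "allow"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy, ZONES, PORTS, REQUIRED, FORBIDDEN) or ["no findings"])
```

Run as is, the weak policy passes every required flow and denies retail-to-investment directly, yet the audit reports three forbidden pivot paths through shared-services (including one from the internet). The hardened policy, which names source zones and ports and never lets the hub initiate traffic outbound, reports nothing. A real model would work on address ranges and routes rather than zone names, but the check that matters is the same: required flows must be allowed, and forbidden pairs must be unreachable transitively, not just rule by rule.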

She said virtualisation and software-defined networking (SDN) afford greater opportunities for granular access controls. However, this can be a double-edged sword, she believed, as it can also increase complexity and make it harder for network and security teams to determine network access paths: “It’s necessary to have tooling that provides visibility across the full spectrum of the organisation’s infrastructure, whether data centre or cloud, physical or virtual,” she said.

by Guy Matthews