‘Tried and True’ Network Segmentation Can Come to the Rescue

Corporate networks are key to modern business. In fact, the enterprise risks associated with cyber breaches—financial, operational, and reputational—that came into sharp focus last year showed just how crucial modern digital networks are. It’s important, therefore, that senior management and board members understand the value of what Deloitte calls a “tried and true” technique—network segmentation—to enhance the security of corporate networks, thus significantly lowering enterprise cyber risk. According to the joint Deloitte/Palo Alto Networks’ recent Cybersecurity Fortification Initiative white paper, network segmentation offers several benefits, though it might also bring with it new kinds of risk to consider.

What is network segmentation? The idea is to partition computer networks into subnetworks in order to help prevent cyber threats from spreading. If a data breach on a segmented network occurs, the attack will be contained to that localized subnetwork. This inhibits the threat from accessing other parts of the network.

What are the benefits? Historically, cybersecurity tools were made as defensive walls—to protect the perimeter, keeping undesirable traffic out. But with the rise of more sophisticated hacking techniques, cyber attackers can easily get inside. Network segmentation can help mitigate the scope of these attacks by containing threats, reducing exposure of critical data. In addition, network segmentation can block the transfer of malware from end user systems to more sensitive core systems. It can also minimize the time and effort associated with audits, since the compartmentalization of networks can help keep related resources organized.

What are the risks? The primary risk from network segmentation comes from a complicated and often lengthy implementation process. Networks are often complex, making it a challenge for businesses to introduce internal segmentation. For example, any amount of incomplete or incorrect information present when setting up partitions could severely disrupt traffic—a potential cost most businesses would prefer to avoid. In addition, the process requires simultaneous cooperation from multiple stakeholders, which can be difficult to achieve. Network segmentation also typically calls for updates in security policies due to changes in the network’s infrastructure. Finally, network segmentation calls for ongoing management, meaning an increase in capital and operating expenses.

How to make the switch work for you? To make the transition most efficiently, it is key to build a diverse team of business owners, network architects, IT security personnel, and application architects to implement the process. Next, get familiar with the basic steps of the process: identifying the way information flows in the business, build the segmented network based on the flow of information, create updated security policies, incorporate any necessary security capabilities, and then be prepared to continuously monitor and update the network.

Start by focusing on practical approaches instead of tackling a complete overhaul at the get-go. For example, begin with small, low-risk segmentation to see how it works. Then start prioritizing which data to segment, such as separating the main data center from the areas of the network where end-users reside.


Implementing network segmentation is a complex affair that will ultimately change your business processes and IT systems and processes in ways that effectively reduce enterprise risk from cyber incidents. It may be a major undertaking to introduce segmentation, but with the increase of sophisticated cyber criminals, the benefits outweigh the costs. Network segmentation adds a thick layer of interior defense to the outside wall, and helps protect businesses from being completely exposed, even after a security breach. Being sure to implement the process in a steady, strategic way, and starting from a small pilot, can help ease the burden of transition. View the white paper here, registration is not required.