Why Don’t More Companies Have Legit Segmented Networks?

How organizations can stop planning and start implementing

When you ask organizations whether they segment their network, most say they are “working on it” or “plan to implement micro-segmentation soon.” Ask them 6 months later how it’s going, and you will probably get the same answers.

Why are organizations in perennial planning mode when it comes to micro-segmentation? What is stopping organizations from pulling the trigger? The short answer is – lack of visibility.

Most organizations don’t know what’s on their network: they are struggling to discover and keep track of all the devices that are connecting, which makes it practically impossible to segment the network in any meaningful way. That’s why, even though micro-segmentation is widely regarded as a best practice in support of both security and compliance objectives, its implementation has stalled for many organizations.

There is a way to change the paradigm and take micro-segmentation projects off pause.

It starts with visibility

Once organizations understand – really understand – what’s on their network, they can start to secure it. Unfortunately, most solutions that claim to provide visibility don’t go far or deep enough. They offer generalities, identifying that a device is on the network, but not much else. Without knowing exactly what’s connecting (Is it an infusion pump from Philips or a security camera from ADT?), it’s hard to make any meaningful decisions around how those devices should be protected. As a result, organizations end up with general segmentation policies that segment based on proximity, such as all devices on a floor or in a wing. This adds little to the security of the environment.

Micro-segmenting the network by device type or function requires insight into the:

  • Make and model of the device
  • Operating system in use
  • Embedded software included
  • Communication protocols used
  • Exact location of that device

Once a comprehensive, detailed, real-time inventory of all the devices connecting to the network exists, organizations can start to make informed decisions around how best to segment them. They may want to group devices by function – e.g. MRI machines, HVAC units, or IV pumps – or by the risk level of a device – based on the software it uses or the data it contains (medical records (MR) or personally identifiable information (PII)) – to best mitigate or isolate threats.

Micro-segmentation doesn’t have to be so hard

With a comprehensive inventory of all the devices in the environment, organizations can start to create micro-segmentation policies that pre-emptively mitigate and isolate the threats they are facing. Biomed, network and security teams can all start to implement policies that make sense for the entire organization.

Typically, segmentation has been done by network engineers or security advisors, who know their way around network engineering but do not know the clinical relevance of all the devices they are trying to protect. They rely on a mix of AAA, PKI, endpoint management, device on-boarding, device classification, and other technologies to try to segment the network, but these quickly become overwhelmingly complex to manage and maintain for dynamic clinical networks. There is talk of using overlay networks as a means of addressing this issue, but many of these technologies are far from proven and have serious scalability concerns.

What organizations need are easy-to-build micro-segmentation policies that take into account the clinical relevance of the different devices in the network and don’t require a patchwork of different technologies or an overlay network to enforce.

Medigate makes micro-segmentation easy

Medigate starts by monitoring and fingerprinting all the devices connecting to the network, using sophisticated deep packet inspection (DPI) to comprehensively inventory each device and assess its risk-level. This allows IT, biomed and security teams to know what’s connected, where it’s located, and the security posture associated with each (based on the manufacturer, software versions, protocols, etc.).

Medigate then enables organizations to use their existing infrastructure to implement clinically-relevant segmentation policies that will help them meet their security and compliance requirements. Medigate provides predefined segmentation implementations, based on device type or functionality and best practice standards, to apply security policies that best mitigate their risks.

With Medigate’s templates and workflows, which are based on the deep medical device expertise of Medigate’s research team, organizations can ensure only devices that should be talking to one another can, and everything else is blocked. These policies can be pushed to the organization’s network access control (NAC) solution or firewalls for enforcement to ensure traffic is restricted based on clinical policy.
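As an added illustration (not Medigate’s code or data) of the grouping-by-function-and-risk approach described above, and of the allow-list rules that end up being pushed to a NAC or firewall: a small constructed device inventory is turned into default-deny segment rules, and the result is contrasted with the weaker proximity (same floor) policy. Device names, makes and clinical flows are constructed examples.

```python
# Added example (not Medigate's code): turn a detailed device inventory into
# function- and risk-based segmentation rules and compare them with the
# proximity (per-floor) rules the post criticises. All records are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    make_model: str       # hypothetical make/model string
    function: str         # clinical function: the grouping key the post argues for
    protocols: frozenset  # protocols seen on the wire (what DPI would report)
    location: str         # floor/wing
    handles_phi: bool     # holds medical records, so a higher risk tier

# Constructed inventory with the per-device detail the post says is required.
INVENTORY = [
    Device("pump-01", "ExampleCo Infusion Pump", "infusion_pump", frozenset({"HL7"}), "floor3", True),
    Device("cam-01", "ExampleCo IP Camera", "security_camera", frozenset({"RTSP"}), "floor3", False),
    Device("mri-01", "ExampleCo MRI", "imaging", frozenset({"DICOM"}), "floor1", True),
    Device("pacs-01", "ExampleCo PACS Server", "pacs", frozenset({"DICOM"}), "datacenter", True),
    Device("emr-01", "ExampleCo EMR Server", "emr", frozenset({"HL7"}), "datacenter", True),
    Device("hvac-01", "ExampleCo HVAC Controller", "hvac", frozenset({"BACnet"}), "floor3", False),
]

# Allow-list of (source function, destination function, protocol).
# Anything not listed is denied: only devices that should talk to one another can.
CLINICAL_FLOWS = {("infusion_pump", "emr", "HL7"), ("imaging", "pacs", "DICOM")}

def by_name(name: str) -> Device:
    return next(d for d in INVENTORY if d.name == name)

def segment_of(d: Device) -> str:
    """Segment label from function and risk tier, e.g. 'imaging/phi', not 'floor1'."""
    return f"{d.function}/{'phi' if d.handles_phi else 'nophi'}"

def policy_allows(src: Device, dst: Device, proto: str) -> bool:
    """Default deny: permit only a declared clinical flow over a protocol the
    source device is actually observed to speak."""
    return (src.function, dst.function, proto) in CLINICAL_FLOWS and proto in src.protocols

def proximity_allows(src: Device, dst: Device) -> bool:
    """The weak 'same floor or wing' policy: a camera can reach a pump."""
    return src.location == dst.location

def rule_table(inventory) -> list:
    """Enforceable allow rules (segment -> segment : protocol) for a firewall or NAC."""
    rules = {f"allow {segment_of(s)} -> {segment_of(d)} : {p}"
             for s in inventory for d in inventory for p in s.protocols
             if policy_allows(s, d, p)}
    return sorted(rules)
```

The generated rule table is the part a practitioner would translate into NAC or firewall policy; note that the camera and the pump share a floor, so the proximity policy lets them talk while the clinical policy does not.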

To learn more or see a demo, please visit medigate.io.
