Project Details
Client
An International Major Bank
Category
Financial Industry
Project Date
2022
Initial Situation
Challenge
In an era where security and compliance have top priority, a leading company in the financial industry faced the challenge of optimizing its network segmentation within the data center.
The preceding external audit had not produced clear guidelines, neither from the auditors nor from project management. My project team, consisting of experienced external specialists, thus faced a demanding task: to meet the audit's security requirements on the one hand, and to integrate existing and new internal processes and policies on the other.
Background
Best Practice
Objective
Task
Implementation During Live Operations
While the target design was outlined quickly, the path to the technical implementation still had to be developed. The non-technical requirements were complex as well, including, among other things, the integration of new parent-company specifications, the migration of services during daily business operations, and the coordination of additional, interfering audit tasks.
A key employee was close to retirement. Firewalls had to be procured without knowing the future data throughput. The documentation for the services to be segmented was incomplete and outdated. Finally, almost all of the client’s services were affected. The implementation took place during live operations (brownfield); a redesign (greenfield) was not an option. The complete IT environment remained operational, even in non-prod areas. Legacy IT systems that could not be segmented were discussed intensively to find a solution. At the same time, there were overlaps with other IT migration tasks. Contradictory regulatory requirements demanded a solution. We worked on technical, organisational and personnel challenges while the IT systems remained operational the entire time.
Solution & Implementation
Migration Path
The project team developed scenarios and then, through diligent planning, a clear migration path. Initially, only non-production systems were migrated into the new security zones, while production operations remained undisturbed. Later, production systems were secured as well, as part of a major network migration cutover. A detailed data analysis, covering in particular the communication relationships between services, was needed to identify migration groups.
The new security zones were established by implementing the firewalls and by migrating the services; this way, the project team was able to ensure that all services were operational under the new segmentation guidelines. The migration of services was successfully completed once several hundred migrations were done.
Results
Succeeded
The project was a complete success: we realised the network segmentation within the given timeline without any service outage. All regulatory requirements were fulfilled, including the required documentation.
- On schedule
- No service outages
- All requirements fulfilled
Conclusion and Recommendation
IT is created by people!
Case Study: Cloud Connectivity
The switch from a local to a cloud-based proxy prompted a client from the financial industry to create a new concept for the planned cloud connection of its data center …