How to Effectively Implement Network Segmentation: 5 Key Steps and Use Cases

    Posted on: June 3, 2025, by Tech World Times, in Technology

    This article walks you through five practical steps to implement network segmentation effectively, backed by real-world use cases that showcase its value in different industries.
    Networks are constantly expanding across offices, cloud services, remote users, and connected devices. With so many moving parts, security gaps can easily form. Once attackers breach a weak point, they often move freely across the network, targeting critical systems and sensitive data.
    That’s where network segmentation comes in. It’s a practical approach to divide your network into smaller, manageable zones to control access, limit exposure, and isolate threats before they spread. But simply deploying VLANs or access rules isn’t enough. True segmentation needs planning, alignment with your business, and the right mix of technology.
    Step 1: Assess and Map Your Current Network
    Start by figuring out what’s on your network and how it communicates.

    Inventory Devices and Applications: List all servers, user machines, IoT devices, and cloud assets.
    Map Data Flows: Understand how applications and services interact. Which systems talk to each other? What ports and protocols are used?
    Identify Critical Assets: Highlight the systems that handle sensitive data, such as payment processing, health records, or intellectual property.

    Tip: Network discovery tools or NAC solutions can automate asset inventory and reveal communication paths you might miss.
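    The data-flow mapping in this step can be started from flow records you already collect (NetFlow, sFlow, or cloud VPC flow logs). The following Python is an added example, not code from the original article: it maps each flow to a zone using a hypothetical address plan, aggregates flows into a zone-to-zone matrix, and lists which zones reach the critical ones. The zone names, CIDRs and flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical address plan: CIDR -> zone name. Replace with your own.
ZONES = {
    "10.10.0.0/24": "user-lan",
    "10.20.0.0/24": "app",
    "10.30.0.0/24": "db",           # holds sensitive records: critical
    "10.40.0.0/24": "ot",           # plant-floor controllers: critical
    "192.168.50.0/24": "guest-wifi",
}
CRITICAL_ZONES = {"db", "ot"}
NETWORKS = [(ipaddress.ip_network(cidr), zone) for cidr, zone in ZONES.items()]

# Constructed flow records in a NetFlow / VPC-flow-log-like shape: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.5", "tcp", 443),
    ("10.20.0.5", "10.30.0.8", "tcp", 5432),
    ("10.10.0.22", "10.30.0.8", "tcp", 5432),    # workstation straight to the database
    ("192.168.50.9", "10.40.0.3", "tcp", 502),   # guest Wi-Fi reaching a Modbus controller
    ("10.10.0.15", "8.8.8.8", "udp", 53),
    ("10.10.0.15", "10.20.0.5", "tcp", 443),
]


def zone_of(ip: str) -> str:
    """Longest-prefix lookup is not needed for non-overlapping zones; first match wins."""
    addr = ipaddress.ip_address(ip)
    return next((zone for net, zone in NETWORKS if addr in net), "external")


def build_zone_matrix(flows):
    """Aggregate flows into {(src_zone, dst_zone): {(proto, dport): count}}."""
    matrix = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport in flows:
        matrix[(zone_of(src), zone_of(dst))][(proto, dport)] += 1
    return {pair: dict(services) for pair, services in matrix.items()}


def flows_into_critical(matrix, critical=CRITICAL_ZONES):
    """Zone pairs whose destination is a critical zone, ignoring intra-zone traffic."""
    return sorted((s, d) for (s, d) in matrix if d in critical and s != d)


if __name__ == "__main__":
    m = build_zone_matrix(SAMPLE_FLOWS)
    for (s, d), services in sorted(m.items()):
        print(f"{s:>10} -> {d:<10} {services}")
    print("paths into critical zones:", flows_into_critical(m))
```

    Every pair the matrix prints is a boundary you will later need an explicit rule for (or a conversation about why that traffic exists); the guest-to-OT and workstation-to-database rows are exactly the paths segmentation is meant to remove.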
    Step 2: Define Segmentation Goals and Policies
    Once you understand your environment, it’s time to set your objectives.

    Security Objectives: Do you want to reduce lateral movement, isolate sensitive systems, or meet a compliance mandate?
    Business Alignment: Segment by business unit, sensitivity of data, or risk profile, whichever makes the most operational sense.
    Compliance Requirements: PCI DSS, HIPAA, and other standards often require network segmentation.

    Example: A healthcare provider might create separate zones for patient records, lab equipment, guest Wi-Fi, and billing systems.
    Step 3: Choose the Right Segmentation Method
    Segmentation can be done in several ways. The right approach depends on your infrastructure and your goals:
    a. Physical Segmentation
    Use separate routers, switches, and cables. This offers strong isolation but can be costly and harder to scale.
    b. Logical Segmentation (VLANs/Subnets)
    Group devices into virtual segments based on function or department. It’s efficient and easier to manage in most environments, but a VLAN alone only separates broadcast domains; the access rules at the boundary are what actually restrict traffic.
    c. Microsegmentation
    Control access at the workload or application level using software-defined policies. Ideal for cloud or virtualized environments where you need granular control.
    d. Cloud Segmentation
    In the cloud, segmentation happens using security groups, VPCs, and IAM roles to isolate workloads and define access rules.
    Use a combination: VLANs for broader segmentation and microsegmentation for finer control where it matters.
    Step 4: Implement Controls and Monitor Traffic
    Time to put those policies into action.

    Firewalls and ACLs: Use access controls to manage what can move between zones. Block anything that isn’t explicitly allowed.
    Zero Trust Principles: Never assume trust between segments. Always validate identity and permissions.
    Monitoring and Alerts: Use your SIEM, flow monitoring tools, or NDR platform to watch for unusual traffic or policy violations.

    Common Pitfall: Avoid “allow all” rules between segments; they defeat the purpose.
    Step 5: Test, Validate, and Fine-Tune
    Even a well-designed segmentation plan can have gaps. Regular validation helps ensure it works as expected.

    Penetration Testing: Simulate attacks to check if boundaries hold.
    Review Policies: Business needs change, and your segmentation strategy must change with them.
    Performance Monitoring: Make sure segmentation doesn’t impact legitimate operations or application performance.

    Automation tools can help simplify this process and ensure consistency.
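    The default-deny control from Step 4 and the validation from Step 5 can be modelled before they are pushed to firewalls. The following Python is an added example, not code from the original article; the zones, rules, flow records and probe ports are all hypothetical. It treats the explicit allow list as the whole policy, lints it for the “allow all” pitfall, lists observed flows the policy should have blocked, and computes the zone-pair reachability a penetration test should then confirm against the real boundary devices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical address plan: CIDR -> zone name. Replace with your own.
ZONES = {
    "10.10.0.0/24": "user-lan",
    "10.20.0.0/24": "app",
    "10.30.0.0/24": "db",
    "192.168.50.0/24": "guest-wifi",
}
NETWORKS = [(ipaddress.ip_network(cidr), zone) for cidr, zone in ZONES.items()]
ALL_ZONES = sorted(set(ZONES.values()) | {"external"})


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((zone for net, zone in NETWORKS if addr in net), "external")


@dataclass(frozen=True)
class Rule:
    """One explicit allow. src/dst are zone names or 'any'; dport None means every port."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]

    def matches(self, src_zone, dst_zone, proto, dport) -> bool:
        return (self.src in ("any", src_zone) and self.dst in ("any", dst_zone)
                and self.proto in ("any", proto) and self.dport in (None, dport))


# The allow list is the entire policy: anything it does not match is denied.
POLICY = [
    Rule("user-lan", "app", "tcp", 443),
    Rule("app", "db", "tcp", 5432),
    Rule("any", "external", "udp", 53),
    Rule("guest-wifi", "external", "tcp", 443),
]


def reachable(policy, src_zone, dst_zone, proto, dport) -> bool:
    if src_zone == dst_zone:
        return True   # intra-zone traffic never crosses the boundary device
    return any(r.matches(src_zone, dst_zone, proto, dport) for r in policy)


def is_permitted(policy, src_ip, dst_ip, proto, dport) -> bool:
    return reachable(policy, zone_of(src_ip), zone_of(dst_ip), proto, dport)


def lint_policy(policy):
    """Step 4 pitfall: rules that allow every service, or span every zone pair."""
    findings = []
    for r in policy:
        if r.proto == "any" and r.dport is None:
            findings.append(f"allow-all services {r.src} -> {r.dst}")
        if r.src == "any" and r.dst == "any":
            findings.append("rule spans every zone pair")
    return findings


def find_violations(policy, flows):
    """Step 5 check: flows seen on the wire that the policy should have blocked."""
    return [f for f in flows if not is_permitted(policy, *f)]


def reachability_matrix(policy, probes, zones=ALL_ZONES):
    """Expected pen-test outcome: for each zone pair, the probes that should get through."""
    matrix = {}
    for s in zones:
        for d in zones:
            if s == d:
                continue
            open_probes = [p for p in probes if reachable(policy, s, d, *p)]
            if open_probes:
                matrix[(s, d)] = open_probes
    return matrix


# Constructed flow records (src, dst, proto, dport), e.g. from NetFlow or VPC flow logs.
OBSERVED = [
    ("10.10.0.15", "10.20.0.5", "tcp", 443),
    ("10.10.0.22", "10.30.0.8", "tcp", 5432),   # workstation straight to the database
    ("192.168.50.9", "10.20.0.5", "tcp", 443),  # guest Wi-Fi reaching the app tier
    ("10.20.0.5", "10.30.0.8", "tcp", 5432),
    ("10.10.0.15", "8.8.8.8", "udp", 53),
]
PROBES = [("tcp", 22), ("tcp", 443), ("tcp", 3389), ("tcp", 5432)]

if __name__ == "__main__":
    print("lint:", lint_policy(POLICY + [Rule("user-lan", "db", "any", None)]))
    print("violations:", find_violations(POLICY, OBSERVED))
    for pair, open_probes in sorted(reachability_matrix(POLICY, PROBES).items()):
        print(f"{pair[0]} -> {pair[1]}: {open_probes}")
```

    The reachability matrix is what you hand to the tester: a probe that succeeds outside it is a segmentation gap, and one that fails inside it is a rule that blocks legitimate traffic, which is the operational risk Step 5 warns about. Feeding live flow records into the violation check turns the same model into the policy-violation alert described in Step 4.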
    Real-World Use Cases of Network Segmentation
    1. Healthcare – Protecting Patient Data and Devices
    Hospitals use segmentation to keep medical devices, patient records, and visitor Wi-Fi on separate zones. This prevents an infected guest device from interfering with critical systems.
    Result: Reduced attack surface and support for HIPAA compliance.
    2. Manufacturing – Isolating Industrial Systems
    Production environments often have fragile legacy systems. Segmenting OT (operational technology) from IT keeps ransomware or malware that lands on the corporate side from reaching the manufacturing lines.
    Result: More uptime and fewer operational risks.
    3. Finance – Securing Payment Systems
    Banks and payment providers use segmentation to isolate the cardholder data environment (CDE) from the rest of the corporate network. This helps meet PCI DSS, shrinks the scope of the assessment, and keeps sensitive data protected.
    Result: Easier audits and stronger data security.
    4. Education – Managing High-Volume BYOD Traffic
    Universities segment student Wi-Fi, research labs, and administrative systems. This keeps a vulnerable student device from spreading malware to faculty or internal systems.
    Result: Safer environment for open access campuses.
    5. Cloud – Segmenting Apps and Microservices
    In the cloud, developers use security groups, VPCs, and IAM roles to isolate applications and limit who can access what. This reduces risk if one workload is compromised.
    Result: Controlled access and better cloud hygiene.
    Common Challenges

    Legacy Tech: Older devices may not support modern segmentation.
    Lack of Visibility: Hard to secure what you don’t know exists.
    Operational Hiccups: Poorly planned segmentation can block business workflows.
    Policy Complexity: Keeping access rules up to date across dynamic environments takes effort.

    Best Practices

    Start with High-Risk Areas: Prioritize zones handling sensitive data or vulnerable systems.
    Keep Documentation Updated: Maintain clear diagrams and policy records.
    Align Teams: Get buy-in from IT, security, and business units.
    Automate Where You Can: Especially for monitoring and policy enforcement.
    Review Regularly: Networks evolve, and so should your segmentation.

    Final Thoughts
    Segmentation isn’t about creating walls; it’s about building controlled pathways. Done right, it helps you take control of your network, reduce risk, and respond faster when something goes wrong.
    It’s a foundational layer of cybersecurity that pays off in resilience, compliance, and peace of mind.
    About the Author:
    Prajwal Gowda is a cybersecurity expert with 10+ years of experience. He has built businesses and was a Business Unit Head for Compliance and Testing services. Currently, he is the Chief Technology Officer at Ampcus Cyber, leading the company’s technology strategy and innovation efforts. He has also been involved in the Payment Card Industry, Software Security Framework, ISO 27001 Controls Gap Analysis, ISMS, Risk Analysis, OCTAVE, ISO 27005, Information Security Audit and Network Security. Prajwal is a Master Trainer who has conducted 100+ cybersecurity training sessions worldwide.
    Tech World Times (TWT) is a global collective focusing on the latest tech news and trends in blockchain, Fintech, Development & Testing, AI and Startups. If you are interested in a guest post, contact techworldtimes@gmail.com
BYOD like it’s 2025

    Hard as it is to believe, there was a time when using any personal technology at work was such a radical concept that most people wouldn’t even consider it an option. IT departments went to great lengths to prevent workers from using their own devices, computers, apps/subscriptions, email, and cloud services.

    The release of the iPhone in 2007 began to change that. Suddenly people were discovering that the smartphone they bought for their personal use could make them more efficient and productive at work as well.

    But it was Apple’s launch of its mobile device management framework in 2010 that truly created the bring your own device movement. MDM meant that users could bring their personal devices to work, and IT departments could secure those devices as needed. Almost instantly, BYOD was something that companies began to support in industries across the board.

    Fifteen years later, BYOD is fully mainstream, and a majority of businesses actively support it. But advances in technology, changing user expectations, and the fallout from Covid’s remote work mandates have shifted the landscape, sometimes without being overtly visible.

    With that in mind, I decided to reexamine the assumptions and realities of BYOD and see what has and hasn’t changed in the past decade and a half.

    BYOD is everywhere but device management isn’t

    The exact numbers on BYOD adoption vary depending on the source you look to and how it’s being measured. A 2022 paper from HPE claims that 90% of employees use a mix of work and personal devices on the job, while Cybersecurity Insiders says that 82% of organizations have a BYOD program. However you look at it, BYOD is now massively entrenched in our work culture and extends beyond just employees and managers. According to data from Samsung, 61% of organizations support BYOD for non-employees including contractors, partners, and suppliers to varying degrees.

    But overtly or tacitly accepting BYOD doesn’t mean that companies actively manage BYOD devices. Cybersecurity Insiders data also indicates that as many as 70% of BYOD devices used in the workplace aren’t managed, a number that may seem shocking, but that figure includes personal devices used by non-employees such as contractors.

    About those cost savings…

    In the early days, there was an assumption that BYOD would lower hardware and service costs, but that wasn’t certain. Today there’s data.

    In the early 2010s, Cisco estimated a + annual savings per employee, though more recent data from Samsung pegs the savings as significantly lower. Despite that disparity, it’s obvious that there are savings to be had, and with significantly climbing smartphone prices, those savings are poised to grow rather than shrink.

    Of course, the cost of managing devices needs to be factored in. That cost can vary widely depending on the vendor, specific products, and adopted features, but some MDM vendors charge as little as per user per month. The cost of providing employees company-purchased apps is also worth noting, though that falls more in line with traditional software procurement.

    Productivity gains are real, but so are distractions

    The data is clear that there can be significant gains in productivity attached to BYOD. Samsung estimates that workers using their own devices can gain about an hour of productive worktime per day and Cybersecurity Insiders says that 68% of businesses see some degree of productivity increases.

    Although the gains are significant, personal devices can also distract workers more than company-owned devices, with personal notifications, social media accounts, news, and games being the major time-sink culprits. This has the potential to be a real issue, as these apps can become addictive and their use compulsive.

    Tools of the trade

    When I think back to the first five to ten years after Apple introduced MDM, it reminds me of the later stages of the birth of the solar system, with dozens of companies offering discrete tools that solved part of the mobility and BYOD puzzle, many colliding into each other or being flung out of existence. Some focused on just supporting the MDM server spec sheet, others on cloud storage, securing and managing access to corporate content, corporate app purchasing and management, secure connectivity, user and identity management, Office alternatives, and more.

    Along the way, major enterprise vendors began dominating the market, some by acquisition and others by building out existing capabilities, although there were also businesses that came out of mergers of some of the new players as well.

    As the market matured, it became easy to pick a single vendor to provide all enterprise mobility and BYOD needs rather than relying on multiple companies focusing on one particular requirement.

    Multiplatform support has morphed into something very different

    The iPhone was the clear early standard for supporting personal devices at work, in part because the hardware, operating system, and MDM mechanics were all created by a single vendor. Going multiplatform was typically assumed to mean iOS and Android, and Android was a fragmented mess of different hardware makers with sometimes widely varying devices and customized Android variants that resulted in no coherent OS update strategy.

    The gap in management capabilities has narrowed significantly since then, with Google taking a much more active role in courting and supporting enterprise customers and providing a clear and coherent enterprise strategy across a wide swath of major Android phone makers and other vendors.

    But that isn’t the only massive shift in what it means to be multiplatform. Today the personal devices used in the workplace include non-phone entries such as Macs, Apple TVs, Chromebooks, and Windows PCs, with Macs and PCs making up a significant number of BYOD devices.

    Most MDM suites support this full range of devices to one degree or another, but support costs can rise as more and more platforms are implemented, and those costs vary by platform, with general agreement that Apple devices provide the greatest savings when it comes to technical support.

    How Covid changed the BYOD equation

    I’m pretty sure that in 2010, not one person on the planet was predicting a global pandemic that would lead to the vast majority of knowledge workers working from home within a decade. Yet, as we all remember, that’s exactly what happened.

    The need to work from home encouraged broader adoption of personal devices as well as ancillary technologies ranging from peripherals/accessories to connectivity. Despite a litany of return-to-office mandates in recent years, remote work is here to stay, whether that’s full-time, hybrid, or just working outside traditional office hours or location.

    Samsung notes that 61% of businesses expect employees to work remotely to some degree, while Robert Half reports that only 61% of new job postings in 2024 had full in-office requirements. And data from WFH Research shows that at the start of 2025, employees are working remotely 28% of the time.

    Passing support to new generations

    One challenge for BYOD has always been user support and education. With two generations of digital natives now comprising more than half the workforce, support and education needs have changed. Both millennials and Gen Z have grown up with the internet and mobile devices, which makes them more comfortable making technology decisions and troubleshooting problems than baby boomers and Gen X.

    This doesn’t mean that they don’t need tech support, but they do tend to need less hand-holding and don’t instinctively reach for the phone to access that support. Thus, there’s an ongoing shift to self-support resources and other, less time-intensive, models with text chat being the most common — be it with a person or a bot.

    They also have different expectations in areas like privacy, processes and policies, and work-life balance. Those expectations make it more important for companies to delineate their BYOD and other tech policies as well as to explain the rationale for them. This means that user education remains important, particularly in a rapidly changing landscape. It also means that policies should be communicated in more concise and easily digestible forms than large monolithic pages of legalese.

    Users actually want to update their devices

    Twenty years ago, the idea of updating workplace technology was typically met with a groan from users who didn’t appreciate downtime or changes in the way things looked and worked. Even as BYOD gained traction, getting users to update their devices wasn’t always easy and required a certain amount of prompting or policing. While resistance to change will never truly die out, most smartphone users actively update on their own because of the new features that come with OS updates and new hardware. Upgrades are something to get excited about.

    BYOD users also tend to be more careful with their devices just because they are their own devices. Likewise, they’re more on point with repairs or replacements and are keen to handle those issues on their own.

    Security is ever evolving

    Security has always been a major concern when it comes to BYOD, and the threats will always be evolving. The biggest concerns stem from user behavior, with users losing devices being one big concern. Verizon reports that more than 90% of security incidents involving lost or stolen devices resulted in an unauthorized data breach, and 42% involved the leaking of internal data. Another big concern is users falling prey to malicious actors: falling for phishing schemes, downloading malware, allowing corporate data to be placed in public spaces, or letting others use their devices.

    Devices themselves can be major targets, with attacks coming from different directions like public Wi-Fi, malicious apps or apps that are not designed to safeguard data properly, OS and network vulnerabilities, and so on. Supporting infrastructure can also be a weak point.

    These threats are real. Research by JumpCloud indicates that 20% of businesses have seen malware as a result of unmanaged devices, and nearly half aren’t able to tell if unmanaged devices have compromised their security. Cybersecurity Insiders research shows a similar statistic of 22%, while also noting that 22% of BYOD devices have connected to malicious wireless networks.

    Shadow IT will always exist

    Shadow IT is a phenomenon that has existed for decades but grew rapidly alongside BYOD, when users began leveraging their personal devices, apps, and services for work without IT’s involvement, knowledge, or consent. Almost every company has some degree of shadow IT, and thus unmanaged devices or other technologies.

    Organizations need to educate users (even digital natives) about security and keeping their devices safe. They also need to engage users involved in shadow IT and make allies out of them, because shadow IT often stems from unmet technological needs.

    Then there’s the trust component. Many users remain uncomfortable letting IT manage their devices, because they don’t understand what IT will be able to see on them. This is a user education problem that all companies need to address clearly and unequivocally.

    Still the same goals

    Although much has changed about BYOD, the basic goal remains the same: allowing workers to use the devices and other tools they are comfortable with and already own… and are likely to use whether sanctioned to or not.
    WWW.COMPUTERWORLD.COM
  • Top 10 Best Practices for Effective Data Protection

    May 16, 2025The Hacker NewsZero Trust / Data Protection

    Data is the lifeblood of productivity, and protecting sensitive data is more critical than ever. With cyber threats evolving rapidly and data privacy regulations tightening, organizations must stay vigilant and proactive to safeguard their most valuable assets. But how do you build an effective data protection framework?
    In this article, we'll explore data protection best practices from meeting compliance requirements to streamlining day-to-day operations. Whether you're securing a small business or a large enterprise, these top strategies will help you build a strong defense against breaches and keep your sensitive data safe.
    1. Define your data goals
    When tackling any data protection project, the first step is always to understand the outcome you want.
    First, understand what data you need to protect. Identify your crown jewel data, and where you THINK it lives. Work with business owners to find any data outside the typical scope that you need to secure.
    This is all to answer the question: "What data would hurt the company if it were breached?"
    Second, work with the C-suite and board of directors to define what your data protection program will look like. Understand your budget, your risk tolerance to data loss, and what resources you have. Define how aggressive your protection program will be so you can balance risk and productivity. All organizations need to strike a balance between the two.
    2. Automate data classification
    Next, begin your data classification journey—that is, find your data and catalog it. This is often the most difficult step in the journey, as organizations create new data all the time.
    Your first instinct may be to try to keep up with all your data, but this may be a fool's errand. The key to success is to have classification capabilities everywhere data moves, and rely on your DLP policy to jump in when risk arises. Automation in data classification is becoming a lifesaver thanks to the power of AI. AI-powered classification can be faster and more accurate than traditional ways of classifying data with DLP. Ensure any solution you are evaluating can use AI to instantly uncover and discover data without human input.
    3. Focus on zero trust security for access control
    Adopting a zero trust architecture is crucial for modern data protection strategies to be effective. Based on the maxim "never trust, always verify," zero trust assumes security threats can come from inside or outside your network. Every access request is authenticated and authorized, greatly reducing the risk of unauthorized access and data breaches.
    Look for a zero trust solution that emphasizes the importance of least-privileged access control between users and apps. With this approach, users never access the network, reducing the ability for threats to move laterally and propagate to other entities and data on the network. The principle of least privilege ensures that users have only the access they need for their roles, reducing the attack surface.
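    The per-request decision described above can be sketched in code. The following is an added example, not code from the article or from any vendor it mentions: a hypothetical access broker that authenticates every request by verifying a signed identity assertion, then authorizes it against an application-level allowlist (least privilege: roles grant apps, never network reach) and a device-posture requirement for regulated apps. The signing key, role table and app names are constructed for illustration; a real deployment would consume an identity provider's asymmetrically signed tokens rather than a shared HMAC key.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional, Tuple

# Constructed example key shared between the (hypothetical) identity provider
# and the access broker. Real systems would verify asymmetric IdP signatures.
BROKER_KEY = b"example-only-shared-secret"

# Least-privilege policy: roles map to the *applications* they may reach,
# never to network segments. Anything not listed is denied by default.
APP_ACCESS = {
    "finance": {"erp", "payroll"},
    "engineering": {"git", "ci"},
    "contractor": {"ticketing"},
}

# Apps handling regulated data additionally require a managed, compliant device.
MANAGED_DEVICE_REQUIRED = {"erp", "payroll"}


def mint_token(user: str, role: str, ttl_s: int = 300, now: Optional[float] = None) -> str:
    """Issue an HMAC-SHA256 signed identity assertion (stand-in for an IdP)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": int(now + ttl_s)}
    body = urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    sig = hmac.new(BROKER_KEY, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged assertion
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(urlsafe_b64decode(padded))
    if claims.get("exp", 0) <= now:
        return None  # expired assertion: re-authentication required
    return claims


def authorize(token: str, app: str, device_managed: bool,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Evaluate one request: authenticate, then apply app-level least privilege."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "authentication failed"
    allowed_apps = APP_ACCESS.get(claims["role"], set())  # unknown role -> nothing
    if app not in allowed_apps:
        return False, f"role {claims['role']} is not granted {app}"
    if app in MANAGED_DEVICE_REQUIRED and not device_managed:
        return False, f"{app} requires a managed device"
    return True, f"{claims['sub']} -> {app}"


if __name__ == "__main__":
    tok = mint_token("alice", "finance")
    print(authorize(tok, "payroll", device_managed=True))
    print(authorize(tok, "payroll", device_managed=False))
    print(authorize(tok, "git", device_managed=True))
```

    Because the decision is made per application and per request, a compromised session on an unmanaged laptop can reach at most the one app it was granted, which is the lateral-movement reduction the article describes.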
    4. Centralize DLP for consistent alerting
    Data loss prevention technology is the core of any data protection program. That said, keep in mind that DLP is only a subset of a larger data protection solution. DLP enables the classification of data to ensure you can accurately find sensitive data. Ensure your DLP engine can consistently alert correctly on the same piece of data across devices, networks, and clouds.
    The best way to ensure this is to embrace a centralized DLP engine that can cover all channels at once. Avoid point products that bring their own DLP engine, as this can lead to multiple alerts on one piece of moving data, slowing down incident management and response.
    Look to embrace Gartner's security service edge approach, which delivers DLP from a centralized cloud service. Focus on vendors that support the most channels so that, as your program grows, you can easily add protection across devices, inline, and cloud.
    5. Ensure blocking across key loss channels
    Once you have a centralized DLP, focus on the most important data loss channels to your organization. The most important channels can vary, but every organization focuses on certain common ones:

    Web/Email: The most common ways users accidentally send sensitive data outside the organization.
    SaaS data: Another common loss vector, as users can easily share data externally.
    Endpoint: A key focus for many organizations looking to lock down USB, printing, and network shares.
    Unmanaged devices/BYOD: If you have a large BYOD footprint, browser isolation is an innovative way to secure data headed to these devices without an agent or VDI. Devices are placed in an isolated browser, which enforces DLP inspection and prevents cut, paste, download, or print.
    SaaS posture control: SaaS platforms like Microsoft 365 can often be misconfigured. Continuously scanning for gaps and risky third-party integrations is key to minimizing data breaches.
    IaaS posture control: Most companies have a lot of sensitive data across AWS, Azure, or Google Cloud. Finding it all, and closing risky misconfigurations that expose it, is the driver behind data security posture management.

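    Steps 2, 4 and 5 above describe one engine that classifies content wherever it moves and raises a single alert for a given piece of data no matter which channel observed it. The following added example (not code from the article or any product it names) shows the mechanics: a small pattern-based classifier with a Luhn check to filter out digit runs that merely look like card numbers, and a central engine that fingerprints inspected content so that the same spreadsheet snippet seen on email, a SaaS share and a USB copy produces one alert listing all three channels instead of three alerts. The patterns, labels and sample content are constructed for illustration; a production engine would carry far more detectors, including the AI-based classification the article mentions.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed detector set; a real engine carries many more patterns and models.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that match the card pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> List[str]:
    """Return sorted sensitivity labels found in a piece of content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        labels.add("PII")
    return sorted(labels)


@dataclass
class Alert:
    fingerprint: str      # content hash, so one piece of data maps to one alert
    labels: List[str]
    channels: List[str]   # every channel that observed this same content


class CentralDLP:
    """One engine fed by every channel; identical content yields one alert."""

    def __init__(self) -> None:
        self._alerts: Dict[str, Alert] = {}

    def inspect(self, channel: str, content: str) -> Optional[Alert]:
        labels = classify(content)
        if not labels:
            return None  # nothing sensitive: no alert, whatever the channel
        fp = hashlib.sha256(content.encode()).hexdigest()[:16]
        alert = self._alerts.get(fp)
        if alert is None:
            alert = Alert(fp, labels, [])
            self._alerts[fp] = alert
        if channel not in alert.channels:
            alert.channels.append(channel)  # enrich, don't duplicate
        return alert

    def open_alerts(self) -> List[Alert]:
        return list(self._alerts.values())


# Constructed sample: the same spreadsheet snippet observed by three channels.
SAMPLE = "Customer card 4111 1111 1111 1111, contact j.doe@example.com"


def demo() -> CentralDLP:
    engine = CentralDLP()
    for channel in ("email", "saas-share", "usb"):
        engine.inspect(channel, SAMPLE)
    engine.inspect("web", "Quarterly roadmap, nothing sensitive here")
    engine.inspect("web", "Fake number 1234 5678 9012 3456 fails Luhn")
    return engine


if __name__ == "__main__":
    for a in demo().open_alerts():
        print(a)
```

    The fingerprint is what makes the alerting consistent: point products with their own engines would each hash (or not hash) differently and each raise their own alert, which is the incident-response noise the article warns about.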
    6. Understand and maintain compliance
    Getting a handle on compliance is a key step for great data protection. You may need to keep up with many different regulations, depending on your industry. These rules are there to make sure personal data is safe and organizations are handling it the right way. Stay informed on the latest mandates to avoid fines and protect your brand, all while building trust with your customers and partners.
    To keep on top of compliance, strong data governance practices are a must. This means regular security audits, keeping good records, and making sure your team is well-trained. Embrace technological approaches that help drive better compliance, such as data encryption and monitoring tools. By making compliance part of your routine, you can stay ahead of risks and ensure your data protection is both effective and in line with requirements.
    7. Strategize for BYOD
    Although not a concern for every organization, unmanaged devices present a unique challenge for data protection. Your organization doesn't own or have agents on these devices, so you can't ensure their security posture or patch level, wipe them remotely, and so on. Yet their users often have legitimate reasons to access your critical data.
    You don't want sensitive data to land on a BYOD endpoint and vanish from your sight. Until now, solutions to secure BYOD have revolved around CASB reverse proxies and VDI approaches.
    Browser isolation provides an effective and eloquent way to secure data without the cost and complexity of those approaches. By placing BYOD endpoints in an isolated browser, you can enforce great data protection without an endpoint agent. Data is streamed to the device as pixels, allowing interaction with the data but preventing download and cut/paste. You can also apply DLP inspection to the session and data based on your policy.
    8. Control your cloud posture with SSPM and DSPM
    Cloud posture is one of the most commonly overlooked aspects of data hygiene. SaaS platforms and public clouds have many settings that DevOps teams without security expertise can easily overlook. The resulting misconfigurations can lead to dangerous gaps that expose sensitive data. Many of the largest data breaches in history have happened because such gaps let adversaries walk right in.
    SaaS security posture management (SSPM) and data security posture management (DSPM, for IaaS) are designed to uncover and help remediate these risks. By leveraging API access, SSPM and DSPM can continuously scan your cloud deployment, locate sensitive data, identify misconfigurations, and remediate exposures. Some SSPM approaches also feature integrated compliance with frameworks like NIST, ISO, and SOC 2.
    9. Don't forget about data security training
    Data security training is often where data protection programs fall apart. If users don't understand or support your data protection goals, dissent can build across your teams and derail your program. Spend time building a training program that highlights your objectives and the value data protection will bring the organization. Ensure upper management supports and sponsors your data security training initiatives.
    Some solutions offer built-in user coaching with incident management workflows. This valuable feature allows you to notify users about incidents via Slack or email for justification, education, and policy adjustment if needed. Involving users in their incidents helps promote awareness of data protection practices as well as how to identify and safely handle sensitive content.
    10. Automate incident management and workflows
    Lastly, no data protection program would be complete without day-to-day operations. Ensuring your team can efficiently manage and quickly respond to incidents is critical. One way to ensure streamlined processes is to embrace a solution that enables workflow automation.
    Designed to automate common incident management and response tasks, this feature can be a lifesaver for IT teams. By saving time and money while improving response times, IT teams can do more with less. Look for solutions that have a strong workflow automation offering integrated into the SSE to make incident management efficient and centralized.
    Bringing it all together
    Data protection is not a one-time project; it's an ongoing commitment. Staying informed of data protection best practices will help you build a resilient defense against evolving threats and ensure your organization's long-term success.
    Remember: investing in data protection is not just about mitigating risks and preventing data breaches. It's also about building trust, maintaining your reputation, and unlocking new opportunities for growth.
    Learn more at zscaler.com/security

    Source: "Top 10 Best Practices for Effective Data Protection", The Hacker News, May 16, 2025 (Zero Trust / Data Protection).