PCI DSS 101 //004// What is segmentation in PCI DSS?

What is Segmentation in a network?

Segmentation is the practice of restricting traffic between two or more network segments. In any network, systems exchange information with each other to do their day-to-day work. Much of that connectivity is necessary, but there is usually also connectivity between components that have no reason to talk to each other. Segmentation restricts traffic between the system components you do not want interacting, ideally by denying everything by default and permitting only the flows you have explicitly justified.

For example, your organization runs an HR application and a Finance application on separate servers. If HR staff have no business reason to use the Finance application, you would segment the two so that neither user access nor network traffic is permitted between them.

Segmentation can be achieved with technologies such as firewalls, access control lists (ACLs) and virtual LANs (VLANs). Note that a VLAN on its own only separates broadcast domains; unless a firewall or ACL filters the traffic routed between VLANs, hosts in different VLANs can still reach each other.

What is Segmentation in PCI DSS?

Segmentation is commonly used to limit the scope of a PCI DSS assessment. PCI DSS applies to the cardholder data environment (CDE): the system components that store, process or transmit cardholder data, plus any components that are connected to the CDE or could affect its security. Network segmentation that isolates the CDE from the rest of the network keeps components with no access to cardholder data out of scope; without it, the entire network is in scope. It also gives your Qualified Security Assessor (QSA) a well-defined population of in-scope systems to sample from, rather than the whole network.

PCI DSS does not mandate segmentation, but where it is used to reduce scope it must actually work: the controls must deny all traffic between out-of-scope systems and the CDE except what is explicitly required, and access controls must enforce the separation. The effectiveness of the segmentation must be confirmed by penetration testing at least annually and after any change to the segmentation controls; service providers must test it at least every six months.
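The ACL-based approach mentioned above and the segmentation test described in the previous paragraph can both be reasoned about with a small policy model. The following is an added example, not code from the original post: it encodes an ordered, first-match firewall policy with default deny, then probes every out-of-scope segment against the CDE on a set of representative ports and reports any flow that is permitted. The segment names, CIDRs, probe ports and rules are constructed for illustration. Segments that are expected to reach the CDE (here, the admin jump-host network) are excluded from the check because, under PCI DSS, connected-to systems are themselves in scope.

```python
"""Model an ordered ACL / firewall policy and check that nothing outside the
cardholder data environment (CDE) can reach it.

Added example, not from the original post. Segment names, CIDRs and rules
are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Constructed segments (assumption: one /24 per segment).
SEGMENTS = {
    "cde":     "10.10.0.0/24",   # card-processing servers: in scope
    "hr":      "10.20.0.0/24",
    "finance": "10.30.0.0/24",
    "corp":    "10.40.0.0/24",   # general user workstations
    "mgmt":    "10.50.0.0/24",   # admin jump hosts, connected to the CDE
}

# Representative (proto, port) pairs to probe from each segment toward the CDE.
PROBE_PORTS: List[Tuple[str, int]] = [
    ("tcp", 22), ("tcp", 443), ("tcp", 445), ("tcp", 3389), ("tcp", 1433), ("udp", 53),
]


def segmentation_findings(policy: List[Rule], segments: dict, cde: str = "cde",
                          allowed_sources: Tuple[str, ...] = ()) -> List[Tuple[str, str, int]]:
    """Return (segment, proto, port) for every flow from a supposedly out-of-scope
    segment into the CDE that the policy permits. An empty list means the CDE is
    isolated from those segments. Segments in allowed_sources are expected to
    have access and are therefore in scope themselves, so they are skipped."""
    findings = []
    cde_host = str(ip_network(segments[cde])[10])      # one representative host
    for name, cidr in segments.items():
        if name == cde or name in allowed_sources:
            continue
        src_host = str(ip_network(cidr)[10])
        for proto, port in PROBE_PORTS:
            if evaluate(policy, src_host, cde_host, proto, port) == "allow":
                findings.append((name, proto, port))
    return findings


# Intended policy: only the jump-host network reaches the CDE, on SSH only,
# everything else to the CDE is denied, and HR cannot reach Finance.
GOOD_POLICY = [
    Rule("allow", SEGMENTS["mgmt"], SEGMENTS["cde"], "tcp", 22),
    Rule("deny",  "0.0.0.0/0",      SEGMENTS["cde"]),
    Rule("deny",  SEGMENTS["hr"],   SEGMENTS["finance"]),
    Rule("allow", "0.0.0.0/0",      "0.0.0.0/0"),    # everything else
]

# Common mistake: a broad "corp can reach anything" rule inserted ahead of the
# CDE deny. First-match ordering means the deny never sees corp traffic, and
# the whole corp segment is pulled into PCI DSS scope.
BAD_POLICY = [
    Rule("allow", SEGMENTS["corp"], "0.0.0.0/0"),
    Rule("allow", SEGMENTS["mgmt"], SEGMENTS["cde"], "tcp", 22),
    Rule("deny",  "0.0.0.0/0",      SEGMENTS["cde"]),
    Rule("allow", "0.0.0.0/0",      "0.0.0.0/0"),
]


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        hits = segmentation_findings(policy, SEGMENTS, allowed_sources=("mgmt",))
        print(f"{label}: {'isolated' if not hits else hits}")
```

The model deliberately mirrors how real ACLs behave: first match wins and ordering errors silently widen access, which is exactly what the annual segmentation test is meant to catch. A live test does the same thing with real packets (port scans from each out-of-scope segment toward CDE addresses) rather than against a model of the ruleset.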

Published by: Ankit K J