So – let’s get into the thorny subject of network segmentation and some of the other associated network discussion topics that surround DORA.
DON’T PANIC!
First (and back to the DON’T PANIC): if you are reading this thinking that the rest of the world has a perfect answer to every DORA requirement around network segmentation and yours is the only organisation that does not, that is simply not the case. Stating the obvious, the last 30 years have been spent busily building networks that allow everything to talk to everything, and now we are busily trying to reverse that because legislation requires it. Many of today’s large organisations run open (essentially flat) internal networks, and we now need to find ways of limiting the exposure and blast radius of our critical services.
Secondly, the amount of DORA-washing of products and services happening right now is off the scale. There are lots of “install this and you will be compliant” claims, and they are simply not true: no product makes you compliant on its own. So, second statement of the obvious: don’t believe the vendor hype and steer clear of the FUD!
What Does the Regulation Ask For?
- Network Segmentation: Critical services must be segmented at the network and data-flow level so that they can be isolated, and so that lateral movement is contained if something “bad” happens.
- Performance, Capacity & Architecture: Your network architecture must be documented and understood, with appropriate capacity management in place.
- Isolation Capability: In the event of a “bad thing,” you must have the ability to isolate critical services to stop the spread. This can be done manually at first and through automation as your services mature.
- Control Plane Isolation: The management plane (configuration, monitoring and administration of network devices) must be isolated from the networks carrying production data and flows, so that a compromised production segment cannot reach device administration interfaces.
What Needs to Be Segmented?
This ties back to the concept of CIFs (Critical or Important Functions), DORA’s term for the functions whose disruption would materially impair the entity’s services or its regulatory compliance. Protecting and segmenting CIFs is central to DORA compliance. As mentioned in Articles 1 and 2, CIFs need to be identified and mapped so they can be isolated into their own network “buckets.” The goal is to limit the blast radius, lateral movement, and potential spread of a compromise.
The Why: Why Segment Networks?
The rationale for segmentation is all about risk: protecting what matters most. If an “event” occurs, segmentation lets you react and protect discrete services rather than the whole estate at once.
Consider the risks: threat actors moving laterally, malware spreading, or even a misbehaving compute node flooding the network and degrading performance. It’s about ensuring continuity of CIFs and minimising the impact when things go wrong.
The How: Methods of Segmentation
Here are some approaches you could consider for segmentation or mitigation while you work on full segmentation:
- Physical Segmentation: Use separate physical infrastructure (cabling, switches, routers) for different segments. This offers the strongest isolation, but it is expensive and inflexible to change.
- Logical Segmentation: Divide networks into logical units, such as VLANs. A VLAN on its own only separates broadcast domains; it is a security boundary only if inter-VLAN traffic is forced through an enforcement point (a firewall or ACL), and it remains exposed to misconfiguration (for example an open trunk port) and VLAN-hopping attacks.
- Virtual Segmentation: Create virtual “ring-fences” on top of shared physical infrastructure, such as VRFs or overlay networks. This method is flexible and scalable but can introduce performance (encapsulation) and compatibility challenges.
- Software-Based Segmentation: Use on-host and on-net software-based policies and controls (host firewalls, micro-segmentation agents, SDN policy) for per-workload granularity and dynamic adjustments.
- Access Management: Implement both Privileged Access Management (PAM) and Identity and Access Management (IAM) to ensure only authorised users have access. PAM is particularly critical for controlling administrative privileges. Note that this controls who may reach a service, not which networks can; it complements segmentation rather than replacing it.
- Host-Based Isolation: Leverage endpoint detection and response tooling (for example the device-isolation action in Microsoft Defender for Endpoint) to take hosts off-net when “bad behaviour” is detected. This is a containment control rather than segmentation, but a great mitigating step while segmentation is being built.
While this sounds simple, the homework is extensive. It starts with identifying and mapping your CIFs and their dependencies, carving them into segments, and allowing only the traffic they need to flow without disrupting business operations.
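Whichever method you pick, the part that gets skipped is verifying that the intended flow matrix matches what the network actually carries. The script below is an added example (not from the article or any vendor tool) that treats the segmentation design as data: zones as CIDR ranges, an allow list of permitted cross-zone flows, and a rule that administrative ports are reachable only from the management zone. It then runs constructed firewall flow records through that policy and flags accepted flows that cross a boundary without permission, reach the management plane from a production zone, or involve hosts missing from the CIF inventory. The zone ranges, port choices and the comma-separated record format are assumptions for the example.

```python
"""Segmentation policy check over flow-log lines (added example, not from the article).

Zones are CIDR ranges, ALLOWED_FLOWS is the intended cross-zone data-flow matrix, and
ADMIN_PORTS are management-plane services reachable only from the "mgmt" zone.
All addresses, ports and flow records here are constructed sample data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical zone inventory: zone name -> CIDR ranges (constructed addresses).
ZONES = {
    "mgmt": ["10.0.0.0/24"],
    "cif-payments": ["10.10.0.0/24"],
    "corp-users": ["10.20.0.0/22"],
    "dmz": ["192.168.100.0/24"],
}

# Intended flow matrix: (src_zone, dst_zone, proto, dst_port). "*" matches any destination zone.
# Intra-zone traffic is implicitly allowed (the zone is the segment); only crossings are listed.
ALLOWED_FLOWS = {
    ("corp-users", "cif-payments", "tcp", 443),
    ("dmz", "cif-payments", "tcp", 8443),
    ("mgmt", "*", "tcp", 22),
    ("mgmt", "*", "udp", 161),
}

# Management-plane ports: only the mgmt zone may reach them, whatever the allow list says.
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389), ("udp", 161), ("tcp", 830)}

_NETS = [(zone, ipaddress.ip_network(c)) for zone, cidrs in ZONES.items() for c in cidrs]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is not in the inventory."""
    addr = ipaddress.ip_address(ip)
    for zone, net in _NETS:
        if addr in net:
            return zone
    return None


@dataclass(frozen=True)
class Finding:
    verdict: str
    src: str
    dst: str
    proto: str
    port: int
    src_zone: Optional[str]
    dst_zone: Optional[str]


def classify(src: str, dst: str, proto: str, port: int) -> Finding:
    """Judge one accepted flow against the zone model and the allow list."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        verdict = "UNKNOWN_HOST"          # not in the inventory: the CIF map is incomplete
    elif (proto, port) in ADMIN_PORTS and sz != "mgmt":
        verdict = "MGMT_PLANE_BREACH"     # admin port reached from a non-management zone
    elif sz == dz:
        verdict = "INTRA_ZONE"            # inside one segment: permitted by design
    elif (sz, dz, proto, port) in ALLOWED_FLOWS or (sz, "*", proto, port) in ALLOWED_FLOWS:
        verdict = "ALLOWED"
    else:
        verdict = "LATERAL_VIOLATION"     # boundary crossed without an entry in the matrix
    return Finding(verdict, src, dst, proto, port, sz, dz)


def parse_flow_line(line: str):
    # Constructed record format: ts,src_ip,dst_ip,proto,dst_port,action
    _ts, src, dst, proto, port, action = line.strip().split(",")
    return src, dst, proto.lower(), int(port), action


def evaluate(log_text: str) -> list:
    """Classify every ACCEPTed flow; dropped flows are the control working as intended."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port, action = parse_flow_line(line)
        if action != "ACCEPT":
            continue
        findings.append(classify(src, dst, proto, port))
    return findings


def summarize(findings) -> Counter:
    return Counter(f.verdict for f in findings)


SAMPLE_LOG = """\
# constructed flow records, not real traffic
2025-01-15T09:00:01Z,10.20.1.15,10.10.0.5,tcp,443,ACCEPT
2025-01-15T09:00:02Z,10.10.0.5,10.10.0.9,tcp,5432,ACCEPT
2025-01-15T09:00:03Z,10.0.0.7,10.10.0.5,tcp,22,ACCEPT
2025-01-15T09:00:04Z,10.20.1.15,10.10.0.5,tcp,22,ACCEPT
2025-01-15T09:00:05Z,10.20.2.40,10.10.0.9,tcp,5432,ACCEPT
2025-01-15T09:00:06Z,10.20.2.40,10.10.0.9,tcp,445,DROP
2025-01-15T09:00:07Z,172.16.5.5,10.10.0.5,tcp,443,ACCEPT
2025-01-15T09:00:08Z,192.168.100.20,10.10.0.5,tcp,8443,ACCEPT
"""

if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG)
    for f in results:
        if f.verdict not in ("ALLOWED", "INTRA_ZONE"):
            print(f"{f.verdict:18} {f.src} ({f.src_zone}) -> {f.dst} ({f.dst_zone}) {f.proto}/{f.port}")
    print(dict(summarize(results)))
```

Run against real exports (firewall logs, NetFlow, or cloud flow logs) the same idea gives you a continuous check rather than a one-off audit: UNKNOWN_HOST findings tell you the CIF inventory is incomplete, MGMT_PLANE_BREACH findings show where the control plane is still reachable from production, and LATERAL_VIOLATION findings are the flows you must either add to the matrix deliberately or block.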
DORA’s Proportionality Principle
Neither the regulator nor your company will thank you for hastily implementing segmentation at all costs and causing an outage. DORA explicitly requires a risk-based and proportionate approach (Article 4):
“Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.”
This means segmentation (and other aspects of DORA) must be tailored to your organisation’s size, risk profile, and operational complexity.