Adaptive Segmentationmicro-segmentation May 16, 2019

Paying the Inaction Tax: Building a Case for Compliance with Segmentation

Katey Wood,

We’ve talked about how to prepare your organization to start ringfencing crown jewel applications – the people and process legs of the stool to address critical risks in securing your applications.

But why is segmentation important in the first place? If there is no specific compliance obligation, vulnerability issue, or failed PEN test, why should your business spend money on controls to ringfence its applications against the spread of breach? What exactly is the inaction tax for an organization with "status quo security"?

Regulations and fines are not just for banks and credit cards

We used to say in security that there were two types of organizations: those that had been breached and those that hadn’t realized or admitted it yet. The same is now often true of compliance: either you’ve woken up to your obligations or you’re likely in denial. Regulators are demanding greater accountability from corporations to secure data critical to consumer privacy, industry operations, and national security.

For example, anyone storing personally identifiable information (PII) of customers or employees (among other data protection mandates) is likely subject to regulations governing the compliance obligation to secure them. The table below lists several more – many with specific recommendations on segmenting your high-value assets.

recent-regulations_table copy

Lower cost of breach by limiting YOUR blast radius

Having a breach-ready posture has both hard and soft cost benefits. Segmenting applications behind your firewall prevents the spread of breaches from low-value assets to high-value assets – which is why many organizations ringfence their crown jewel applications, regardless of a compliance mandate. You can’t put a price on priceless when you can limit your blast radius and spare your most valuable assets.

But beyond using segmentation as good architectural hygiene to avert disaster, preparation will help avoid hard costs if your organization is breached. For the fourth year, Ponemon Institute found a correlation between the time to identify and contain a breach and the financial consequences. Namely, companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days to resolve. Note that the mean time to contain from Ponemon’s sample was 69 days – on top of 197-day mean time to identify. 

If you’ve limited your blast radius with segmentation, containing the breach becomes irrelevant as your high-value assets are secure. Ringfencing your crown jewel applications with segmentation shifts the emphasis from reactively containing a breach to proactively securing your assets – an inside-out view of security aligned with Zero Trust and security principles of least privilege.

Status quo security OPS are unsustainable in the long run

Using security through the network is unmanageable. It creates lots of room for error. There is a lack of visibility as IT moves to the cloud. The unknown unknowns will eventually call for a full forklift upgrade, often with the high profile and deadline urgency that comes from visible cracks in the façade reaching the attention of a regulator or authority.

Once the need for segmentation becomes a foregone conclusion, you can try to adapt your network to the needs of your security, often by entering into a Faustian bargain with vendors with whom you already have a sizable investment, either in network switches and routers or hypervisors with software-defined networking options.

  • Will you be re-architecting your network with firewalls at great manual effort and an unreasonable ongoing maintenance burden?
  • Or will you be attempting to secure at the hypervisor – an exercise that will favor your vendor’s brand of hypervisor and limit control in the cloud and outside your network?

Not only will these approaches fail to deliver on all your requirements, they will not be cheap to deploy, in man-hours or hard dollar costs. A comparative TCO for an environment of 500 servers is detailed below.


The alternative is to decouple security from the network entirely. Using host-based segmentation, you can:

  • Establish a rational operational model for gaining visibility into your applications.
  • Secure and enforce segmentation policies at the host, down to the process level.
  • Leverage whitelisting for Zero Trust confidence in enforcing access permissions.
  • Streamline operations with greater visibility, often down to less than a FTE.

Interested in learning more? Check out our paper on Paying the Inaction Tax or examine the potential costs in your own environment with our online TCO calculator.

Adaptive Segmentationmicro-segmentation
Share this post: