How separate do you want it?
If you're going to create one or many new, separate networks, another big question is how you'll provision and deprovision users, devices, and other resources.
With a single network, provisioning is typically tied to an HR system. An employee is hired, and this kicks off a manual or automated process that adds the new employee's user account to the domain. If the process is automated, where should the "root system of trust" (the systems trusted with kicking off provisioning and deprovisioning) reside?
For example, if you leave your root system of trust in the original -- possibly compromised -- network, can it be trusted to provision services into the new, highly secured network? The answer is a resounding no. You can trust systems of higher integrity and assurance to provide data to lower-integrity systems, but not the other way around.
In reality, most companies don't have a choice. Rather, they have two suboptimal choices: Either they allow an untrusted root system to help with provisioning the new network, knowing it might be compromised or lead to a new compromise -- or they end up with a new root system for every new network, which is costly and hard to maintain over time.
In fact, this decision needs to be made for every additional network. Will the new networks use one or more existing services from the existing network or only rely upon completely new services? Services that are necessary to run any network include provisioning, help desk, security, incident response, auditing, PKI, email, printing, and more.
When figuring out exactly which services from the old network are needed in the new one, most companies start by assuming they can simply add a few new groups, then realize that creating truly separate networks is harder than it seems. It's a light-bulb moment for every team that has to plan a more secure network.
Generally, companies end up creating a model where shared services are either left in the existing security domain or end up in a single new network shared across all other networks. They may also create a hybrid: Some networks with shared services, while other networks have none.
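The integrity rule stated earlier (a lower-integrity domain must never provision into a higher-integrity one) can be applied mechanically to the three placements described above: shared services left in the existing network, moved into a single dedicated services network, or duplicated inside each new network. The following is an added illustrative model, not code from the original article; the domain names, the service list, and the integrity levels (existing network = 1, dedicated services network and each secure network = 3) are assumptions chosen to make the comparison concrete.

```python
# Added illustrative model (not from the original article). It checks a proposed
# multi-network design against the rule that provisioning and other shared
# services may only flow from a domain of equal or higher integrity into a
# consumer network, never from a lower-integrity domain upward.
from dataclasses import dataclass, field

# Services the article lists as necessary to run any network (subset).
SERVICES = {"provisioning", "help_desk", "pki", "email", "auditing"}


@dataclass
class Domain:
    name: str
    integrity: int  # assumed scale: higher = more trusted / higher assurance
    hosts: set = field(default_factory=set)       # services this domain runs itself
    consumes: dict = field(default_factory=dict)  # service -> name of providing domain


def flow_violations(domains):
    """Return sorted (consumer, service, provider) triples where a network
    takes a service from a domain of lower integrity than its own."""
    by_name = {d.name: d for d in domains}
    bad = []
    for d in domains:
        for svc, provider in d.consumes.items():
            p = by_name[provider]
            if svc not in p.hosts:
                raise ValueError(f"{provider} does not host {svc}")
            if p.integrity < d.integrity:
                bad.append((d.name, svc, provider))
    return sorted(bad)


def build_design(shared_in, secure_count=2):
    """Build one of the three placements from the article.

    shared_in is "old" (services stay in the existing network), "shared"
    (a single new, high-integrity services network), or "duplicate" (every
    secure network runs its own copy). Integrity levels are constructed
    assumptions: old = 1, shared = 3, each secure network = 3.
    """
    old = Domain("old", 1, hosts=set(SERVICES))  # existing, possibly compromised
    domains = [old]
    if shared_in == "shared":
        domains.append(Domain("shared", 3, hosts=set(SERVICES)))
    for i in range(secure_count):
        net = Domain(f"secure{i}", 3)
        if shared_in == "duplicate":
            net.hosts = set(SERVICES)
            net.consumes = {s: net.name for s in SERVICES}
        else:
            net.consumes = {s: shared_in for s in SERVICES}
        domains.append(net)
    return domains


if __name__ == "__main__":
    for option in ("old", "shared", "duplicate"):
        violations = flow_violations(build_design(option))
        print(f"shared services in {option!r}: {len(violations)} violation(s)")
        for consumer, svc, provider in violations:
            print(f"  {consumer} takes {svc} from lower-integrity {provider}")
```

Leaving the services in the existing network produces one violation per service per secure network (the "untrusted root system" case), while both the dedicated services network and the duplicated design pass the check. The model is deliberately simple: it says nothing about cost or upkeep, which is exactly the trade-off the rest of this section is about, but it does make the integrity consequences of each placement explicit before anyone commits to one.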
I've only seen a few companies that decided to duplicate services in each new network. All in all, these sorts of decisions aren't easy. In fact, it's among the toughest decisions IT can make in any company.
Whether to have one or more new network domains is up to each company, its culture, and its risk tolerance. There is no right answer. Pick what you think will work for your company and live with the positives and negatives. You can still change the design later on. In fact, write that into the first design's known outcome: "Needed changes will be determined by lessons learned from the first one."
If you ask me, rather than spending all that time creating ultrasecure networks, you'll find much more value in concentrating on how your company is compromised in the first place -- then aligning your defenses to best combat those exploits. That way, you can become a true security hero.
After all, creating a secure network is a ton of work -- and if it's truly secure, it will probably require duplication of effort. Why not apply those efforts across the board to the existing network instead?
This story, "Should you create a separate, supersecure network?," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.