Architectural rule No. 1: Segregate everything


Become An Insider

Sign up now and get free access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content from the best tech brands on the Internet: CIO, CSO, Computerworld, InfoWorld, IT World and Network World Learn more.

In the face of breakneck growth, you absolutely must maintain appropriate segregation of enterprise data networks, storage networks, and more

Enterprise IT infrastructures now face such an explosion of applications, devices, and data that just running in place is hard enough. Nobody seems to have the time or resources to design new systems that actually improve operations. Nonetheless, there's one step you can take to make life easier and your infrastructure stronger as you deal with rampant growth: introduce logical separation wherever you can.

It doesn't really matter whether you're talking about segregating compute bandwidth, storage capacity, networking gear, or different types of data; the reasoning is the same. Maintaining solid performance, tight security, high efficiency, and easy manageability all require thoughtful partitioning of different types of services and data -- partitioning that's often extremely difficult or even impossible to do after the fact.

The process will vary greatly depending upon which technology you're working with. But one common thread should run through every level of your infrastructure: Keep it separated.

Segregating the network
As you read this, chances are you're sitting behind a combination of network security hardware: firewalls, IDS/IPS, content filters, and the like. If your organization operates Internet-accessible services such as Web and email servers, those systems probably also include one or more DMZs that isolate those vulnerable services from the fleshy underbelly of the internal corporate network. Almost any IT pro is familiar with this kind of security-oriented network segregation -- and anyone who operates without it does so at his or her peril.

But that's not where the network security story ends. Even in the smallest corporate networks, real benefits can be derived from heavily partitioning the internal network, at a minimum involving the use of VLANs and L3 routing if not full-blown internal firewalling. In years past, this kind of network segregation was generally used to increase performance by controlling broadcast traffic in very large networks. Today, with much larger and more diverse populations of network-attached devices -- from employee smartphones to facility HVACR systems -- it is increasingly important to treat the once-trusted internal network as an imminent threat that needs to be protected from itself.

Security isn't the only reason to shove these different types of devices into their own protected subnets. By liberally segregating these kinds of systems, servers, and desktops, you can get a much better picture of how your network resources are being used. Consequently, you'll be in a much better position to monitor, isolate, troubleshoot, and diagnose network problems when they occur.

These days, if I'm redesigning a network for a client, even a relatively small one, I'll almost always introduce a significant amount of network segregation into the design. Even if it doesn't include any actual access controls to start with, just having the ability to easily add them if the need arises is extremely useful. I've been in more than one situation where a zero day virus outbreak was contained because the network was heavily segmented -- which would've been impossible had the segmentation not already been in place.

No matter why you do it, you can virtually guarantee that your network will get bigger (even if your company doesn't), not smaller. And the bigger it is, the harder it is to implement such measures you may need down the line.

Segregating storage
It's no secret that corporate data is growing at an amazing clip. Effectively dealing with this kind of data growth requires more than huge piles of storage hardware. For example, one of the largest sources of unstructured data growth is often something as simple as poor organization. When users aren't encouraged to store data in ordered, manageable ways, it can become next to impossible to determine who owns what and whether or not it's still needed -- leading to a situation where everything that's stored must be retained (or, if you're brave, tossed). If you've been in IT for a while, you've no doubt seen at least one of these infamous "public" file shares.

By enforcing partitioning of data storage into logical divisions based on private user data, departmental data, and the like, you can always hold someone accountable for the data that's being generated and stand a much better chance of curtailing its growth. You also gain the ability to granularly monitor storage usage, divide these groups of over multiple storage systems, and enforce controls such as storage quotas if you like -- not possible if everyone's data is commingled or poorly organized. And as with network segregation, it is far, far easier to apply stringent data security and auditing rules when data is well segregated.

To continue reading, please begin the free registration process or sign in to your Insider account by entering your email address:
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies