date 2023-11-28

As more business processes move online, maintaining productivity and service depends on a robust network that can carry the growing volume of daily traffic. At the same time, attackers never stand still, and every organization is a potential target.

Now more than ever, technology leaders and their teams must know how to design a network architecture that provides reliable service and defends against unauthorized access. Below, 17 members of the Forbes Technology Council share key strategies for building and maintaining a secure, efficient network — essential knowledge for today’s digital workplace.

1. Inventory and diagram all network assets

Technologists rarely have greenfield access when designing networks. Instead, they are presented with existing infrastructure that must be modernized. Start by developing an updated inventory of all network assets, as well as a mapping diagram that outlines both the current and desired future state of the network. Once this is created, back up all existing configurations before making any changes. – Jason James, Aptos

2. Seek input from decision makers

A secure and efficient network architecture requires input from business decision makers, including what needs to be accomplished and what resources are essential in a given segment. Once objectives have been established throughout the organization, network segmentation should be software-defined. Implementing the entire architecture with hardware and proxies is very expensive and complex to scale. – Sameer Malhotra, Trufort, Inc.

3. Enforce least privileges

Applying the principle of least privilege is important in designing a secure and efficient network architecture. This includes limiting the access rights of users and systems to the minimum level necessary to perform their functions, minimizing the potential impact of security breaches and reducing unauthorized access to network segments. – Mohit Gupta, Damco Solutions

4. Adopt a zero-trust model

Adopt a zero-trust model when designing secure network architectures. This means verifying every user and device, regardless of location, before granting access to a network segment. Segmentation with strict access controls based on need-to-know standards ensures tight security and efficient traffic management, minimizing risk and optimizing performance. – Ronald Griffin, Saw

5. Follow ‘defense in depth’ principles

A key principle is known as “defense in depth”. This means not relying on any one technology, policy, or procedure to protect any part of the network. Using this approach, you assume that one of the individual layers protecting part of the network – firewall, password or IP whitelist – may be compromised. Then, you design security measures that combine multiple unrelated approaches to mitigate threats. – Adam Sandman, Inflectra Corporation

6. Fragment the network

A key principle of designing a secure, efficient network architecture is to implement strong network segmentation. It divides the network into separate areas, each with unique access controls, which reduces the attack surface and prevents potential breaches. – Shamaila Mahmood, Indus Valley Labs (Pvt) Ltd.

7. Incorporate BFT principles

Incorporate Byzantine fault tolerance principles into your network design. BFT is about ensuring the reliability and security of the system in the presence of faulty or malicious components. For example, if you introduce redundancy and divide the network into separate nodes, each with independent verification mechanisms, the network can withstand compromise or failure events and isolate them. – Irfan Rostami, Voltai

8. Encrypt data automatically

Bring cryptographic protection as close as possible to sensitive data and content, no matter what container it is in. This can be accomplished by automatically encrypting all sensitive data, content and documents and digitally assigning them to the appropriate groups, roles and/or individuals. This starts at the creation or ingestion of such material and continues throughout its life cycle. – Karim Aldefrawy, Confidential.io

9. Create a VLAN

Creating a Virtual Local Area Network is a best practice for designing a secure and efficient network infrastructure. For example, security cameras, VoIP handsets, test environments, public conference rooms and Wi-Fi should all be separated on VLANs. When done correctly, it allows you to isolate and troubleshoot malicious attempts and attacks on specific internal networks. – William Charles Lee, GQIT
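A concrete look at what "separated on VLANs" means at the frame level, as an added example that is not part of the article or any contributor's code: a small Python parser pulls the 802.1Q tag stack out of a raw Ethernet frame, and a per-port policy decides whether the frame is accepted where it arrived and into which VLAN it lands. The port names (gi1/0/5, gi1/0/9, gi1/0/48), VLAN numbers and sample frames are constructed for illustration. It goes a little beyond the tip itself: a priority-only tag (VID 0) is treated as untagged, and stacked (QinQ) tags are refused on the trunk, which is the kind of check a switch must make before it trusts a tag to place traffic in a segment.

```python
"""Parse 802.1Q tags from raw Ethernet frames and enforce a per-port VLAN policy.

Added example, not from the article. Port names, VLAN numbers and frames are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service tag; outer tag of a stacked (QinQ) frame


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlans: List[int] = field(default_factory=list)  # outermost tag first
    ethertype: int = 0
    payload: bytes = b""


def parse_frame(raw: bytes) -> Frame:
    """Walk the tag stack that follows the MAC addresses. A tag whose VID is 0 is a
    priority-only tag: it carries no VLAN membership, so it is consumed but not
    recorded as a VLAN. Truncated frames raise rather than being guessed at."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off, vlans = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if off + 4 > len(raw):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        vid = tci & 0x0FFF  # low 12 bits are the VID; PCP/DEI in the top 4 are ignored here
        if vid != 0:
            vlans.append(vid)
        off += 4
    return Frame(dst, src, vlans, etype, raw[off + 2:])


# Constructed switch policy. Access ports admit only untagged frames and place them
# in a single VLAN; the uplink is a trunk restricted to the listed VLANs.
ACCESS_PORTS = {"gi1/0/5": 20, "gi1/0/9": 30}        # e.g. cameras, VoIP handsets
TRUNK_ALLOWED = {"gi1/0/48": {10, 20, 30, 99}}


def admit(port: str, raw: bytes) -> Tuple[bool, str]:
    """Decide whether a frame arriving on `port` is accepted, and into which VLAN."""
    f = parse_frame(raw)
    if port in ACCESS_PORTS:
        if f.vlans:
            return False, f"tagged frame {f.vlans} rejected on access port {port}"
        return True, f"untagged frame placed in VLAN {ACCESS_PORTS[port]}"
    if port in TRUNK_ALLOWED:
        if not f.vlans:
            return False, f"untagged frame rejected on trunk {port}"
        if len(f.vlans) > 1:
            return False, f"stacked tags {f.vlans} rejected on trunk {port}"
        vid = f.vlans[0]
        if vid not in TRUNK_ALLOWED[port]:
            return False, f"VLAN {vid} not permitted on trunk {port}"
        return True, f"tagged frame accepted in VLAN {vid}"
    return False, f"unknown port {port}"


def build_frame(vids: List[int], ethertype: int = 0x0800,
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame: fixed MACs, an optional tag stack (outer tag uses the
    802.1ad TPID when stacked), then the EtherType and a minimal payload."""
    hdr = bytes.fromhex("0102030405060a0b0c0d0e0f")
    tags = b"".join(
        struct.pack("!HH", TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q, v & 0x0FFF)
        for i, v in enumerate(vids)
    )
    return hdr + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for port, vids in [("gi1/0/5", []), ("gi1/0/5", [20]), ("gi1/0/48", [20]),
                       ("gi1/0/48", [40]), ("gi1/0/48", [10, 20]), ("gi1/0/48", [0])]:
        print(port, vids, admit(port, build_frame(vids)))
```

The policy is deliberately asymmetric: an access port never honours a tag supplied by the attached device, so a camera or handset cannot choose its own VLAN, and the trunk carries only VLANs that were explicitly pruned onto it.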

10. Limit the impact of human error

Software is insecure and humans make mistakes, so individual system and user compromises are inevitable. The aim of secure network design should be to engineer things so that the impact of malware and human mistakes is limited in time and space. Think: If node X is compromised, how should node Y and your network elements be configured so that the attack does not spread? – Gaurav Banga, Balbix

11. Set up a guest network

Create a guest network that is separate from your main network. Any device that is not company-owned (if, for example, you have a bring-your-own-device policy) can only connect to the guest network. You do not have control over the websites accessed by your company-owned devices or the content on them, and you never know what threats exist on such devices. Having a guest network will isolate any threats from BYOD policies. – Sarah Goffman, TCE Communications, Inc.

12. Try to split traffic

Network designers need to understand the expected traffic flow, its business purpose and the threats to it. They must design networks to isolate traffic, allowing monitoring and control points to identify and manage abnormal flows. Despite techniques such as microsegmentation and the blurring of intrusion-detection separation lines, maintaining control points remains a key principle in secure network design. – Mia Millet, Skyline Technology Solutions

13. Shorten the ‘hops’

It is important to reduce the number of “hops” required to pick up a data packet, as each hop introduces additional potential for data loss. Along with defensive approaches, such as external key management, and proactive approaches, such as crypto agility, the best way to prevent risk is to deploy multiple security layers that prevent an attacker from accessing and extracting critical data as it roams through the network. – Todd Moore, Thales Group

14. Understand the behavior of connected assets

You need to understand the behavior of your connected assets and the context in which they operate. Who are they connecting with, and when? Which communications does the required functionality actually need? Automation and artificial intelligence can help establish a baseline of device activity, which is important for defining segmentation policies that allow only approved communications and block everything else. – Jim Hyman, Ord.

15. Separate production and non-production networks

One of the most important design principles for proper network separation is to completely separate production networks from non-production (i.e., office) networks. This is an important defense in preventing ransomware attacks from spreading from non-production networks, where these types of attacks are typically targeted (via email), to critical production networks. – Mark Schlesinger, Broadridge Financial Solutions

16. Take a multi-step approach to firewall setup

Design a firewall rule and enforce it with logging only (no blocking). Adjust it as needed before going into full blocking. Make sure you take into account unusual processes running at the end of the month, quarter or year that you may not catch during normal parts of the work week. – Tim Medin, Red Seas
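The tips on baselining device communications (No. 14) and staging a firewall rule in log-only mode before blocking (No. 16) fit together into one workflow, shown here as an added example that is not code from the article or any of its contributors. The Python derives a default-deny allowlist from a learning window of flow records, runs the deny rule in log-only mode over a later window that deliberately spans a month-end, reviews what would have been blocked, and only then enforces. Host names, ports and the flow records are constructed, and the "ISO-timestamp src dst dport proto" line format is an assumption standing in for whatever flow export (NetFlow, VPC flow logs, firewall logs) you actually have.

```python
"""Baseline -> allowlist -> log-only staging -> enforce.

Added example, not from the article. Hostnames, ports and flow records are
constructed; the record format is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]  # (src, dst, dport, proto)


@dataclass(frozen=True)
class Record:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str

    @property
    def key(self) -> Flow:
        return (self.src, self.dst, self.dport, self.proto)


def parse_flows(text: str) -> List[Record]:
    """Parse 'ISO-timestamp src dst dport proto' lines (constructed format)."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        recs.append(Record(datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return recs


def build_baseline(recs: List[Record], min_days: int = 2) -> Set[Flow]:
    """Admit a flow tuple only if it was seen on at least min_days distinct days,
    so a one-off observed during learning does not quietly become policy."""
    seen_days: Dict[Flow, Set[date]] = defaultdict(set)
    for r in recs:
        seen_days[r.key].add(r.ts.date())
    return {k for k, d in seen_days.items() if len(d) >= min_days}


def apply_policy(recs: List[Record], allow: Set[Flow], enforce: bool) -> List[Tuple[Record, str]]:
    """Default-deny against the allowlist. With enforce=False the rule only logs
    and nothing is dropped, which is the staging mode the tip describes."""
    return [(r, "ALLOW" if r.key in allow else ("DROP" if enforce else "LOG")) for r in recs]


def review(verdicts: List[Tuple[Record, str]]) -> Dict[Flow, dict]:
    """Collapse non-ALLOW verdicts per flow tuple with count and first/last seen,
    so a periodic job shows up as one reviewable line together with its timing."""
    out: Dict[Flow, dict] = {}
    for r, action in verdicts:
        if action == "ALLOW":
            continue
        e = out.setdefault(r.key, {"action": action, "count": 0, "first": r.ts, "last": r.ts})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], r.ts), max(e["last"], r.ts)
    return out


# Constructed learning window: three ordinary weekdays. laptop-7 -> db-01 is a one-off.
LEARNING = """
2023-10-16T09:00:00 cam-01 nvr-01 554 tcp
2023-10-17T09:00:00 cam-01 nvr-01 554 tcp
2023-10-16T09:05:00 erp-app db-01 5432 tcp
2023-10-17T09:05:00 erp-app db-01 5432 tcp
2023-10-18T09:05:00 erp-app db-01 5432 tcp
2023-10-16T23:00:00 erp-app ntp-01 123 udp
2023-10-17T23:00:00 erp-app ntp-01 123 udp
2023-10-18T14:00:00 laptop-7 db-01 5432 tcp
"""

# Constructed validation window spanning month-end: a legitimate close job
# (erp-app -> fin-batch) that never ran during learning, and a camera talking
# SMB to a file server, which no camera should ever do.
VALIDATION = """
2023-10-30T09:05:00 erp-app db-01 5432 tcp
2023-10-31T02:00:00 cam-01 file-01 445 tcp
2023-10-31T23:30:00 erp-app fin-batch 8443 tcp
2023-10-31T23:31:00 erp-app fin-batch 8443 tcp
2023-11-01T09:00:00 cam-01 nvr-01 554 tcp
"""

if __name__ == "__main__":
    base = build_baseline(parse_flows(LEARNING))
    for flow, e in review(apply_policy(parse_flows(VALIDATION), base, enforce=False)).items():
        print(e["action"], flow, e["count"], e["first"], e["last"])
    # After review the month-end job is added explicitly; only then is the rule enforced.
    base.add(("erp-app", "fin-batch", 8443, "tcp"))
    for flow, e in review(apply_policy(parse_flows(VALIDATION), base, enforce=True)).items():
        print(e["action"], flow, e["count"])
```

Two design points carry over to real deployments. The learning window must be long enough to contain the periodic jobs the tip warns about, or the log-only pass must, as here, be run across one; and the review output groups by flow tuple with first/last seen precisely so that a job that fires at 23:30 on the 31st is recognisable as a schedule rather than dismissed as noise.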

17. Isolate individual IIoT processes

In manufacturing environments, I recommend hosting production processes and their associated Industrial Internet of Things devices on obscure networks that are tightly hidden and hermetically sealed. Be sure to isolate each process and its associated IIoT device on separate networks. When access is needed to processes or their IIoT devices, deploy a secure, single point-of-entry platform such as IXON’s Cloud Platform. – Robert Martin, Oil City Iron Works, Inc.