web analytics
Skip to content

This article was originally published as part of the USFN Newsletter, as a follow-up to our participation in their Digital Security webinar.

Mitigating Risk by Segmenting and Separating Data – Network Security Architecture Explained

With the latest generation of phishing and social engineering assisted by the newest AI technologies, information security is more important than ever for small businesses. According to the “Acronis Cyberthreats Report, H2 2023” AI-enhanced phishing attacks affected over 90% of organizations surveyed and resulted in a 222% increase in email attacks in 2023 when compared to the same time period in 2022.

This risk is especially great for any business dealing in PII, financial data, or legal – for the default servicing industry, this is the triple threat that makes security high-priority across the organization. One of the best strategies to ensure data security is data segregation.

The goal is to ensure only the individuals who are authorized to view certain data sets have access to them – and that while that access is secure, it remains easy and convenient for the team members who need the data to do their job.

It’s easiest to envision a complete data segregation strategy by visualizing the way a layered, segmented security protocol works on physical documents. The familiar layers of security are present for most hard copies of documents in the physical world.

  • a property gateway (potentially with a security guard) exists, verifying access to the property.
  • the building entrance uses a badge reader or biometric scan, and a secondary badge entrance would provide further segregated access to a particular wing.
  • within the wing, even fewer key cards would grant access to certain hallways or individual rooms.
  • a physical key is required to unlock a particular cabinet full of sensitive files.

In this example, there are up to six layers of security present between the “outside world” and the sensitive information, each of which limits access in steps. Could an outside unknown malicious actor get access to a document in the file cabinet (without the use of “Hollywood writers”)? The short answer is no – the only people that could do harm in this scenario are a very limited number of internal employees, restricted by the many layers of access and significantly narrowing down potential threats.

What if one of those layers is compromised, like the lock on the cabinet? Even with one or two less layers of security, the documents themselves are still secure from outside access. Risk probability decreases exponentially after each layer of security in place.

An equivalent layered segregation process is the best approach to ensure a secure environment for digital data. For example:

  • A VPN gateway functions as the property access, with as many as eight factors of verification in this “front line” defense: a username and password, with multi-factor authentication (MFA) tokens matching the PC/Device, IP Address/location, a one-time PIN from Authenticator, mobile device registration for authenticating devices, and FaceID on the authenticated device.
  • Firewall/security rules work as the building key card: after VPN connection is established, the VPN client with an Endpoint Security Profile can determine what access is allowed based on the user’s account and group membership, denying or granting specific IP/port access.
  • Application authentication represents key card access to specific rooms and hallways, and is separately managed in a similar way to the VPN (factors include Internal WebUIs, File Shares, RDP, SSH, and a different username/password requiring a new MFA)
  • Finally, the file cabinet lock is represented by specific application access – after authentication in the previous steps, what data is available to that authenticated user in the specific application? This is the final step to ensuring the right data is available readily to users who need it, and can also determine read/write permissions, modification availability, etc.

Final questions to consider around data segregation, from our in-house experts:

Q: How many layers does our company NEED?

A: One layer, even with MFA, is no longer enough. Companies should have AT MINIMUM two layers each with their own multi-factor authentication before classified/protected information can be reached.

Q: Which technologies are most important to secure?

A: Endpoint security for physical devices (laptops, phones, etc.) through which employees can access classified information is most important. Authentication and file transfers for Unified Messaging technologies (email, IM, phone, online conference, voicemail) is second most important. Web based interfaces, applications, and connections would be third on the list. These are the big three that absolutely NEED their own layers of security, including MFA.

Contact Us to Learn More!

Latest Posts

April 3, 2025

A New Era of Integration

A New Era of Integration This new year brings an exciting announcement: NetDirector and CaseAware by a360inc have
Seth WuertzBy Seth Wuertz
April 3, 2025

Pennymac Bankruptcy Events

Pennymac Bankruptcy Events & Document Uploads NetDirector has expanded our available Pennymac integrations! Our newest Pennymac integrations are
Seth WuertzBy Seth Wuertz
January 22, 2025

NetDirector Webinar – AI Redact and Pennymac Updates

NetDirector Webinar Series: A.I. Redact and Pennymac Updates Join your hosts, Nicole Ellis, Tom Archambault, and Gretchen Borer
Seth WuertzBy Seth Wuertz