* Determine who can access what data. This boils down to business need: who needs to administer the routers or switches? Who needs access to the human resources or financial systems? How many folks should be able to remotely control the security cameras? Be ruthless. If there is no business need, there should be no access.
Organizations that operate only within one country or region may even want to block traffic from remote geographic regions wholesale at the IP layer (bearing in mind that geo-blocking is coarse and easily bypassed through a proxy or VPN, so it cuts down noise rather than stopping a determined attacker). In general, adopt a default-deny access posture for each VLAN. The goal is twofold: limit access to sensitive information to the people within the organization who need it, and put roadblocks in the way of an intruder who has already broken through one layer of security, so that they are stopped or slowed before doing further damage.
* Implement segmentation. In a large organization, network segmentation is a significant, long-term project, but each step along the way increases security. Start somewhere, perhaps with the network administrators or the Windows servers. In that case, you could set up VLANs called network-admins (for their workstations) and network-devices (for routers and switches).
Log all traffic between segments for long enough to learn what is normal and what the business actually needs in order to function. Once you know what is necessary, start blocking access to the VLANs from everywhere else, with the ultimate goal of default deny. Make sure you have controls both to enforce the segmentation and to detect when a later access-change request would undermine it. Continue the process through each group of assets, personnel and data.
* Maintain. Network segmentation is not a "set and forget" undertaking. The network access policy, defined in firewalls, routers and related devices, changes constantly to cater to new business requirements. Ensuring that new changes do not violate your segmentation strategy requires a good degree of visibility and automation (the same visibility also helps avoid outages or business disruption caused by misconfiguration). The management overhead needed to maintain good segmentation is one of the reasons organizations shy away from it. But proper segmentation is critical. A topology-aware network security solution that can automate the network segmentation process is vital.
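The three steps above (learn the traffic, switch to default deny, then vet every later change) are easier to see in working code. The following is an added example, not part of the original article and not any vendor's tool: it takes constructed flow-log lines for the hypothetical network-admins, network-devices and corp-users VLANs (the subnets, log format and approved-flow policy are all assumptions), counts the inter-VLAN flows seen during the logging period, lists what a default-deny policy on network-devices would cut off so that a human can review it before enforcement, and checks a proposed firewall rule change against the same policy.

```python
"""Added example (not from the original article): learn inter-VLAN flows from
constructed log lines, list what default deny on the network-devices VLAN would
cut off, and vet a proposed firewall rule change against that policy. VLAN
names, subnets, log format and policy are assumptions made for illustration."""
import ipaddress
from collections import Counter

# Hypothetical VLAN-to-subnet mapping (assumed).
VLANS = {
    "network-admins": ipaddress.ip_network("10.10.1.0/24"),
    "network-devices": ipaddress.ip_network("10.10.2.0/24"),
    "corp-users": ipaddress.ip_network("10.20.0.0/16"),
}

# Human-approved flows into each protected VLAN as (source VLAN, proto, dport).
# This is the outcome of reviewing the logs; anything not listed is denied.
POLICY = {
    "network-devices": {
        ("network-admins", "tcp", 22),   # SSH management
        ("network-admins", "tcp", 443),  # web UI
        ("network-admins", "udp", 161),  # SNMP polling
    },
}

# Constructed flow log in a simple key=value form (not a real vendor format),
# standing in for the logging period before enforcement.
SAMPLE_LOG = """\
src=10.10.1.15 dst=10.10.2.1 proto=tcp dport=22 action=allow
src=10.10.1.15 dst=10.10.2.2 proto=tcp dport=22 action=allow
src=10.10.1.22 dst=10.10.2.1 proto=tcp dport=443 action=allow
src=10.10.1.22 dst=10.10.2.1 proto=udp dport=161 action=allow
src=10.20.3.40 dst=10.10.2.1 proto=tcp dport=22 action=allow
src=10.20.3.40 dst=10.10.2.1 proto=tcp dport=23 action=allow
src=10.20.7.9 dst=10.10.2.5 proto=tcp dport=443 action=allow
src=10.20.7.9 dst=10.20.7.10 proto=tcp dport=445 action=allow
"""


def vlan_of(ip):
    """Map an address to its VLAN name, or None if outside every VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def parse_flow(line):
    """Parse one key=value log line; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src_vlan": vlan_of(fields["src"]), "dst_vlan": vlan_of(fields["dst"]),
            "proto": fields["proto"].lower(), "dport": int(fields["dport"])}


def learn_flows(log_text):
    """Count observed inter-VLAN flows keyed (src_vlan, dst_vlan, proto, dport).
    Intra-VLAN traffic is skipped: segmentation controls the boundaries."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f and f["src_vlan"] != f["dst_vlan"]:
            flows[(f["src_vlan"], f["dst_vlan"], f["proto"], f["dport"])] += 1
    return flows


def is_allowed(policy, src_vlan, dst_vlan, proto, dport):
    """Default deny: a flow into a protected VLAN passes only if listed."""
    if dst_vlan not in policy:
        return True  # destination VLAN not (yet) under default deny
    return (src_vlan, proto, dport) in policy[dst_vlan]


def flows_to_block(flows, policy):
    """Observed flows that enforcement would cut off. Review before switching
    to default deny: each is either a pending outage or traffic that should
    never have been permitted (e.g. telnet from user desktops to switches)."""
    return {k: n for k, n in flows.items() if not is_allowed(policy, *k)}


def check_rule_change(policy, rule):
    """Vet a proposed rule (the 'Maintain' step). Returns (ok, reason)."""
    if rule["action"] != "allow":
        return True, "deny rules cannot weaken segmentation"
    if rule["src_vlan"] in (None, "any") and rule["dst_vlan"] in policy:
        return False, f"allow from any source into protected VLAN {rule['dst_vlan']}"
    if not is_allowed(policy, rule["src_vlan"], rule["dst_vlan"],
                      rule["proto"], rule["dport"]):
        return False, (f"{rule['src_vlan']} -> {rule['dst_vlan']} "
                       f"{rule['proto']}/{rule['dport']} is not in the approved policy")
    return True, "consistent with segmentation policy"


if __name__ == "__main__":
    observed = learn_flows(SAMPLE_LOG)
    for flow, n in sorted(flows_to_block(observed, POLICY).items()):
        print(f"would block {n}x {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
    print(check_rule_change(POLICY, {"src_vlan": "corp-users", "dst_vlan": "network-devices",
                                     "proto": "tcp", "dport": 22, "action": "allow"}))
```

Note that the script deliberately does not turn every observed flow into an allow rule: the telnet session from a user desktop to a switch shows up in the logs too, and "seen in the logs" is not the same as "business need". The observed list is input to a human decision; POLICY records that decision, and the same policy is then what every later change request is checked against.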
Network segmentation is unquestionably an effective component of a defense in depth strategy. Organizations that implement it must be prepared to manage scores of firewalls, switches and routers, each with hundreds of rules, all of which will be affected by the segmentation project and potentially by updates and changes even after it is in place. A rigorous approach is essential, and a significant investment of time and staff is also required. But regardless, it's much easier to equip your organization with a secure defense through proper network segmentation than to explain to shareholders and the media how hackers were able to access millions of records on your systems.