Why Network Segmentation Projects Often Fail: Common Patterns and Pitfalls
Enterprise Network Segmentation Projects Fail Due to Predictable Patterns
A recent study of 400 US-based network security professionals found that network segmentation projects often fail due to a combination of general IT project management issues and segmentation-specific technical barriers.
The Four Distinct Patterns of Failure:
- “Perfect Storm”: A combination of general IT project management problems and segmentation-specific technical challenges, including unclear goals, weak leadership sponsorship, unrealistic timelines, and a complex environment that was difficult to segment.
- “Diffuse Fraction”: Several factors contributed to the project’s failure; problems with goal clarity and sponsorship were less severe than in the “Perfect Storm” group but still present.
- “Operational Drag”: Leadership sponsorship and goal definition were adequate, but the ongoing operational burden of building and maintaining segmentation policies was a major challenge.
- “Scope and Visibility Trap”: Inadequate asset visibility combined with a complex environment made it difficult to segment effectively.
The study also found that the type of workload (bare metal, virtualized, containerized, or serverless) was not associated with any specific failure pattern. However, the approach used (Layer-2 or Layer-3, macro or micro segmentation) and the presence of a campus network in scope were associated with certain failure patterns.
When respondents were asked what single change they would make if they could repeat the project, approximately 70% proposed a general IT project management fix, while 30% suggested a segmentation-specific fix.
The researchers offer two possible explanations for this finding: firstly, that working within a poorly governed project leaves a lasting impression on practitioners, leading them to propose general project management fixes; secondly, that general project management failures are upstream causes that can lead to technical difficulties.
Mitigating Risks:
To mitigate these risks, the study recommends that teams invest in pre-project activities such as asset discovery and environmental scoping, particularly for campus networks and Layer-2 macro-segmentation approaches. Additionally, teams experiencing operational drag should focus on policy automation investments and on agreeing what level of disruption risk is acceptable.
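To make the asset-discovery and scoping recommendation concrete, here is an added Python example (not code from the study or the page): it audits a constructed asset inventory against a hypothetical Layer-3 macro-segmentation plan and flags assets that no segment covers, assets that fall into more than one segment, and prefixes that overlap, the kind of gaps that feed the “Scope and Visibility Trap” and later turn into operational drag.

```python
import ipaddress

# Constructed sample inventory (hostname -> IP) standing in for the output of
# an asset discovery phase; values are made up for this example.
ASSETS = {
    "erp-db-01": "10.10.1.15",
    "erp-app-02": "10.10.2.40",
    "hr-portal": "10.20.5.9",
    "lab-switch-7": "192.168.77.3",  # campus device nobody put in the plan
    "print-srv": "10.30.0.12",
}

# Constructed Layer-3 macro-segmentation plan: segment name -> CIDR prefixes.
SEGMENTS = {
    "erp": ["10.10.0.0/16"],
    "hr": ["10.20.0.0/16"],
    "printing": ["10.30.0.0/24"],
    "legacy": ["10.10.2.0/24"],  # overlaps "erp": policy for that /24 is ambiguous
}


def audit_segmentation(assets, segments):
    """Return (unassigned hosts, hosts in >1 segment, overlapping segment pairs)."""
    nets = [(name, ipaddress.ip_network(cidr))
            for name, cidrs in segments.items() for cidr in cidrs]
    unassigned, ambiguous = [], {}
    for host, addr in assets.items():
        ip = ipaddress.ip_address(addr)
        hits = sorted({name for name, net in nets if ip in net})
        if not hits:
            unassigned.append(host)          # invisible to the plan entirely
        elif len(hits) > 1:
            ambiguous[host] = hits           # two segments claim this host
    overlaps = set()
    for i, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[i + 1:]:
            if a_name != b_name and a_net.overlaps(b_net):
                overlaps.add(tuple(sorted((a_name, b_name))))
    return sorted(unassigned), ambiguous, sorted(overlaps)


if __name__ == "__main__":
    unassigned, ambiguous, overlaps = audit_segmentation(ASSETS, SEGMENTS)
    print("assets in no segment:", unassigned)
    print("assets in multiple segments:", ambiguous)
    print("overlapping segment prefixes:", overlaps)
```

Running the audit before policy design, and again after every inventory refresh, keeps the scope from silently drifting away from the plan.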
Overall, the study highlights the importance of understanding the patterns of failure in network segmentation projects and taking proactive steps to address potential pitfalls. By doing so, organizations can improve their chances of successful segmentation and reduce the likelihood of costly rework and security breaches.