matt_prigge
Contributing Editor

Architectural rule No. 1: Segregate everything

analysis
Dec 19, 2011 | 6 mins

In the face of breakneck growth, you absolutely must maintain appropriate segregation of enterprise data networks, storage networks, and more

Enterprise IT infrastructures now face such an explosion of applications, devices, and data that just running in place is hard enough. Nobody seems to have the time or resources to design new systems that actually improve operations. Nonetheless, there’s one step you can take to make life easier and your infrastructure stronger as you deal with rampant growth: introduce logical separation wherever you can.

It doesn’t really matter whether you’re talking about segregating compute bandwidth, storage capacity, networking gear, or different types of data; the reasoning is the same. Maintaining solid performance, tight security, high efficiency, and easy manageability all require thoughtful partitioning of different types of services and data — partitioning that’s often extremely difficult or even impossible to do after the fact.

The process will vary greatly depending upon which technology you’re working with. But one common thread should run through every level of your infrastructure: Keep it separated.

Segregating the network

As you read this, chances are you’re sitting behind a combination of network security hardware: firewalls, IDS/IPS, content filters, and the like. If your organization operates Internet-accessible services such as Web and email servers, those systems probably also include one or more DMZs that isolate those vulnerable services from the fleshy underbelly of the internal corporate network. Almost any IT pro is familiar with this kind of security-oriented network segregation — and anyone who operates without it does so at his or her peril.

But that’s not where the network security story ends. Even in the smallest corporate networks, real benefits can be derived from heavily partitioning the internal network, at a minimum involving the use of VLANs and L3 routing if not full-blown internal firewalling. In years past, this kind of network segregation was generally used to increase performance by controlling broadcast traffic in very large networks. Today, with much larger and more diverse populations of network-attached devices — from employee smartphones to facility HVACR systems — it is increasingly important to treat the once-trusted internal network as an imminent threat that needs to be protected from itself.

The trouble is that very few enterprises opt to implement these kinds of internal security measures, despite the fact we live in a world where incredibly virulent, purpose-built worms seek and destroy industrial control systems. Yes, these kinds of threats are still fairly unusual, but you can bet they won’t be for very long.

Even if your company doesn’t have a shop floor full of nuclear centrifuges, you might have a network-attached HVAC or fire alarm system. You’re also fairly likely to have some networked UPSes, a VoIP phone system, or an IP-based storage infrastructure — and you almost definitely have more than your share of network printers. A ton of network devices that almost everyone has — and few think of as security risks — never seem to be protected to the same degree as, say, desktop computers. Don’t let these systems fly under the radar. Segregate them onto their own network segments, where access is limited solely to the systems that need to reach them.

Security isn’t the only reason to shove these different types of devices into their own protected subnets. By liberally segregating these kinds of systems, servers, and desktops, you can get a much better picture of how your network resources are being used. Consequently, you’ll be in a much better position to monitor, isolate, troubleshoot, and diagnose network problems when they occur.

These days, if I’m redesigning a network for a client, even a relatively small one, I’ll almost always introduce a significant amount of network segregation into the design. Even if it doesn’t include any actual access controls to start with, just having the ability to easily add them if the need arises is extremely useful. I’ve been in more than one situation where a zero-day virus outbreak was contained because the network was heavily segmented — which would’ve been impossible had the segmentation not already been in place.

No matter why you do it, you can virtually guarantee that your network will get bigger (even if your company doesn’t), not smaller. And the bigger it is, the harder it is to implement the measures you may need down the line.
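The network rule above (one device class per segment, and access into the HVAC, UPS, printer, VoIP and storage segments limited to the systems that need it) can be checked mechanically. The following audit script is an added example, not code from the article: it runs over a constructed VLAN plan, device inventory and inter-VLAN ACL, and reports segments that mix device classes and allow rules that let a non-management segment reach an infrastructure segment. The VLAN numbers, subnets, hostnames and the choice of VLAN 10 as the management segment are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed VLAN plan: vlan id -> subnet (assumption, not from the article)
VLANS = {10: "10.10.1.0/24", 20: "10.10.2.0/24", 50: "10.10.5.0/24", 60: "10.10.6.0/24"}

# Constructed inventory: (hostname, ip, device_class)
INVENTORY = [
    ("fs01",    "10.10.1.10",  "server"),
    ("pc-101",  "10.10.2.101", "desktop"),
    ("prn-3f",  "10.10.2.50",  "printer"),   # printer parked on the desktop subnet
    ("hvac-01", "10.10.5.5",   "hvac"),
    ("ups-01",  "10.10.6.5",   "ups"),
]

# Constructed inter-VLAN ACL: (src_cidr, dst_cidr) pairs that are allowed;
# anything not listed is assumed to be dropped at the L3 boundary.
ACL = [
    ("10.10.1.0/24", "10.10.5.0/24"),   # servers -> HVAC (intended)
    ("10.10.1.0/24", "10.10.6.0/24"),   # servers -> UPS (intended)
    ("10.10.0.0/16", "10.10.5.0/24"),   # "temporary" any -> HVAC rule left behind
]

INFRA_CLASSES = {"hvac", "ups", "printer", "voip", "storage"}
MGMT_VLANS = {10}  # assumption: hosts that legitimately manage infra live on VLAN 10


def vlan_of(ip):
    """Map an address to the VLAN whose subnet contains it (None if unplanned)."""
    addr = ipaddress.ip_address(ip)
    for vlan, cidr in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return vlan
    return None


def mixed_vlans(inventory):
    """Segments hosting more than one device class violate 'one class per segment'."""
    classes = defaultdict(set)
    for _, ip, cls in inventory:
        classes[vlan_of(ip)].add(cls)
    return {v: sorted(c) for v, c in classes.items() if len(c) > 1}


def over_permissive_rules(inventory, acl):
    """Allow rules whose source overlaps a non-management VLAN and whose
    destination overlaps a VLAN that (per inventory) carries infra devices."""
    infra_vlans = {vlan_of(ip) for _, ip, cls in inventory if cls in INFRA_CLASSES}
    net = lambda v: ipaddress.ip_network(VLANS[v])
    hits = []
    for src, dst in acl:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        touches_infra = any(dst_net.overlaps(net(v)) for v in infra_vlans)
        from_non_mgmt = any(src_net.overlaps(net(v)) for v in VLANS if v not in MGMT_VLANS)
        if touches_infra and from_non_mgmt:
            hits.append((src, dst))
    return hits
```

Running `mixed_vlans(INVENTORY)` flags VLAN 20 for mixing desktops and a printer, and `over_permissive_rules(INVENTORY, ACL)` flags the leftover any-to-HVAC rule.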

Segregating storage

It’s no secret that corporate data is growing at an amazing clip. Effectively dealing with this kind of data growth requires more than huge piles of storage hardware. For example, one of the largest sources of unstructured data growth is often something as simple as poor organization. When users aren’t encouraged to store data in ordered, manageable ways, it can become next to impossible to determine who owns what and whether or not it’s still needed — leading to a situation where everything that’s stored must be retained (or, if you’re brave, tossed). If you’ve been in IT for a while, you’ve no doubt seen at least one of these infamous “public” file shares.

By enforcing partitioning of data storage into logical divisions based on private user data, departmental data, and the like, you can always hold someone accountable for the data that’s being generated and stand a much better chance of curtailing its growth. You also gain the ability to granularly monitor storage usage, divide these groups over multiple storage systems, and enforce controls such as storage quotas if you like — not possible if everyone’s data is commingled or poorly organized. And as with network segregation, it is far, far easier to apply stringent data security and auditing rules when data is well segregated.

These kinds of data segregation don’t just leave you better prepared to control data growth; they might also put you in a better position to implement cost-saving storage techniques such as tiering and deduplication. Both approaches are much more effective when you know a lot about the kind of data you’re dealing with and are able to manage each kind independently.

Segregate … everything

Though enterprise networks and storage make great examples, the motivation for segregating these types of resources can apply to just about anything: servers, applications, backup methodologies — you name it. By resisting the urge to pile in new systems on top of existing ones without logically separating them, you can better ensure your ability to provide solid security, performance, and efficiency, even when you can’t tell what challenges the future will bring.

This article, “Architectural rule No. 1: Segregate everything,” originally appeared at InfoWorld.com.