Network Segmentation in Shared Office Environments
In modern business centers, multiple companies often share the same physical network infrastructure. While this setup can be cost-effective, it introduces serious security and operational risks. Network segmentation provides a crucial line of defense—allowing each tenant to maintain their own secure digital boundary, even when the physical network is shared.
This article explores the importance of network segmentation from both a technical and business perspective, outlines best practices, and provides implementation examples that can be adapted for real-world deployment.
Scenario: Shared Office Building with Multiple Companies
Imagine an office building hosting three companies:
- Company A — Financial services (handles sensitive client data)
- Company B — Marketing agency (runs campaigns with large media files)
- Company C — Software startup (uses cloud-based development tools)
All three share:
- The same physical LAN (wired/wireless infrastructure)
- The same Internet uplink
- Possibly the same IT management contractor
Without proper network segmentation, Company C's developer could accidentally (or maliciously) access resources belonging to Company A—potentially exposing client data and violating ISO 27001, GDPR, or other compliance requirements.
Business Impact of Poor Segmentation
| Department | Impact Without Segmentation | Benefit With Segmentation |
|---|---|---|
| IT/Security | Risk of unauthorized access and data breaches | Clear isolation, easier incident containment |
| Finance | Non-compliance fines, legal exposure | Controlled access supports regulatory compliance |
| Operations | Network congestion due to overlapping traffic | Prioritized and optimized bandwidth usage |
| HR/Management | Reputation loss from breach | Enhanced trust and client confidence |
| Business Development | Difficulty onboarding new tenants securely | Plug-and-play security per tenant |
Vertical structure impact:
A well-segmented network empowers each department—from IT to business development—to operate independently without risk propagation across organizational layers.
Best Practices for Network Segmentation in Shared Environments
1. Use VLANs (Virtual Local Area Networks)
Each company (or department) should be assigned its own VLAN ID, ensuring logical separation at Layer 2.
Example configuration (Cisco IOS; comment lines use `!`, the IOS comment character):
```
! Create VLANs for each company
vlan 10
 name Company_A
vlan 20
 name Company_B
vlan 30
 name Company_C
! Assign each tenant's access ports to its VLAN
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 30
```
2. Apply Layer 3 Routing Rules and Access Control Lists (ACLs)
Control inter-VLAN communication using ACLs—allowing shared access only where business logic requires.
Example (an extended ACL matches the first entry only, so each tenant pair must be listed in both directions or the reverse direction falls through to the final permit):
```
! Deny inter-company traffic by default, in both directions of every tenant pair
ip access-list extended BLOCK_INTERCOMPANY
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 ! Everything else (for example Internet-bound traffic) is still allowed
 permit ip any any
```
Apply this ACL inbound on the interface handling inter-VLAN routing:
```
interface GigabitEthernet0/0
 ip access-group BLOCK_INTERCOMPANY in
```
3. Deploy Separate DHCP Scopes per VLAN
This ensures each company has independent IP addressing, preventing accidental overlap.
Example (pfSense configuration):
```
VLAN 10: 192.168.10.0/24 → DHCP range 192.168.10.50-192.168.10.200
VLAN 20: 192.168.20.0/24 → DHCP range 192.168.20.50-192.168.20.200
VLAN 30: 192.168.30.0/24 → DHCP range 192.168.30.50-192.168.30.200
```
4. Use Firewall Zones for Tenant Isolation
Firewalls (physical or virtual) can implement zone-based policies. Each company's VLAN should map to a unique zone.
Example (UFW on Ubuntu, with the Ubuntu host acting as the router between the VLAN interfaces):
```
# Inter-VLAN traffic is forwarded through the router, so it is matched by
# "ufw route" rules; plain "ufw allow/deny" rules only cover traffic addressed
# to the router itself. Keep Company B and Company C out of Company A's VLAN:
sudo ufw route deny in on vlan20 out on vlan10 from 192.168.20.0/24 to 192.168.10.0/24
sudo ufw route deny in on vlan30 out on vlan10 from 192.168.30.0/24 to 192.168.10.0/24
# Company A's own subnet may still reach the router's services on its VLAN interface
sudo ufw allow in on vlan10 from 192.168.10.0/24
# Repeat the same pattern for vlan20 and vlan30 so every tenant is protected.
```
5. Monitor and Log Separately
Each company's network traffic should be logged and monitored separately to ensure visibility and accountability.
Use tools like:
- Elastic Stack (ELK) — centralized logging
- ntopng — network visibility
- Wireshark — packet-level inspection
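Separate monitoring only helps if the logs can actually be attributed to a tenant and cross-tenant flows stand out. The script below is an added illustration, not code from the article or from any of the tools listed: it takes netfilter/UFW kernel log lines (constructed samples in the format Ubuntu writes for `[UFW BLOCK]` and, for rules created with the `log` keyword, `[UFW ALLOW]`), maps each source and destination address to a tenant using the article's addressing plan, counts events per tenant, and flags any flow between two different tenants that the firewall let through, which is exactly the segmentation failure this section wants visible.

```python
"""Per-tenant log separation and cross-tenant flow detection over UFW log lines.

Added example (not from the article). Tenant subnets follow the article's plan;
the log lines are constructed samples, not real captures.
"""
import ipaddress
import re
from collections import Counter

TENANTS = {
    "Company_A": ipaddress.ip_network("192.168.10.0/24"),
    "Company_B": ipaddress.ip_network("192.168.20.0/24"),
    "Company_C": ipaddress.ip_network("192.168.30.0/24"),
}

MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"  # constructed, shared by all samples

# Constructed sample lines in the kernel's netfilter log format as written by UFW.
SAMPLE_LINES = [
    f"Nov  3 09:12:01 gw kernel: [UFW BLOCK] IN=vlan20 OUT=vlan10 {MAC} "
    "SRC=192.168.20.15 DST=192.168.10.7 LEN=60 TTL=63 ID=1234 DF PROTO=TCP SPT=51000 DPT=445 SYN URGP=0",
    f"Nov  3 09:12:05 gw kernel: [UFW ALLOW] IN=vlan10 OUT=eth0 {MAC} "
    "SRC=192.168.10.22 DST=203.0.113.10 LEN=52 TTL=63 ID=1235 DF PROTO=TCP SPT=49222 DPT=443 SYN URGP=0",
    f"Nov  3 09:12:09 gw kernel: [UFW ALLOW] IN=vlan30 OUT=vlan20 {MAC} "
    "SRC=192.168.30.8 DST=192.168.20.40 LEN=84 TTL=63 ID=1236 PROTO=UDP SPT=5353 DPT=5353",
    f"Nov  3 09:12:12 gw kernel: [UFW BLOCK] IN=vlan30 OUT=vlan10 {MAC} "
    "SRC=192.168.30.8 DST=192.168.10.7 LEN=60 TTL=63 ID=1237 DF PROTO=TCP SPT=51001 DPT=22 SYN URGP=0",
    "Nov  3 09:12:15 gw sshd[2211]: Accepted publickey for admin from 192.168.10.5 port 50112 ssh2",
]


def parse_ufw_line(line):
    """Return a dict for a UFW kernel log line, or None for any other syslog line."""
    action = re.search(r"\[UFW (\w+)\]", line)
    if not action:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line))  # KEY=value tokens; bare flags like DF are skipped
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "action": action.group(1),
        "in_if": fields.get("IN", ""),
        "out_if": fields.get("OUT", ""),
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def tenant_of(ip):
    """Map an address to the tenant whose subnet contains it, or 'external'."""
    for name, net in TENANTS.items():
        if ip in net:
            return name
    return "external"


def per_tenant_summary(lines):
    """Count firewall events per source tenant, the basis for separate per-company log views."""
    counts = Counter()
    for line in lines:
        event = parse_ufw_line(line)
        if event:
            counts[tenant_of(event["src"])] += 1
    return dict(counts)


def cross_tenant_events(lines):
    """Events whose source and destination belong to two different tenants (any action)."""
    found = []
    for line in lines:
        event = parse_ufw_line(line)
        if not event:
            continue
        src_t, dst_t = tenant_of(event["src"]), tenant_of(event["dst"])
        if src_t != dst_t and "external" not in (src_t, dst_t):
            found.append((src_t, dst_t, event["action"], event["proto"], event["dport"]))
    return found


def isolation_violations(lines):
    """Cross-tenant flows the firewall permitted: each one is a segmentation gap to investigate."""
    return [e for e in cross_tenant_events(lines) if e[2] == "ALLOW"]


if __name__ == "__main__":
    print("events per tenant:", per_tenant_summary(SAMPLE_LINES))
    for violation in isolation_violations(SAMPLE_LINES):
        print("ISOLATION VIOLATION:", violation)
```

Feeding the real log (for example `/var/log/ufw.log`) through the same functions gives each company a view of only its own events, while `isolation_violations` becomes a simple alert condition for the shared-infrastructure operator. Blocked cross-tenant attempts are still worth reviewing, since a steady stream of them from one tenant usually means a misconfigured host rather than a firewall problem.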
6. Implement Zero Trust for Shared Services
When companies share printers, file servers, or Wi-Fi:
- Enforce identity-based access (e.g., RADIUS + 802.1X)
- Use network micro-segmentation for sensitive assets
- Leverage VPNs or SD-WANs for remote/branch security
Example: VLAN Segmentation with MikroTik RouterOS
Here's how to achieve the same result on a MikroTik device (ether1 is the trunk port carrying all three VLANs; `#` lines are RouterOS script comments):
```
/interface vlan
add name=vlan10 vlan-id=10 interface=ether1
add name=vlan20 vlan-id=20 interface=ether1
add name=vlan30 vlan-id=30 interface=ether1
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
/ip firewall filter
# Routed traffic passes the forward chain; drop every tenant pair in both directions
add chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.20.0/24
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.10.0/24
add chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.30.0/24
add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.10.0/24
add chain=forward action=drop src-address=192.168.20.0/24 dst-address=192.168.30.0/24
add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.20.0/24
```
Business Advantages
From a business perspective, segmentation provides measurable benefits:
- Data Security & Compliance: Prevents lateral movement and supports standards like ISO 27001.
- Operational Independence: Tenants can manage their own devices without affecting others.
- Scalability: New tenants can be added quickly by provisioning new VLANs and firewall rules.
- Cost Efficiency: Shared infrastructure remains viable without sacrificing security.
- Brand Trust: Clients and partners perceive a higher level of professionalism and control.
Implementation Steps Summary
- Identify tenant requirements (number of users, devices, shared services).
- Design VLAN and IP schema per company.
- Implement routing and ACL policies.
- Deploy per-VLAN DHCP and DNS configuration.
- Apply firewall zoning and monitoring.
- Validate segmentation with penetration testing.
- Document network design and access policies.
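Validation does not have to wait for a penetration test: the ACL design from step 2 can be checked on paper first. The script below is an added example, not code from the article or from any vendor tool. It models the first-match semantics of a Cisco extended ACL (including the implicit deny at the end), parses `permit|deny ip SRC DST` entries written with IOS wildcard masks, and then asks, for every ordered pair of tenants from the article's addressing plan, whether a sampled host in one subnet can reach a sampled host in the other. The two ACL texts are constructed inputs: one lists each tenant pair in a single direction, the other adds the reverse direction, and the audit shows the difference.

```python
"""Audit an IOS-style extended ACL for complete tenant-to-tenant isolation.

Added example (not from the article). Only "permit|deny ip SRC DST" entries are
modelled; the ACL texts below are constructed inputs for the audit.
"""
import ipaddress
from itertools import permutations

# Tenant subnets from the article's addressing plan.
TENANTS = {
    "Company_A": ipaddress.ip_network("192.168.10.0/24"),
    "Company_B": ipaddress.ip_network("192.168.20.0/24"),
    "Company_C": ipaddress.ip_network("192.168.30.0/24"),
}

# Constructed input: every tenant pair listed in one direction only.
ONE_WAY_ACL = """
ip access-list extended BLOCK_INTERCOMPANY
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
"""

# Constructed input: the same ACL with the reverse direction of each pair added.
BOTH_WAYS_ACL = """
ip access-list extended BLOCK_INTERCOMPANY
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip any any
"""


def _wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (contiguous wildcards only)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):  # not of the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard mask not supported: {wildcard}")
    return ipaddress.ip_network((addr, 32 - wild.bit_length()), strict=False)


def _parse_target(tokens, pos):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') at tokens[pos]."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    return _wildcard_to_network(tok, tokens[pos + 1]), pos + 2


def parse_acl(text):
    """Return the ACL as an ordered list of (action, src_net, dst_net); other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # header line, blank line or comment
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line.strip()!r}")
        src, pos = _parse_target(tokens, 2)
        dst, _ = _parse_target(tokens, pos)
        entries.append((tokens[0], src, dst))
    return entries


def decide(entries, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"


def find_isolation_gaps(entries, tenants):
    """Ordered tenant pairs (src, dst) for which a sampled host pair is permitted."""
    gaps = []
    for (name_a, net_a), (name_b, net_b) in permutations(tenants.items(), 2):
        hosts_a, hosts_b = (net_a[1], net_a[-2]), (net_b[1], net_b[-2])  # first and last usable host
        if any(decide(entries, s, d) == "permit" for s in hosts_a for d in hosts_b):
            gaps.append((name_a, name_b))
    return gaps


if __name__ == "__main__":
    for label, text in (("one direction per pair", ONE_WAY_ACL), ("both directions", BOTH_WAYS_ACL)):
        print(f"{label}: gaps = {find_isolation_gaps(parse_acl(text), TENANTS)}")
```

For the one-directional ACL the audit reports Company_B to Company_A, Company_C to Company_A and Company_C to Company_B as permitted, which is the kind of gap that lets one-way UDP or ICMP traffic cross tenant boundaries even though the "deny inter-company traffic" intent was written down. The same check can be re-run as part of step 7 whenever a tenant is added, before anyone touches a production switch.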
When the Network Is Managed by a Third-Party Provider
In many shared office environments, the network infrastructure is managed by an external IT or Internet service provider. In this case, businesses and property management must establish clear contractual and operational boundaries to ensure security and compliance. The provider should deliver segmented VLANs or VPNs for each tenant, with strict access control and monitoring responsibilities defined in the Service Level Agreement (SLA). Property management should require periodic security audits, penetration testing, and configuration transparency reports from the provider to confirm that isolation and data protection measures remain effective. Businesses, in turn, should request per-tenant firewalls, separate authentication realms, and visibility into network logs related to their own traffic. By maintaining governance through policies and regular verification rather than direct control, both the property management and tenants can ensure that outsourced network management does not compromise their security posture or regulatory obligations.
Conclusion
Network segmentation is not just a technical requirement—it's a strategic enabler for businesses sharing infrastructure. It ensures each company retains autonomy, compliance, and protection while benefiting from shared resources. When properly implemented, it builds a secure foundation for trust, scalability, and collaboration across all organizational verticals.