Steps to Implementing a Zero Trust Network

Steps to a Zero Trust Network - Planning for Network Security Part 2

In my previous SecurityWeek column, I wrote about a variety of network security best practices that you should be planning for in 2014. One of the most fundamental is Zero Trust security segmentation.

Security segmentation has become more critical as organizations and architectures have evolved to become “flatter”. Technologies like cloud, Ethernet switch fabrics and software-defined networks make it easier to build expanded layer 2 networks, which in turn makes it easier to transport and deliver applications of different trust levels side by side. In the past, segmentation focused on compliance regulations such as HIPAA and PCI-DSS. Now we also have to consider the impact of globalization and the interdependencies of global supply chains, multinational partners and global economic interactions, and how to enable these connections yet segment them appropriately.

Zero Trust Security Segmentation

Zero Trust advocates for a segmented network, with security built into the architecture rather than added as an afterthought. It also advocates for some key principles built around the concept of “never trust, always verify”: inspect and log all traffic all the time, strictly enforce access control on a need-to-know basis, and ensure all resources are accessed in a secure manner.

The CTO of an information security organization in the Netherlands uses the analogy of the flood control systems in his country to describe Zero Trust segmentation. A combination of levees, dams and floodgates defend low-lying areas in the Netherlands against storm surges and floods from rivers like the Rhine and Meuse. Even if one levee is breached, the “breach” is contained to a specific area, a real-world representation of a Zero Trust network that can provide additional barriers against data exfiltration.

Complexity And The Wrong Technologies Are Barriers

So, what’s the problem? If segmentation helps improve your security posture, why aren’t organizations already segmenting their network? And if they are, why isn’t it working? There are several reasons. Organizations tend to fall into two categories – those who want to segment, but are worried about the complexities involved, and those who believe they are segmenting but are simply using the wrong technologies.

In the first case, organizations face the dilemma of where and how to start. There are also significant concerns about how to gain visibility without completely overhauling the network. After all, the business must continue to operate while security segmentation is put into place.

In the second case, organizations rely on technologies like VLANs and switch ACLs. These provide some degree of network isolation, but they lack the features needed to control access to privileged information and they cannot inspect traffic for threats.

True Zero Trust segmentation requires a security solution that not only provides visibility into applications, users and content, and can enforce on these attributes, but can also transparently integrate into the network without impacting routing and switching protocols. This means security appliances that can provide transparent, layer 1 integration to reduce compatibility issues and configuration risks with other adjacent network devices.

Steps To A Zero Trust Network

So, how do you start? The first step is to identify the data and applications you want to protect, and to map the transaction flows for those applications, including where, when and to what extent specific users use them. Critical data and applications include anything related to payment card information and credit card application access, healthcare-related information, and intellectual property. Armed with this information, IT teams can then deploy Zero Trust segmentation gateways in the appropriate parts of the network, with the right application, user and content policies, to establish trust boundaries.
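The following is an added example, not code from the column or from any vendor product it mentions. It turns the two steps above (map transaction flows, then derive application/user/content policies for the segmentation gateway) into working logic, and it also contrasts that policy with the subnet-based switch ACL criticized earlier in the column. All user groups, zones, addresses and flow records are constructed for illustration, the identity and application labels are assumed to have been resolved by the gateway, and the `min_count` threshold for turning an observed flow into a rule is an assumption of this example rather than anything the column prescribes.

```python
"""Added example (not from the column): build a Zero Trust allow-list from
mapped transaction flows and compare it with a subnet-based switch ACL.
Every name, zone, address and record below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str       # the only attribute a switch ACL can act on
    user_group: str   # identity resolved at the gateway (assumed directory lookup)
    app: str          # application identified by content inspection, not by port
    dst_zone: str     # segment holding the protected data


# Constructed baseline from the mapping step: who uses which application to
# reach which protected segment during normal business operation.
BASELINE = [
    Flow("10.1.20.5", "finance", "card-processing", "pci-zone"),
    Flow("10.1.20.6", "finance", "card-processing", "pci-zone"),
    Flow("10.1.30.9", "clinicians", "ehr", "phi-zone"),
    Flow("10.1.40.2", "engineering", "git", "ip-zone"),
    Flow("10.1.50.1", "it-ops", "ssh", "mgmt-zone"),
]


def map_transaction_flows(records):
    """Count observed (user group, app, zone) triples; these become the
    candidate trust boundaries the gateway will enforce."""
    return Counter((f.user_group, f.app, f.dst_zone) for f in records)


def build_policy(flow_map, min_count=1):
    """Allow-list of triples seen at least min_count times (assumed threshold).
    Everything else is denied by default: need-to-know, not reachability."""
    return {triple for triple, n in flow_map.items() if n >= min_count}


def switch_acl_decision(flow):
    """Legacy control: a switch ACL only knows addresses, so anything from
    the corporate 10.1.0.0/16 range reaches every zone."""
    return flow.src_ip.startswith("10.1.")


def zero_trust_decision(flow, policy, audit_log):
    """Enforce on user, application and destination, and log every decision
    (inspect and log all traffic all the time), not only the denials."""
    allowed = (flow.user_group, flow.app, flow.dst_zone) in policy
    audit_log.append(
        f"{'ALLOW' if allowed else 'DENY'} {flow.src_ip} {flow.user_group} "
        f"{flow.app} -> {flow.dst_zone}")
    return allowed


# Constructed test traffic: a normal finance session, a guest who obtained a
# corporate address reaching for card data, and a finance host using an
# unmapped application (RDP) toward health records, which is what lateral
# movement from a compromised workstation looks like on the wire.
TRAFFIC = [
    Flow("10.1.20.5", "finance", "card-processing", "pci-zone"),
    Flow("10.1.99.7", "guest", "card-processing", "pci-zone"),
    Flow("10.1.20.5", "finance", "rdp", "phi-zone"),
]


def compare(traffic=TRAFFIC, baseline=BASELINE):
    """Return (switch-ACL verdicts, Zero Trust verdicts, audit log) for the
    traffic, using a policy derived from the baseline flow map."""
    policy = build_policy(map_transaction_flows(baseline))
    log = []
    acl = [switch_acl_decision(f) for f in traffic]
    zt = [zero_trust_decision(f, policy, log) for f in traffic]
    return acl, zt, log


if __name__ == "__main__":
    acl_verdicts, zt_verdicts, audit = compare()
    for f, a, z in zip(TRAFFIC, acl_verdicts, zt_verdicts):
        print(f"{f.user_group:12} {f.app:16} -> {f.dst_zone:10} "
              f"switch-ACL={'allow' if a else 'deny':5} "
              f"zero-trust={'allow' if z else 'deny'}")
    print("\n".join(audit))
```

The subnet ACL passes all three sessions because every source sits in the corporate range, while the flow-derived policy passes only the mapped finance session and writes an audit line for each decision. In practice the baseline would come from the gateway's own traffic logs over an observation period, and the allow-list would be reviewed by the application owners before enforcement is switched on.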

Organizations that already have a good understanding of their transaction flows can map out the boundaries associated with high-risk users: for example, branch offices in “countries of interest”, guest access networks including wireless guest access, partner B2B extranet connections, and IT management systems.

As you evaluate your security strategy in 2014, consider Zero Trust as a means to substantially improve your defensive posture against modern cyber threats and more reliably prevent exfiltration of sensitive data.

Danelle is VP of Strategy and Marketing at SafeBreach. She has more than 15 years of experience bringing new technologies to market. Prior to SafeBreach, Danelle led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also responsible for security solutions at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. Patents. You can follow her at @DanelleAu.