Steps to a Zero Trust Network – Planning for Network Security Part 2
In my previous SecurityWeek column, I wrote about a variety of network security best practices that you should be planning for in 2014. One of the most fundamental is Zero Trust security segmentation.
Security segmentation has become more critical as organizations and architectures have evolved to become “flatter”. Technologies like cloud, Ethernet switch fabrics and software-defined networking make it easier to build large layer 2 domains, which in turn makes it easier to carry applications of different trust levels over the same network. In the past, segmentation focused on compliance regulations such as HIPAA and PCI DSS. Now we also have to consider globalization and the interdependencies of global supply chains, multinational partners and global economic interactions, and how to enable those connections while still segmenting them appropriately.
Zero Trust advocates for a segmented network, and security built into the architecture rather than an afterthought. It also advocates for some key principles built around the concept of “never trust, always verify” — inspect and log all traffic all the time, strictly enforce access control based on a need-to-know basis and ensure all resources are accessed in a secure manner.
The CTO of an information security organization in the Netherlands uses the analogy of the flood control systems in his country to describe Zero Trust segmentation. A combination of levees, dams and floodgates defend low-lying areas in the Netherlands against storm surges and floods from rivers like the Rhine and Meuse. Even if one levee is breached, the “breach” is contained to a specific area, a real-world representation of a Zero Trust network that can provide additional barriers against data exfiltration.
Complexity And The Wrong Technologies Are Barriers
So, what’s the problem? If segmentation helps improve your security posture, why aren’t organizations already segmenting their network? And if they are, why isn’t it working? There are several reasons. Organizations tend to fall into two categories – those who want to segment, but are worried about the complexities involved, and those who believe they are segmenting but are simply using the wrong technologies.
In the first case, organizations face a real dilemma about where and how to start. They also have significant concerns about how to gain visibility into their traffic without completely overhauling the network. After all, the business must continue to operate while segmentation is put in place.
In the second case, organizations rely on technologies like VLANs and switch ACLs. These provide some degree of network isolation, but they match only on addresses and ports: they cannot tie access to privileged information to the user or application involved, and they cannot inspect the traffic itself for threats.
True Zero Trust segmentation requires a security solution that provides visibility into applications, users and content, can enforce policy on those attributes, and can be inserted into the network transparently, without participating in or disrupting routing and switching protocols. In practice this means security appliances that can be deployed inline as a transparent “bump in the wire” (a layer 1 insertion), which reduces compatibility issues and configuration risk with adjacent network devices.
Steps To A Zero Trust Network
So, how do you start? Begin by identifying the data and applications you want to protect, then map the transaction flows for those applications: where, when and to what extent specific users access them. Critical data and applications include anything related to payment card information and credit card application access, healthcare information, and intellectual property. Armed with this information, IT teams can deploy Zero Trust segmentation gateways at the appropriate points in the network, with application, user and content policies that establish the trust boundaries.
Organizations that already understand their transaction flows can map out boundaries associated with high-risk users: for example, branch offices in “countries of interest”, guest access networks (including wireless guest access), partner B2B extranet connections, and IT management systems.
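The following is an added illustration, not code from the column or from any vendor product: it walks through the steps above in miniature. Constructed flow records stand in for the transaction mapping of step one; an allow-list policy keyed on source zone, destination zone, user group and application is derived from them; and each new flow is then evaluated both by that Zero Trust policy (default deny, content inspected, every decision logged) and by what an address-and-port ACL on a switch or VLAN boundary can express. The zone names, user groups, application labels and the `min_observations` threshold are all assumptions chosen for the example.

```python
"""Added example: derive a Zero Trust segmentation policy from mapped
transaction flows and compare its decisions with an address/port ACL.
All flows, zones, groups and thresholds below are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str          # trust boundary the flow enters from
    dst_zone: str          # trust boundary it is trying to reach
    user_group: str        # directory group of the authenticated user
    app: str               # application as identified by inspection, not by port
    dst_port: int
    content_verdict: str   # result of inline content inspection: "clean" or "threat"


PolicyKey = Tuple[str, str, str, str]  # (src_zone, dst_zone, user_group, app)

# Step 1: constructed records gathered while mapping who uses the payment
# application, from where, and how often. Not real traffic.
BASELINE_FLOWS: List[Flow] = [
    Flow("corp-users", "card-data", "finance", "payments-web", 443, "clean"),
    Flow("corp-users", "card-data", "finance", "payments-web", 443, "clean"),
    Flow("corp-users", "card-data", "finance", "payments-web", 443, "clean"),
    Flow("it-mgmt", "card-data", "dba", "ssh", 22, "clean"),
    Flow("it-mgmt", "card-data", "dba", "ssh", 22, "clean"),
    # A single marketing user reaching card data once: not an established transaction.
    Flow("corp-users", "card-data", "marketing", "payments-web", 443, "clean"),
]

# Flows arriving after the segmentation gateway is in place (also constructed).
NEW_FLOWS: List[Flow] = [
    Flow("corp-users", "card-data", "finance", "payments-web", 443, "clean"),   # legitimate
    Flow("corp-users", "card-data", "marketing", "payments-web", 443, "clean"), # wrong user group
    Flow("corp-users", "card-data", "finance", "ssh", 443, "clean"),            # SSH tunnelled over a permitted port
    Flow("it-mgmt", "card-data", "dba", "ssh", 22, "threat"),                   # right user/app, malicious payload
    Flow("guest-wifi", "card-data", "guest", "payments-web", 443, "clean"),     # guest network, denied by both
]


def map_transaction_flows(flows: List[Flow]) -> Dict[PolicyKey, int]:
    """Aggregate observed flows by (src zone, dst zone, user group, app) with counts."""
    return Counter((f.src_zone, f.dst_zone, f.user_group, f.app) for f in flows)


def build_policy(flow_map: Dict[PolicyKey, int], min_observations: int = 2) -> Set[PolicyKey]:
    """Allow-list only tuples seen often enough to count as an established business
    transaction (threshold is an assumption); everything else is denied by default."""
    return {key for key, n in flow_map.items() if n >= min_observations}


def zero_trust_decision(policy: Set[PolicyKey], flow: Flow) -> Tuple[str, str]:
    """Allow only a known (zone, zone, user, app) tuple carrying clean content.
    Returns (verdict, reason) so the caller can log every decision, allowed or not."""
    key = (flow.src_zone, flow.dst_zone, flow.user_group, flow.app)
    if key not in policy:
        return "deny", "no policy for this user/app between these zones"
    if flow.content_verdict != "clean":
        return "deny", "content inspection flagged a threat"
    return "allow", "matched policy and content clean"


def address_acl_decision(flow: Flow) -> str:
    """What a switch ACL or VLAN boundary can express: permit TCP/443 and TCP/22 into
    the card-data segment from the two internal zones. It sees neither the user,
    the application, nor the payload."""
    internal_zones = {"corp-users", "it-mgmt"}
    if flow.dst_zone == "card-data" and flow.src_zone in internal_zones and flow.dst_port in (443, 22):
        return "allow"
    return "deny"


def enforce(policy: Set[PolicyKey], flows: List[Flow]) -> Tuple[List[str], List[Flow]]:
    """Evaluate every flow under both models. Returns the full decision log (inspect and
    log all traffic) and the flows the ACL would have admitted but Zero Trust stops."""
    log: List[str] = []
    gaps: List[Flow] = []
    for f in flows:
        zt, reason = zero_trust_decision(policy, f)
        acl = address_acl_decision(f)
        log.append(f"{f.src_zone}->{f.dst_zone} user={f.user_group} app={f.app}/{f.dst_port} "
                   f"zt={zt} acl={acl} ({reason})")
        if acl == "allow" and zt == "deny":
            gaps.append(f)
    return log, gaps


if __name__ == "__main__":
    policy = build_policy(map_transaction_flows(BASELINE_FLOWS))
    for line in enforce(policy, NEW_FLOWS)[0]:
        print(line)
```

Three of the five new flows pass the address/port ACL but are denied by the Zero Trust policy: the wrong user group on a permitted port, a different application tunnelled over a permitted port, and a permitted user and application carrying a payload that inspection flagged. The guest-wifi flow is the only one both models stop, which is the limit of what address-based segmentation alone can do.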
As you evaluate your security strategy in 2014, consider Zero Trust as a means to substantially improve your defensive posture against modern cyber threats and more reliably prevent exfiltration of sensitive data.