Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Steps to Implementing a Zero Trust Network

Steps to a Zero Trust Network – Planning for Network Security Part 2

Steps to a Zero Trust Network – Planning for Network Security Part 2

In my previous SecurityWeek column, I wrote about a variety of network security best practices that you should be planning for in 2014. One of the most fundamental is Zero Trust security segmentation.

Security segmentation has become more critical as organizations and architectures have evolved to becoming “flatter”. Technologies like cloud, ethernet switch fabrics and software defined networks make it easier to design expanded layer 2 networks which enables easier transport and delivery of applications of different trust levels. Segmentation in the past focused on compliance regulations such as HIPAA and PCI-DSS. Now, we have to consider the impact of globalization and interdependencies on global supply chains, multinational partners and global economic interactions and how to enable, yet segment them appropriately.

Zero Trust Security SegmentationZero Trust advocates for a segmented network, and security built into the architecture rather than an afterthought. It also advocates for some key principles built around the concept of “never trust, always verify” — inspect and log all traffic all the time, strictly enforce access control based on a need-to-know basis and ensure all resources are accessed in a secure manner.

The CTO of an information security organization in the Netherlands uses the analogy of the flood control systems in his country to describe Zero Trust segmentation. A combination of levees, dams and floodgates defend low-lying areas in the Netherlands against storm surges and floods from rivers like the Rhine and Meuse. Even if one levee is breached, the “breach” is contained to a specific area, a real-world representation of a Zero Trust network that can provide additional barriers against data exfiltration.

Complexity And The Wrong Technologies Are Barriers

So, what’s the problem? If segmentation helps improve your security posture, why aren’t organizations already segmenting their network? And if they are, why isn’t it working? There are several reasons. Organizations tend to fall into two categories – those who want to segment, but are worried about the complexities involved, and those who believe they are segmenting but are simply using the wrong technologies.

In the first example, organizations are challenged with a massive dilemma on where and how to start. There are also significant concerns about how to gain visibility without completely overhauling their network. After all, the business must continue to operate while security segmentation approaches are put into place.

In the second example, organizations are using technologies like VLANs and switch ACLs which provide some degree of network isolation but without critical features needed to enforce control to privileged information and not able to inspect traffic for threats.

True Zero Trust segmentation requires a security solution that not only provides visibility into applications, users and content, and can enforce on these attributes, but can also transparently integrate into the network without impacting routing and switching protocols. This means security appliances that can provide transparent, layer 1 integration to reduce compatibility issues and configuration risks with other adjacent network devices.

Steps To A Zero Trust Network

So, how do you start? The first is to start by identifying the data and applications that you want to protect, and map the transaction flows for these applications, including where, when and to what extent specific users are using them. Critical data and applications include anything related to payment card information and credit card application access, healthcare related information, and intellectual property. Armed with this information, IT teams can then deploy Zero Trust segmentation gateways in appropriate parts of the network with the right application, user and content policies to establish trust boundaries.

Organizations that already have a good understanding of their transaction flows can map out boundaries that are associated to high-risk users. For example, branch offices in “countries of interest”, guest access networks including wireless guest access, partner B2B extranet connections, and IT management systems.

As you evaluate your security strategy in 2014, consider Zero Trust as a means to substantially improve your defensive posture against modern cyber threats and more reliably prevent exfiltration of sensitive data.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...