Steps to a Zero Trust Network – Planning for Network Security Part 2
In my previous SecurityWeek column, I wrote about a variety of network security best practices that you should be planning for in 2014. One of the most fundamental is Zero Trust security segmentation.
Security segmentation has become more critical as organizations and architectures have evolved to becoming “flatter”. Technologies like cloud, ethernet switch fabrics and software defined networks make it easier to design expanded layer 2 networks which enables easier transport and delivery of applications of different trust levels. Segmentation in the past focused on compliance regulations such as HIPAA and PCI-DSS. Now, we have to consider the impact of globalization and interdependencies on global supply chains, multinational partners and global economic interactions and how to enable, yet segment them appropriately.
Zero Trust advocates for a segmented network, and security built into the architecture rather than an afterthought. It also advocates for some key principles built around the concept of “never trust, always verify” — inspect and log all traffic all the time, strictly enforce access control based on a need-to-know basis and ensure all resources are accessed in a secure manner.
The CTO of an information security organization in the Netherlands uses the analogy of the flood control systems in his country to describe Zero Trust segmentation. A combination of levees, dams and floodgates defend low-lying areas in the Netherlands against storm surges and floods from rivers like the Rhine and Meuse. Even if one levee is breached, the “breach” is contained to a specific area, a real-world representation of a Zero Trust network that can provide additional barriers against data exfiltration.
Complexity And The Wrong Technologies Are Barriers
So, what’s the problem? If segmentation helps improve your security posture, why aren’t organizations already segmenting their network? And if they are, why isn’t it working? There are several reasons. Organizations tend to fall into two categories – those who want to segment, but are worried about the complexities involved, and those who believe they are segmenting but are simply using the wrong technologies.
In the first example, organizations are challenged with a massive dilemma on where and how to start. There are also significant concerns about how to gain visibility without completely overhauling their network. After all, the business must continue to operate while security segmentation approaches are put into place.
In the second example, organizations are using technologies like VLANs and switch ACLs which provide some degree of network isolation but without critical features needed to enforce control to privileged information and not able to inspect traffic for threats.
True Zero Trust segmentation requires a security solution that not only provides visibility into applications, users and content, and can enforce on these attributes, but can also transparently integrate into the network without impacting routing and switching protocols. This means security appliances that can provide transparent, layer 1 integration to reduce compatibility issues and configuration risks with other adjacent network devices.
Steps To A Zero Trust Network
So, how do you start? The first is to start by identifying the data and applications that you want to protect, and map the transaction flows for these applications, including where, when and to what extent specific users are using them. Critical data and applications include anything related to payment card information and credit card application access, healthcare related information, and intellectual property. Armed with this information, IT teams can then deploy Zero Trust segmentation gateways in appropriate parts of the network with the right application, user and content policies to establish trust boundaries.
Organizations that already have a good understanding of their transaction flows can map out boundaries that are associated to high-risk users. For example, branch offices in “countries of interest”, guest access networks including wireless guest access, partner B2B extranet connections, and IT management systems.
As you evaluate your security strategy in 2014, consider Zero Trust as a means to substantially improve your defensive posture against modern cyber threats and more reliably prevent exfiltration of sensitive data.
Danelle Au manages data center and service provider solutions at Palo Alto Networks. She brings more than 10 years of product and technical marketing experience in the security and networking market. Prior to Palo Alto Networks, Danelle led the product management and strategy efforts at Cisco for the TrustSec network access control solution and ASA 5500 Adaptive Security Appliance platforms. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP Communications Book, “Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office” and holds 2 U.S. Patents.Previous Columns by Danelle Au:Steps to Implementing a Zero Trust Network Planning for Network Security In 2014 The New Language Of A Highly Effective Cybersecurity LeaderGlobal Cybersecurity Collaboration: Challenges and Where We are TodayPractical Deployments of Security for SDN
Tags: INDUSTRY INSIGHTS