In recent months, we’ve talked a lot about segmentation and microsegmentation (see list of some posts below) and why segmentation is necessary to prevent data and application compromise. In this post, we’ll explore how zero trust changes the segmentation strategy and recommend the best way to right-size your implementation of zero trust segmentation without the hassles of traditional network segmentation, which have plagued the industry for years.
Zero trust has become a well-known methodology for protecting organizations’ data, applications, networks, users, and devices. Though there is little industry consensus on where to start with zero trust (the device? The user? The network? Applications?), most experts agree that the foundation of any zero trust project or program relies on accurate and up-to-date asset inventory, mapping, and understanding of data flows. Visibility and mapping should leverage continuous automation so that changes to the environment are captured immediately. Once you gain an understanding of what’s communicating on the network, how assets are communicating, and dependencies between them, it’s time to look at systems, infrastructure, and the environment around them. The key question is: what levels of controls are currently in use to enforce the protection of data and/or limit data loss?
Zero trust means that controls are configured to verify authentication and authorization attempts continuously. The best case is to require verification before any communication request is sent and prior to every receipt. Verification in a zero trust environment must be based on identity and context. “Identity” refers to a collection of cryptographic, immutable attributes of software and services. “Context” may be any number of attributes, such as user, geolocation, device posture, and the application and data, and connections are continually reassessed as any context changes.
In addition, zero trust is based on the principle of least privilege. This reduces the number of entities that can access sensitive data and helps hone security’s focus to a more manageable set of attack paths and potentially exploitable software and services.
Lastly, zero trust requires that policies are adaptive yet reliable in dynamic environments. The requirement is to control which communications are allowed on the network, but that control needs to rest on something stronger than addresses, ports, and protocols. Address-based information changes constantly in clouds and containers, and therefore creates more work when trying to map communications and enforce policies. Instability and ephemerality also mean an address-based security control plane is less dependable—it’s chasing after a moving target.
Strong, scalable security in dynamic networks
For the strongest security, organizations should seek other methods that are not environment-dependent. Abstracting the control plane away from the network reduces complexity and saves time (because policies don’t need to be altered constantly when the network does), and results in stronger, scalable security that is appropriate for today’s cloud- and container-based networking needs.
Said more succinctly, zero trust means bringing protection closer to the entities you’re trying to protect—data, servers, workloads. Taking an identity-based approach that allows only verified, legitimate, expected interactions to communicate provides greater control over your environment, whether that’s in the public cloud, in a container, on premises, or any combination of the aforementioned.
Building segmentation policies
Once you have your zero trust framework in place, it’s time to build your segmentation policies. Security and network teams can’t properly design policy if they don’t know what to protect. Zero trust lays the groundwork through its requirements for visibility, data mapping, continuous verification of access controls, least privilege, and adaptability. As zero trust’s purpose is to challenge traditional trust assumptions, building a segmentation plan on zero trust ensures that you will not only eliminate the insecurity of flat networks and reduce the number of network attack paths malicious actors can exploit, but you will gain segmentation that is demonstrable for audit and testing purposes.
By moving away from the typical switch-and-router firewall model of segmentation/microsegmentation to application-level segmentation, you will gain fine-grained control over your most sensitive data—the data attackers are targeting for exploit—without the complexity of network changes, new deployments, configuration changes, and the like. Since your control plane is now your applications and services, visibility, mapping, and protection remain in place even when network changes occur. From a policy perspective, the work required to build and apply app-centric segmentation policies is drastically reduced. From an enforcement point of view, you can now also close the loop on provable outcomes for the protection of sensitive data; it’s your applications and services, themselves, upon which policy is created, adjusted, tracked, and administered.
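As an added illustration (not code from the original post) of the contrast drawn above between address-based rules and identity- plus context-based policy, the following constructed Python sketch judges the same flow under both models; every service name, digest and address in it is made up, and the identity attributes stand in for whatever cryptographic workload identity a real platform provides.

```python
from dataclasses import dataclass, replace
from typing import Callable
# Constructed illustration (not from the post): one flow judged by an address-based rule
# and by an identity- plus context-based rule. Every name, digest and address is made up.

@dataclass(frozen=True)
class Identity:            # cryptographic, immutable workload attributes
    service: str           # logical service name
    binary_sha256: str     # digest of the running binary (placeholder value)
    signer: str            # who signed the image

@dataclass(frozen=True)
class Context:             # changes over time; re-checked on every request
    device_compliant: bool
    user_group: str

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    src: Identity
    dst: Identity
    ctx: Context

WEB = Identity("web-frontend", "sha256:aaaa", "ci-pipeline")
DB = Identity("orders-db", "sha256:bbbb", "ci-pipeline")
# Address-based rule: a (src_ip, dst_ip, dst_port) tuple, nothing more.
ADDRESS_ALLOW = {("10.0.1.5", "10.0.2.20", 5432)}

def address_policy_allows(flow: Flow) -> bool:
    return (flow.src_ip, flow.dst_ip, flow.dst_port) in ADDRESS_ALLOW

# Identity-based rule: verified source identity, destination service,
# and a context predicate evaluated on every request.
IDENTITY_ALLOW: list[tuple[Identity, str, Callable[[Context], bool]]] = [
    (WEB, "orders-db", lambda c: c.device_compliant and c.user_group == "staff"),
]

def identity_policy_allows(flow: Flow) -> bool:
    return any(flow.src == src and flow.dst.service == dst and ok(flow.ctx)
               for src, dst, ok in IDENTITY_ALLOW)

def evaluate(flow: Flow) -> dict[str, bool]:
    return {"address": address_policy_allows(flow), "identity": identity_policy_allows(flow)}

BASELINE = Flow("10.0.1.5", "10.0.2.20", 5432, WEB, DB, Context(True, "staff"))
MOVED = replace(BASELINE, src_ip="10.0.3.77")             # same workload, redeployed elsewhere
DRIFTED = replace(BASELINE, ctx=Context(False, "staff"))  # device posture fell out of compliance
UNKNOWN_BINARY = replace(BASELINE, src=replace(WEB, binary_sha256="sha256:cccc"))  # other binary, same address
```

Evaluating MOVED shows the address rule failing while the identity rule still holds; DRIFTED and UNKNOWN_BINARY show the reverse, where only the identity rule denies.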
At the end of the day, organizations' cybersecurity strategies aim to protect sensitive data and applications from a compromise that could lead to data breach. Eliminating flat networks through segmentation or microsegmentation is the best way to protect applications. Fortifying your segmentation plan with a zero trust foundation ensures that only verified assets can communicate on your networks. And implementing application-centric segmentation means that:
- Security control is as close to the entities you are trying to protect as possible
- Protection is not environment-dependent
- Policies can be applied uniformly across networking environments without any updates or architectural changes