At a theoretical level, implementing zero trust makes significant sense. Cybersecurity threats can come from anywhere—outside or inside the network—and can even start in one place and then move to another. Adopting a zero trust (“Never trust, always verify”) strategy can help you tamp down on application- and services-related vulnerabilities, thereby reducing friction for the rest of the organization. But despite its widespread use in cybersecurity circles, the term “zero trust” is not well understood—especially when it is applied to network segmentation or microsegmentation—and it’s up to security teams to explain why zero trust segmentation makes sense for the organization, especially if affected business unit leaders are wary of change.
Below, we’ve outlined the top business benefits of moving to a zero trust model for segmentation. They may alleviate fears of potential negative impacts (if you’re on the fence but looking for a more thorough way to secure data, applications, users, and hosts) and can be used to garner support from business colleagues.
One major blind spot many organizations have is knowing precisely what data they have, where it resides, and how it travels. After all, how can you secure it if you don’t know it exists? With the proliferation of mobile devices, IoT, and rapid and continuous deployment of new applications and services, IT and security teams are hard pressed to achieve 100 percent visibility (when using traditional address-based tools and techniques) on every data packet that traverses the network. With zero trust segmentation, however, any application or service that attempts to communicate is first identified, then assumed inherently untrustworthy, and automatically disallowed from communication unless its identity fingerprint is verified. In this way, security, IT, and networking teams can use zero trust to understand what’s already on the network and what’s trying to get there.
Further, because data flows are mapped in a zero trust-based approach to segmentation, security and operations teams gain better visibility into the distributed ecosystem and associated risks. And what business leader doesn’t like to hear about reduced risk?
Security practitioners’ biggest and longest-held fears of moving to and using the cloud are loss of visibility and lack of control. Despite the evolution in the security due diligence of cloud service providers (CSPs), workload security remains a shared responsibility between the CSP and the organization using the cloud. That said, there is only so much the organization can affect inside someone else’s cloud.
Zero trust segmentation, though, was tailor-made for any type of network—including public or hybrid clouds. Zero trust restricts communication by allowing only workloads verified by their identity fingerprint to communicate. Because zero trust segmentation is application workload centric (rather than perimeter or endpoint centric), security teams have greater control over the application workload itself. Any time a workload fails attribute recognition, it is disallowed from communicating, which means attackers have a much harder time achieving east-west (lateral) movement, the kind that’s so hard to detect in traditional network environments.
Pursuant to the points above, because zero trust segmentation is focused on the workload, it’s easier for security teams to identify and stop malicious data-based activity. A zero trust model continuously inspects workloads for deviations from the intended state and prevents those that are unverified from communicating anywhere on the system—to and from command-and-control, and between hosts, users, or applications (and any combination thereof). Any altered application or service, whether it’s a result of adversarial activity, misuse, or accident, is automatically untrusted until it can be verified again through a set of policies and controls (which may be automated or manual, depending on the tools in use). Additionally, even when verified and approved, communication is restricted to a “need-to-know” basis—in other words, access is locked down to only the users, hosts, or services that fundamentally require access.
This inherent distrust results in decreased breach potential and therefore decreased risk, not to mention lower costs for cleanup and mitigation (since there are fewer breaches to handle).
Every security pro knows that compliance ≠ security, yet that doesn’t eliminate the compliance burden. Auditors have the ear of executive teams, if for no other reason than that failed audits can lead to disruption and financial impact. Security teams, therefore, must play nicely in the audit sandbox.
Audits, for their part, aren’t meant to be the playground tattletale, but the reality is that IT audits, in particular, are focused on highlighting technology weaknesses. This means that any problems with data access or the systems that maintain them are subject to scrutiny. Anything security teams can do to shore up weaknesses before an audit occurs not only smooths the audit process but also ratchets up protection.
With zero trust segmentation in place, auditors (and others in the organization) achieve clearer insight into the data flows in the organization and can see how workloads are communicating—securely—throughout the network. Zero trust segmentation reduces the number of places and ways network communications can be exploited, and results in fewer negative audit findings and less remediation for the security team.
Today’s businesses strive to operate at lightning speed, and address- and port-based security controls can be contrary to those initiatives. Whenever a port is blocked or a host is shut down because of a possible intrusion, for instance, employees are unable to access data or services required to do their jobs. When a breach occurs, multiple disruptions accompany it. If the development team goes to deploy an app and security says, “No, stop. That’s insecure,” release is halted (and frustrations flare).
The ability to move continually forward and pivot on a dime is a highly coveted business goal, and zero trust segmentation allows that to happen because it works seamlessly in the background. Protection travels alongside the workload rather than sitting at the security “checkpoint” (i.e., perimeter), meaning that any blocking or disallowed communication is isolated and interruptions to speed and agility are limited. With zero trust segmentation, security is not constrained by static network constructs that slow it down.
Software and applications dominate business, and the formation of DevOps paved the pathway for today’s rapid development. The advent of containers and other dynamic, distributed development and staging environments has allowed DevOps teams to work even more efficiently but has introduced increased numbers of vulnerabilities that are near-impossible for security teams to manage with traditional controls.
In the past, security either tried to nose its way into the DevOps process or bolted protections onto already-deployed software, neither of which worked well. The problem with both approaches is translating application “speak” into network “speak”; too much manual intervention is required, which slows down what is meant to be an accelerated process.
Zero trust segmentation knocks out these issues by effectively enveloping applications in protection. As applications are deployed, they are assigned an identity fingerprint. Provided that fingerprint remains the same or matches that of an already-verified application, it is allowed to communicate freely. Changes or updates to the app don’t necessarily change the fingerprint—in the same way that a new outfit or visit to a new city doesn’t alter a person’s identity—which means that DevOps can conduct business as usual and not have to worry about security raining on their parade. In the sense that software and services create business opportunities, any approach security can adopt (such as zero trust) that tames tensions and aligns with business priorities—while introducing greater protection—is a win.
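The decision logic described above (default deny unless the identity fingerprint is verified, need-to-know rules between verified workloads, and a fingerprint that survives updates and address changes), as an added Python example that is not from the original article or any vendor product. The fingerprint attributes (service name plus signer), the class and function names, and the sample workloads are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    # Assumed attribute set; the article does not say what a fingerprint contains.
    name: str     # service name
    signer: str   # code-signing identity of the publisher
    version: str  # changes with every release
    ip: str       # changes whenever the workload is rescheduled

def fingerprint(w: Workload) -> str:
    """Identity from stable attributes only: version and address are excluded."""
    return hashlib.sha256(f"{w.name}\x00{w.signer}".encode()).hexdigest()

class SegmentationPolicy:
    def __init__(self):
        self.verified = set()  # fingerprints that passed verification
        self.rules = set()     # need-to-know (src_fp, dst_fp, port) tuples
    def verify(self, w: Workload) -> None:
        self.verified.add(fingerprint(w))
    def allow(self, src: Workload, dst: Workload, port: int) -> None:
        self.rules.add((fingerprint(src), fingerprint(dst), port))
    def decide(self, src: Workload, dst: Workload, port: int) -> str:
        s, d = fingerprint(src), fingerprint(dst)
        if s not in self.verified or d not in self.verified:
            return "deny: unverified identity"   # default deny
        if (s, d, port) not in self.rules:
            return "deny: no need-to-know rule"
        return "allow"

def demo() -> dict:
    # Constructed sample workloads and flows.
    web = Workload("web", "CN=Example Corp", "1.0", "10.0.1.5")
    db = Workload("db", "CN=Example Corp", "9.2", "10.0.2.7")
    report = Workload("report", "CN=Example Corp", "3.1", "10.0.3.9")
    policy = SegmentationPolicy()
    for w in (web, db, report): policy.verify(w)
    policy.allow(web, db, 5432)
    updated = replace(web, version="1.1", ip="10.0.9.40")  # redeployed release
    tampered = replace(web, signer="unsigned")             # altered binary
    return {
        "web->db": policy.decide(web, db, 5432),
        "updated web->db": policy.decide(updated, db, 5432),
        "tampered web->db": policy.decide(tampered, db, 5432),
        "report->db": policy.decide(report, db, 5432),
    }

if __name__ == "__main__": print(demo())
```

The redeployed `web` keeps its verdict despite a new version and IP address, while the altered copy and the verified but unauthorized `report` service are both denied, each for a different reason.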