Enterprise security teams have long been looking for more effective solutions to protect their cloud and data center environments. Once secured solely by perimeter-based technologies, today’s network environments are decidedly past the point of relying on controls at the edges. Out of this need to protect internal communication and east-west traffic arose the adaptation of traditional controls. Firewalls were moved inside the network to create microperimeters. The idea was that one great big “fence” around the outside of the network wasn’t enough, but using the same tools and techniques, enterprise security practitioners could create smaller “secure zones” within the network. Doing so would effectively limit how far network traffic could travel before needing to pass a security “checkpoint.” The concept was simple. Implementation was not.
The idea of microsegmentation—firewall rule-based microperimeters—caught on with security practitioners in a big way. Any practitioner worth their salt knows that flat networks mean trouble. Actually microsegmenting data, however, often proves more troublesome than it’s worth. While there is something to be said for “limiting the blast radius” of an internal breach or malware, the cost and people hours required to properly microsegment a network in the traditional sense often don’t support the limited benefits.
Translating app speak to network speak
One of the main problems with traditional microsegmentation projects is translating application speak (how applications function and communicate) into network speak (how networks send/receive data) so that security controls (based on network constructs) function. This is no small task; in today’s cloud and container environments, address-based information is unreliable as a security control since development teams can spin up or spin down an application or service in a matter of hours, changing the source data (e.g., IP address, port, or protocol) for the control decision.
IP address spoofing
Furthermore, address spoofing is a relatively trivial task for even a moderately skilled script kiddie. Attackers can hide in approved network traffic and the security team would be none the wiser. Piggybacking on approved IP addresses using approved protocols, attackers can move laterally across segments or subnets to their ultimate targets (generally data or applications) and remain undetected.
Application dependencies and policy compression
In today’s app-centric networks (whether on-premises or in the cloud), application dependencies are highly complex. Traditional microsegmentation requires security teams to understand access control lists, routing rules, and firewall rules. Changes to any one of these things could break functionality on a business-critical application and cause a major disruption that the security team now has to defend. As a result, to facilitate microsegmentation, many security organizations end up building thousands of policies, but doing so renders management of these policies unwieldy. To reduce the number of policies, security teams need to remove the fine-grained controls that make proper segmentation worthwhile.
Whatever microsegmentation is or isn’t, preventing lateral movement and malware propagation on the network is critical to protecting organizations from cyber criminals. Security teams need manageable ways to create secure zones within their networks, gain visibility into data flows, and place fine-grained controls around data-rich applications and workflows. And they need a way to do it that delivers a return on their investment (ROI) from both a time and cost standpoint. Even if traditional microsegmentation were the most effective security control in the security professional’s toolbox (it’s not), the barriers to entry are just too high for anyone but the largest, best-resourced organizations.
Zero trust microsegmentation is a method of applying application-level security controls that enforce the strictest least-privileged authentication and authorization for applications and services communicating in the hybrid cloud.
Microsegmentation typically refers to segmentation based on network constructs — IP addresses, ports, and protocols. In other words, security controls are based on the environment as opposed to the applications or services attackers are trying to exploit. With Zscaler, security is abstracted away from the network environment. It doesn’t matter where your apps and services are running because the environment isn’t the issue. The data is.
To alleviate the problem of compromised apps and services and malware propagation, Zscaler creates security policies that are tied to the cryptographic identity of the apps and services communicating on your networks. With Zscaler, the cryptographic identity (“fingerprint”) comprises 30 attributes, such as the SHA256 hash, UUID of the BIOS, file name, file path, product name, and version number. The data source for the fingerprint is what the software is rather than where it’s coming from or going to. This fingerprint results in policies that travel with the workload and won’t break if the environment changes. Software-based identity is the key to ensuring your workloads are malware resistant.
Another factor in the efficacy of Zscaler zero trust microsegmentation is our unique value proposition: a system of symmetrical validation of communications. No application, service, or host is allowed to send or receive communication unless it is positively verified by its fingerprint — every time it tries to communicate, and on both ends of the connection. Collectively, Zscaler’s software-defined application-level control coupled with least-privileged access and required symmetrical verification means that communications in your data center or cloud are fully protected against lateral movement and malware propagation.
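To make the identity-based, symmetrically validated model of the two paragraphs above concrete, here is an added Python illustration; it is not Zscaler's code or data format, and the attribute subset, the Host class and the sample workloads are constructed assumptions.

```python
import hashlib
import json

# Constructed illustration (not Zscaler's code or data format): policy keyed on
# software identity rather than on IP address, port or protocol.

def fingerprint(attrs):
    """Stable identity from what the software *is*: a hash over canonical JSON."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def software_attrs(binary, bios_uuid, file_path, product, version):
    """A few of the attribute kinds the page names; no network fields at all."""
    return {"sha256": hashlib.sha256(binary).hexdigest(), "bios_uuid": bios_uuid,
            "file_name": file_path.rsplit("/", 1)[-1], "file_path": file_path,
            "product": product, "version": version}

class Host:
    """A workload carrying its own outbound and inbound policy, keyed on fingerprints."""
    def __init__(self, attrs, may_send_to=(), may_receive_from=()):
        self.fp = fingerprint(attrs)
        self.may_send_to = set(may_send_to)
        self.may_receive_from = set(may_receive_from)

def connect(src, dst, src_ip="0.0.0.0", dst_ip="0.0.0.0"):
    """Symmetrical validation: the sender must verify the receiver's fingerprint
    AND the receiver must verify the sender's. The IP arguments are accepted
    only to show that they play no part in the decision."""
    return dst.fp in src.may_send_to and src.fp in dst.may_receive_from

# Constructed sample workloads (byte strings stand in for real executables).
web_attrs = software_attrs(b"web-server-v1", "1111-bios", "/opt/web/httpd", "web", "1.0")
db_attrs = software_attrs(b"database-v1", "2222-bios", "/opt/db/dbd", "db", "1.0")
web_fp, db_fp = fingerprint(web_attrs), fingerprint(db_attrs)
web = Host(web_attrs, may_send_to=[db_fp])
db = Host(db_attrs, may_receive_from=[web_fp])

def scenario_redeployed():
    """Same software brought up on new addresses: the policy travels with it."""
    return connect(web, db, src_ip="10.9.9.9", dst_ip="10.8.8.8")

def scenario_tampered():
    """Modified web binary on the 'approved' address: SHA256 differs, so deny."""
    bad = Host(software_attrs(b"web-server-TROJAN", "1111-bios", "/opt/web/httpd",
                              "web", "1.0"), may_send_to=[db_fp])
    return connect(bad, db, src_ip="10.0.0.5", dst_ip="10.0.0.6")

def scenario_one_sided():
    """Receiver has no inbound rule for web: one-sided approval is not enough."""
    return connect(web, Host(db_attrs))
```

The three scenarios show the page's claims in order: the same workload stays allowed after an address change, a changed binary is denied even from a previously approved address, and approval on only one end of the connection is never sufficient.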
As stated above, traditional microsegmentation is highly complex and unwieldy. Zero trust microsegmentation with Zscaler is simple; all policy recommendations are automatically generated based on the identity of your communicating software and can be applied (or removed) in one click. Users do not need to understand network traffic flows, and subnets do not need to be manually created. The fingerprints of your applications determine permissions, not network constructs. Finally, all application paths are mapped and exposed automatically, which means that you always have full view into your application topology and can easily report point-in-time risk. It doesn’t get much simpler than that.
Blog: How Microsegmentation Differs from Network Segmentation
Blog: Microsegmentation is Foundational to Cloud Security: Don't Get Spoofed
Datasheet: One-Click Zero Trust for Automated Microsegmentation (PDF)