Zero Trust Networks: Guide to Implementing Trusted Architecture in Remote Work Era

June 9, 2020


Predictably, now is the time to get cybersecurity right. COVID-19 has taught security leaders and IT decision-makers that traditional perimeter security is not enough to defend against attacks and breaches. Worryingly, a ForcePoint report reveals that attackers have a +90% success rate. In these turbulent times, the zero trust security model has become the long overdue conversation CIOs and CISOs have been avoiding. Traditional network security has several gaps — there are multiple entry points, insider threats are not factored in and cloud makes network security harder with API-driven changes, HashiCorp CTO Armon Dadgar posits.

A recent Tempered Networks study Network Security Revolution, based on a survey of 100 cybersecurity professionals at RSA Conference 2020 revealed 32% of IT pros believe achieving ‘defense in depth’ requires five or more network security components. RSA 2020 pegged zero trust as the biggest buzzword in security since blockchain. In addition, there’s significant vendor hype too about Zero Trust Network Access (ZTNA).

Leading cybersecurity veteran and former F5 CEO Jeff Hussey noted that long-term security trends include Zero Trust, and it’s a phrase that shouldn’t be taken lightly by IT teams. ZTNA and micro-segmentation are trending over Software-Defined Networking as a topic because of COVID-19, and we don’t think that will change or slow down anytime soon, he adds. Hussey’s company promises a solution that can deliver true Zero Trust Network Access (ZTNA) at scale, giving IT buyers defense-in-depth without expense-in-depth.

The 2020 Zero Trust Progress report predicts 72% of organizations will implement or plan to implement Zero Trust capabilities in 2020 to mitigate growing cyber risk. Key drivers for the shift to zero trust include a) data protection, b) breach prevention, c) the expanding IoT universe, d) the evolving compliance landscape and e) insider threat reduction. Gartner’s much-touted Market Guide for Zero Trust Network Access indicates that by 2022, 80% of new digital business applications will be accessed via ZTNA, indicating a significant uptake of identity-based access control solutions.



What Is Zero Trust Model

Zero Trust is not a technology, but a shift in approach to cybersecurity. The Zero Trust model was architected by John Kindervag, Principal Analyst at Forrester Research, who coined the term “Zero Trust” network architecture in 2010. Kindervag based the architecture on the premise that the trust model (based on underlying information security) itself is broken. “We needed a new model that allows us to build security into the DNA of the network itself,” he posited. Essentially, in the zero trust model, all traffic is deemed hostile.

Kindervag laid down 5 concepts to make zero trust architecture actionable:

  • All resources must be accessed in a secure manner
  • Access control is on a need-to-know basis
  • Don’t trust people, verify what they are doing
  • Inspect and log all traffic coming into the network for malicious activity
  • Design networks from the inside out

And then came the famed BeyondCorp, a cybersecurity architecture developed by Google in 2014 that forced organizations to rethink traditional perimeter defense and factor in the disparate environments, such as SaaS applications, cloud services and the growing number of devices brought within the perimeter. BeyondCorp’s approach shifted access control from a perimeter-based framework to individual devices and users.

Similar to Kindervag, security veteran Hussey shares that micro-segmentation, often called a “zero-trust model” of virtualized security, means that only necessary actions and connections are specifically enabled in a workload or application and everything else is blocked. It reduces the network attack surface by limiting east-west communication through the application of very granular security controls. This creates a Software-Defined Perimeter (SDP), regardless of whether it involves a virtual machine (VM), container, or function, which is not possible using traditional network segmentation techniques.


4 Pillars of Zero Trust Framework

Data Visibility and Device Inventory: Reduce the attack surface of the environment by identifying the flow of data and inventorying the devices, applications, and other software and hardware assets that access enterprise IT systems. Device inventory is important as it can help security teams track a device as it moves through its lifecycle.

Microsegmentation: Isolate applications and devices closer to the workload and set up micro perimeters using SDPs or other security tools such as NGFWs, containers, native APIs of the cloud fabric, etc. Microsegmentation is an essential part of zero trust networks and it entails moving the perimeter to workloads. For example, Palo Alto Networks uses physical and virtual next-gen firewalls to control application traffic while Cisco’s ACI uses switches to implement policies between groups of endpoints and applications within the endpoints.

Least-Privilege Access: The Zero Trust model hinges on securing identity by extending authentication and authorization to each session, with different users, admins and contractors each getting unique policies, defined and enforced from the cloud. Significant gains have been seen on this end as adoption of authenticator apps (Okta, Google) deepens enterprise-wide. This trend will also help in eliminating the user password surface area and pave the way for passwordless authentication.

Monitoring: Machine learning can be deployed to continuously monitor risk and trust and feed these metrics into a risk engine.
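The four pillars above (device inventory, microsegmentation, least-privilege access and continuous monitoring) and Kindervag's concepts (default-deny, need-to-know, verify rather than trust) come together in a policy decision point. The following is an added example, not code from the article or from any vendor it names, of a minimal zero trust policy engine: every access request is denied unless the device is inventoried and compliant, the user's role permits the action on that specific resource, and the risk score supplied by a monitoring engine is acceptable (with step-up authentication in the middle band). The device inventory, role policy, user roles and risk thresholds are all constructed for illustration.

```python
"""Minimal zero-trust policy engine: default deny, decide per request.

Added illustration. Inventory, policy and thresholds below are constructed.
"""
from dataclasses import dataclass

# Pillar 1: device inventory. Only enrolled devices are known; posture is tracked.
DEVICE_INVENTORY = {
    "lap-001": {"owner": "alice", "managed": True, "os_patched": True},
    "lap-002": {"owner": "bob", "managed": True, "os_patched": False},
}

# Pillar 3: least privilege. resource -> role -> actions allowed (need-to-know).
RESOURCE_POLICY = {
    "payroll-db": {"finance": {"read"}, "finance-admin": {"read", "write"}},
    "wiki": {"employee": {"read", "write"}},
}
USER_ROLES = {"alice": {"employee", "finance"}, "bob": {"employee"}}

# Pillar 4: thresholds applied to a risk score fed in by the monitoring engine (0..1).
RISK_DENY = 0.8
RISK_STEP_UP = 0.4


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    action: str
    mfa_verified: bool = False
    risk_score: float = 0.0   # supplied by the risk engine for this session


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision; every path that is not explicitly allowed denies."""
    # Verify the device before the user: unknown or non-compliant devices never get in.
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None:
        return Decision(False, "unknown device")
    if dev["owner"] != req.user:
        return Decision(False, "device not assigned to user")
    if not (dev["managed"] and dev["os_patched"]):
        return Decision(False, "device posture non-compliant")

    # Least privilege: the resource must be known and a held role must allow this action.
    roles_for_resource = RESOURCE_POLICY.get(req.resource)
    if roles_for_resource is None:
        return Decision(False, "unknown resource (default deny)")
    permitted = any(
        req.action in roles_for_resource.get(role, set())
        for role in USER_ROLES.get(req.user, set())
    )
    if not permitted:
        return Decision(False, "action not permitted for user's roles")

    # Continuous monitoring: high risk denies outright, moderate risk needs step-up MFA.
    if req.risk_score >= RISK_DENY:
        return Decision(False, "risk score too high")
    if req.risk_score >= RISK_STEP_UP and not req.mfa_verified:
        return Decision(False, "step-up authentication required")
    return Decision(True, "allowed")


if __name__ == "__main__":
    for r in (
        AccessRequest("alice", "lap-001", "payroll-db", "read", risk_score=0.1),
        AccessRequest("alice", "lap-001", "payroll-db", "write"),
        AccessRequest("bob", "lap-002", "wiki", "read"),
        AccessRequest("alice", "lap-001", "payroll-db", "read", risk_score=0.5),
    ):
        print(r.user, r.device_id, r.resource, r.action, "->", evaluate(r))
```

The ordering matters: device checks run before authorization so that a stolen credential on an unenrolled machine never reaches the policy lookup, and an unknown resource is a deny rather than a fall-through.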

Components of Zero Trust Framework

Despite the buzz, industry experts argue there’s no one end-to-end, comprehensive Zero Trust Network solution, though vendors such as Google (BeyondCorp), Cisco, Akamai and Palo Alto have made great strides in building Zero Trust based solutions.

So, what are the elements of pursuing a Zero Trust Network? Organizations have traditionally drawn on technologies like Identity and Access Management, Encryption, Multi-factor authentication, and next-gen firewalls as essential components for a long-term zero trust strategy. Rather than replacing existing solutions, a Zero Trust strategy can augment and complement other cybersecurity tools.

Morten Brøgger, CEO of Wire, a security-first collaboration company, notes that some critics argue that this transformation requires an entire rip and replace of the security network, while others believe small steps can be taken to deploy tools on top of the existing infrastructure.

“Whatever approach an organization takes, it should first develop its goals and roadmap to protect its mission-critical data. It’s important to comprehensively evaluate the user experience, by understanding who its users are, what apps and systems they are using, and what kinds of access they need. Given that employees are increasingly working across disparate and distributed teams, it’s also critical to ensure that access can be provided in both a controlled and compliant manner,” he noted.


How to Implement Zero Trust Network Architecture

In the current environment, zero-trust SDP will become a compelling paradigm for enabling secure remote access. “Organizations need to standardize remote access security for all users to reduce the risk of potential attacks,” writes Micha Rave, Senior Director of Zero Trust Product Management at Proofpoint. Meanwhile, Chris Carter, CEO of Approyo, shares that it is important to implement an encryption strategy that covers the entire infrastructure out to the edge.

While there’s no one playbook for companies building zero trust based network architecture, Microsoft’s Global CISO Bret Arsenault posited at RSA 2020 that zero-trust is a multi-year process for most companies, Microsoft included.


Industry experts lay down the following points for implementing zero trust architecture:

1. Make zero trust core to the strategy: Tempered CEO Jeff Hussey

Zero Trust Network Access (ZTNA) with a Software-Defined Perimeter should be at the core of this new strategy. You won’t have to rip and replace, but you will be able to securely overlay networks, bolster security posture, reduce hardware costs of brittle VPNs and reduce complexity of hundreds of lines of code by reducing traditional firewalls.

2. Understand the difference between segmentation and micro-segmentation

To effectively mitigate against modern cyberattacks, organizations need to understand the difference between segmentation and micro-segmentation. There are significant differences between the two approaches to isolating network resources, and they are not interchangeable. With micro-segmentation you can limit internal access to networks and assets to only the employees, vendors, and contractors that need to reach those assets. It reduces the network attack surface by limiting east-west communication through the application of very granular security controls. This creates a Software-Defined Perimeter (SDP), regardless of whether it involves a virtual machine (VM), container, or function, which is not possible using traditional network segmentation techniques.
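The difference between the two approaches is easiest to see on concrete flows. The following is an added example, not code from the article or from Tempered, that models a traditional segmentation policy (rules expressed subnet-to-subnet, so anything inside a VLAN can talk to anything else in it) beside a micro-segmentation policy (an explicit allow-list keyed by workload identity and port, everything else denied) and runs both over a handful of east-west flows. Workload names, addresses, subnets and rules are all constructed for illustration.

```python
"""Segmentation vs micro-segmentation, evaluated over sample east-west flows.

Added illustration; all workloads, addresses and rules are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed estate: web and app servers share one VLAN, the database sits in another.
WORKLOADS = {
    "web-1": "10.1.0.10",
    "web-2": "10.1.0.11",
    "app-1": "10.1.0.20",
    "db-1": "10.2.0.30",
}

# Traditional segmentation: rules are (source subnet, destination subnet, port or None=any).
# Intra-VLAN traffic is implicitly trusted, and the db rule cannot tell web from app.
COARSE_RULES = [
    (ip_network("10.1.0.0/24"), ip_network("10.1.0.0/24"), None),
    (ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), 5432),
]

# Micro-segmentation: explicit (source workload, destination workload, port) allow-list.
# Anything not listed is denied, including traffic between peers in the same VLAN.
MICRO_ALLOW = {
    ("web-1", "app-1", 8443),
    ("web-2", "app-1", 8443),
    ("app-1", "db-1", 5432),
}


def coarse_allows(src: str, dst: str, port: int) -> bool:
    """Subnet-based decision: allowed if any subnet rule covers both endpoints and the port."""
    s, d = ip_address(WORKLOADS[src]), ip_address(WORKLOADS[dst])
    return any(
        s in src_net and d in dst_net and (rule_port is None or rule_port == port)
        for src_net, dst_net, rule_port in COARSE_RULES
    )


def micro_allows(src: str, dst: str, port: int) -> bool:
    """Identity-based decision: allowed only if this exact workload pair and port is listed."""
    return (src, dst, port) in MICRO_ALLOW


# Constructed sample flows: (source, destination, destination port).
FLOWS = [
    ("web-1", "app-1", 8443),   # legitimate tier-to-tier call
    ("web-1", "db-1", 5432),    # web host reaching the database directly
    ("web-2", "web-1", 22),     # peer-to-peer SSH inside the web tier
    ("app-1", "db-1", 5432),    # legitimate database access
    ("db-1", "app-1", 8443),    # reverse direction, not needed by the application
]


def compare(flows):
    """Return (src, dst, port, coarse_decision, micro_decision) for each flow."""
    return [(s, d, p, coarse_allows(s, d, p), micro_allows(s, d, p)) for s, d, p in flows]


def blocked_only_by_micro(flows):
    """Flows that subnet segmentation lets through but micro-segmentation stops."""
    return [(s, d, p) for s, d, p in flows if coarse_allows(s, d, p) and not micro_allows(s, d, p)]


if __name__ == "__main__":
    for s, d, p, coarse, micro in compare(FLOWS):
        print(f"{s:>6} -> {d:<6} :{p:<5} segmentation={'allow' if coarse else 'deny':5} "
              f"micro-segmentation={'allow' if micro else 'deny'}")
```

The two flows that differ are exactly the east-west paths the article is concerned with: lateral movement between peers in the same VLAN, and a tier reaching a backend it has no business talking to because the subnet rule is too coarse to distinguish it from the tier that does.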

3. Leverage platform approach: Galeal Zino, CEO of NetFoundry

Rather than bespoke solutions, in which “networking security” constructs like SD-WAN, MPLS-WAN, VPN and firewalls are separate islands, IT can take a platform approach to business resiliency. For example, the various layers — from endpoint security to application security to networking security — can be unified by common identification, authentication and authorization policies, all centrally managed by IT, even though the apps are everywhere and anywhere.

4. Incorporate Software-Defined Perimeters (SDPs) to micro-segment: Tom Olzak, security researcher

Developed by the Cloud Security Alliance (CSA), the Software-Defined Perimeter (SDP) is a security framework that controls access based on identity rather than location. By incorporating an SDP strategy, organizations can effectively micro-segment. Olzak argues that a zero trust network enabled as an SDP can better manage attacks against user devices and lateral movement of malicious actors across networks once a user device is compromised.

This is done by assuming every network segment (home/public networks, public hotspots, cloud services, and internal networks) is hostile. All sessions require point-to-point encryption between the user/device and a workload. The user or device must authenticate to workloads after controller approval and trust level assessment. In addition to user authentication, all devices must also authenticate.

5. Leveraging cloud-native SDP to fight attacks: Micha Rave, Senior Director of Zero-Trust Product Management, Proofpoint

The cloud-native SDP allows the administrator to define granular, identity-based access policies for applications, services or subnets within each cloud. All access is logged and includes a fixed user-device identity for comprehensive analytics and auditing. For employees accessing the network remotely, there is no reason to compromise on internet security. The SDP’s use of split tunneling in the cloud directs internet traffic through a network security stack of the administrator’s choice that is delivered in the cloud to provide complete protection against attacks, including man in the middle attacks.
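Points 4 and 5 describe the same control flow: a controller that authenticates both the user and the device, assesses a trust level, and only then authorizes a session to a specific workload, with a gateway in front of that workload admitting nothing else and logging every decision against a fixed user-device identity. The following is an added example, not code from the article, from the CSA SDP specification or from Proofpoint, of that exchange in miniature. It assumes the controller and gateway share a signing key distributed out of band, that a device is identified by a certificate fingerprint held in an inventory, and that the grant is an HMAC-signed claim set; the user, device, workload policy and credentials are constructed for illustration, and the SHA-256 password digest stands in for a real credential store.

```python
"""SDP-style controller and workload gateway (added illustration, constructed data)."""
import base64
import binascii
import hashlib
import hmac
import json

# Assumption: shared between controller and gateways out of band.
CONTROLLER_KEY = b"constructed-controller-signing-key"
GRANT_TTL_SECONDS = 300

# Constructed identity stores. In practice the password would be stored with a
# proper password hash (scrypt/argon2); SHA-256 here only keeps the example short.
USERS = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}
DEVICES = {
    "devfp-aaaa": {"owner": "alice", "posture": "compliant"},
    "devfp-bbbb": {"owner": "alice", "posture": "unpatched"},
}
# Which users may reach a workload and the minimum device trust level required.
WORKLOAD_POLICY = {"payroll-api": {"users": {"alice"}, "min_trust": 2}}

ACCESS_LOG = []  # every gateway decision, with the user-device identity when known


def trust_level(device: dict) -> int:
    """Trust assessment from device posture; constructed two-level scale."""
    return 2 if device["posture"] == "compliant" else 1


def sign_grant(claims: dict, key: bytes = CONTROLLER_KEY) -> str:
    """Serialize claims and sign them; format is base64url(body).base64url(hmac)."""
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(body).decode()}.{base64.urlsafe_b64encode(sig).decode()}"


def controller_authorize(user, password, device_fp, workload, now):
    """Controller: authenticate user AND device, assess trust, then issue a short-lived
    grant bound to (user, device, workload). Returns None on any failure."""
    expected = USERS.get(user)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    device = DEVICES.get(device_fp)
    if device is None or device["owner"] != user:
        return None                      # device must be enrolled and belong to this user
    policy = WORKLOAD_POLICY.get(workload)
    if policy is None or user not in policy["users"] or trust_level(device) < policy["min_trust"]:
        return None                      # need-to-know plus minimum device trust
    claims = {"sub": user, "dev": device_fp, "aud": workload, "exp": int(now) + GRANT_TTL_SECONDS}
    return sign_grant(claims)


def gateway_check(token, workload, now, peer="unknown"):
    """Gateway in front of a workload: default deny; admit only a valid grant for this
    workload, and log every decision with the user-device identity from the grant."""
    def log(allowed, reason, claims=None):
        ACCESS_LOG.append({
            "ts": int(now), "workload": workload, "peer": peer,
            "user": claims["sub"] if claims else None,
            "device": claims["dev"] if claims else None,
            "allowed": allowed, "reason": reason,
        })
        return allowed

    if not token:
        return log(False, "no grant presented")
    try:
        b64body, b64sig = token.split(".")
        body = base64.urlsafe_b64decode(b64body)
        sig = base64.urlsafe_b64decode(b64sig)
    except (ValueError, binascii.Error):
        return log(False, "malformed grant")
    if not hmac.compare_digest(sig, hmac.new(CONTROLLER_KEY, body, hashlib.sha256).digest()):
        return log(False, "bad signature")
    claims = json.loads(body)
    if claims.get("aud") != workload:
        return log(False, "grant is for a different workload", claims)
    if int(now) > claims.get("exp", 0):
        return log(False, "grant expired", claims)
    return log(True, "allowed", claims)


if __name__ == "__main__":
    grant = controller_authorize("alice", "alice-pw", "devfp-aaaa", "payroll-api", now=1000)
    print("grant issued:", grant is not None)
    print("gateway admits within TTL:", gateway_check(grant, "payroll-api", now=1100, peer="203.0.113.7"))
    print("gateway admits after TTL:", gateway_check(grant, "payroll-api", now=1400, peer="203.0.113.7"))
    print(json.dumps(ACCESS_LOG, indent=1))
```

Two properties carry the zero trust intent: the gateway never consults the user store itself, so a client with no grant gets nothing but a logged denial, and the grant names the workload it was issued for, so approval to reach one service cannot be replayed against another.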

6. Evaluate SDP based on the model: Tom Olzak

Emerging SDP solutions support one or more of the four popular models: BeyondCorp, CARTA, ZTX, and the Cloud Security Alliance SDP model, and all of these models achieve zero trust. During vendor evaluation, understand how the ZTNA addresses the model. By 2030, networks will be software-defined at every level from the radio to the application, and every function will be a software process.


Wrapping Up

Implementing a zero-trust network architecture is an iterative process and requires networking and security teams to work in tandem. While some organizations may have a high risk tolerance, sectors like healthcare and financial services are at a higher risk. Shifting employees home en masse has led to challenges in providing secure access to sensitive data.

Healthcare and financial services are wading in uncharted waters and need to establish a robust security architecture underpinned by strong identity management, multi-factor authentication, network segmentation and access controls. Meanwhile, the increased use of personal devices can also pose data privacy challenges, specifically for financial and healthcare data.

Carter says one of the top ways to fight back against insider threats is to bring on solutions and software that will monitor the keystrokes of your employees. “Most employees do not have a clue about what is on their laptops when they’re working from home or from a remote location. Tracking their work habits to see what documentation they bring down from the corporate servers to their laptops can be a vital way to secure your organization,” he said.


Richa Bhatia

Editor-in-Chief, Spiceworks Ziff Davis

Richa Bhatia has more than ten years of experience as a journalist and editor and specializes in working with B2B technology companies involved in data analytics, cloud computing and cybersecurity. Before joining Toolbox in 2019, she spent more than five years as a senior correspondent in the Times of India and The Indian Express. Richa holds a Bachelor's degree in Mass Media and Journalism from the University of Mumbai.