Understanding Zero Trust Network Security

March 16, 2020


Zero trust networking is a simple concept: Don’t ever assume a device is safe.

The traditional approach to network security is to secure the perimeter and trust everything that has passed the checkpoint. This is like a moat surrounding a castle. Everything outside the castle is potentially dangerous, but once you're inside the walls, everything is assumed to be safe.

The problem with the traditional approach is that there are too many ways to get inside the perimeter: the trojan horse of the castle metaphor is a phished laptop, a compromised contractor account or a stolen credential, and once it is inside, a flat network lets it roam freely. The castle is never fully secure, even when you're inside. That's the premise behind zero trust networking.

What this means in practice is that nothing is trusted by default. Every device, user and data flow is authenticated and monitored in real time. Zero trust advocates achieve this by segmenting the network into a series of smaller, nested moats and by building security into every part of the network fabric, including strictly enforced access controls granted on a need-to-know basis.

For the most part, zero trust network security does a good job of limiting what an intruder can do once past the perimeter. But it isn't easy to pull off.

“Unlike other security tactics implemented over the last couple of decades, it actually works,” notes Jay Barbour, director of security product management for software-defined network security firm Masergy. “It’s not easy, but as organizations work to address security issues, it’s the best approach. It will ultimately better safeguard businesses for the future.”

The Importance of Network Segmentation

Zero trust network security starts with trust zones.

“Trust zones are comprised of distinct pockets of infrastructure that have resources that operate at the same trust level and similar functionality,” explains Bill Conner, CEO of network security firm SonicWall. “This could be elements such as protocols and types of transactions which will minimize the pathways and limit malicious threats.”

The purpose of these trust zones is to ensure that no security incident travels very far across the network. If there is a breach, it is largely contained within its own segment. The boundaries between segments also give enterprise IT a natural place to monitor traffic and enforce access control, which further improves security.

“By defining trust boundaries, enterprises are able to granularly control traffic flow, which creates secure network access and implements network monitoring,” notes Conner.

Authentication at All Times

The second leg of a zero trust networking approach is identifying and authenticating every device and user on every request.

Rooted in the principle of “never trust, always verify,” zero trust applies precise identity verification to every person or entity attempting to access a network resource, regardless of whether the request originates from a desk inside the office network or from a remote location. This helps enterprise security teams spot entities that should not be on the network, and better understand the expected behavior of each person and device.

“Sound access control policies are a great first step to a zero trust environment,” suggests Larry Lunetta, vice president of WLAN and security solutions marketing for network security firm Aruba.
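The two legs above, segmentation into trust zones and per-request verification, come together in a policy decision point that evaluates every access request from scratch. The following is an added example written for this article; it is not code from the original page or from any of the vendors quoted in it. The zone names, posture attributes, role names and the one-hour session limit are assumptions made for illustration. Its point is that there is no “inside”: a request is checked against device posture, user authentication, segment adjacency and need-to-know, and the default answer is deny.

```python
"""Minimal zero trust policy decision point (PDP).

Added example, not code from the original article or any vendor quoted in it.
Zone names, posture attributes, roles and the session limit are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool   # enrolled and carrying a known device identity
    patched: bool   # posture signal from an endpoint agent (assumed)
    zone: str       # trust zone the device is currently connected to


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool   # for workloads: strongly authenticated identity


@dataclass(frozen=True)
class Resource:
    name: str
    zone: str
    allowed_roles: frozenset   # need-to-know: roles that may touch it at all


# Trust-zone adjacency (constructed): user devices on corp-wifi may reach the
# application zone, application servers may reach the database zone, and
# nothing else is routable. Absence from this set means "no path".
ALLOWED_FLOWS = {("corp-wifi", "app"), ("app", "db")}
MAX_SESSION_AGE_S = 3600   # assumption: re-authenticate at least hourly


def decide(principal, device, resource, session_age_s):
    """Evaluate one access request. Returns (allowed, reason); default deny."""
    if not device.managed:
        return False, "unmanaged device"
    if not device.patched:
        return False, "device fails posture check"
    if not principal.mfa_verified:
        return False, "MFA not verified"
    if session_age_s > MAX_SESSION_AGE_S:
        return False, "stale session, re-authenticate"
    if (device.zone, resource.zone) not in ALLOWED_FLOWS:
        return False, f"no path from zone {device.zone} to zone {resource.zone}"
    if not (principal.roles & resource.allowed_roles):
        return False, "role not permitted on resource"
    return True, "allowed"


# Constructed sample entities.
ALICE = Principal("alice", frozenset({"hr-analyst"}), mfa_verified=True)
BOB = Principal("bob", frozenset({"sales"}), mfa_verified=True)
SVC = Principal("hr-portal-svc", frozenset({"hr-portal-svc"}), mfa_verified=True)
LAPTOP = Device("lt-0412", managed=True, patched=True, zone="corp-wifi")
UNPATCHED = Device("lt-0412", managed=True, patched=False, zone="corp-wifi")
APP_SERVER = Device("srv-app-3", managed=True, patched=True, zone="app")
HR_PORTAL = Resource("hr-portal", "app", frozenset({"hr-analyst", "hr-admin"}))
HR_DB = Resource("hr-db", "db", frozenset({"hr-portal-svc", "dba"}))


def scenarios():
    """Run a handful of requests; each entry is (label, allowed, reason)."""
    return [
        ("analyst -> portal", *decide(ALICE, LAPTOP, HR_PORTAL, 300)),
        ("analyst -> db direct", *decide(ALICE, LAPTOP, HR_DB, 300)),
        ("app server -> db", *decide(SVC, APP_SERVER, HR_DB, 300)),
        ("sales -> portal", *decide(BOB, LAPTOP, HR_PORTAL, 300)),
        ("analyst, stale session", *decide(ALICE, LAPTOP, HR_PORTAL, 7200)),
        ("analyst, unpatched device", *decide(ALICE, UNPATCHED, HR_PORTAL, 300)),
    ]


if __name__ == "__main__":
    for label, allowed, reason in scenarios():
        print(f"{label:28s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Note that the analyst's laptop is denied direct access to the database zone even though the user is legitimate and the device is healthy: the segmentation design says there is no path from corp-wifi to db, and the policy engine enforces that on every request rather than trusting the device because it is already on the internal wireless network.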

Centralized Monitoring

The last major component of zero trust networking is monitoring all network activity in real time for suspicious or unexpected behavior. If everything is suspect, everything should be monitored.

“Even with rigorous segmentation and zero trust architectures, attacks can still happen,” notes Barbour. “Therefore, ongoing monitoring of sensitive systems in zero trust environments is still needed to detect incidents early.”

That requires a centralized security management solution.

“Management infrastructure allows organizations to efficiently monitor the network via centralized management capabilities, allowing data to be processed by tools that will enhance visibility and detect unknown threats to support compliance reporting,” explains Conner.

This monitoring extends beyond the network to application access. By fully authenticating, recording and auditing each application session, enterprises can enforce access at the application layer as well, according to Conner. That shrinks the attack surface: enforcement is distributed to every segment and application, while centralized security management retains a single view of the whole network.
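Segmentation and per-request policy are only as good as the enforcement points that implement them, which is why Barbour's point about ongoing monitoring matters. The following is an added example, written for this article and not taken from the original page or from any vendor quoted in it. It assumes every enforcement point (segment firewall, application proxy, identity gateway) ships one JSON line per access decision to a central collector; the log lines, field names, zone names and thresholds are constructed for the example. It raises two alerts a practitioner would want: an allowed flow between zones that the segmentation design says have no path (a misconfigured or bypassed enforcement point), and a burst of denies from a single device (something inside a segment feeling for a way out).

```python
"""Central monitoring over zero trust access-decision telemetry.

Added example, not code from the original article or any vendor quoted in it.
Log lines, field names, zones and thresholds below are constructed.
"""
import json
from collections import defaultdict

# Segment adjacency the enforcement points are supposed to implement.
ALLOWED_FLOWS = {("corp-wifi", "app"), ("app", "db")}
DENY_THRESHOLD = 3   # denies from one device within WINDOW_S raise an alert
WINDOW_S = 60

# Constructed sample telemetry: one JSON object per line, as a collector
# would receive it from the enforcement points.
SAMPLE_LOG = """\
{"ts": 100, "device": "lt-0412", "src_zone": "corp-wifi", "dst_zone": "app", "resource": "hr-portal", "verdict": "allow"}
{"ts": 105, "device": "lt-0412", "src_zone": "corp-wifi", "dst_zone": "db", "resource": "hr-db", "verdict": "deny"}
{"ts": 110, "device": "lt-0412", "src_zone": "corp-wifi", "dst_zone": "db", "resource": "fin-db", "verdict": "deny"}
{"ts": 130, "device": "lt-0412", "src_zone": "corp-wifi", "dst_zone": "db", "resource": "crm-db", "verdict": "deny"}
{"ts": 200, "device": "srv-app-3", "src_zone": "app", "dst_zone": "db", "resource": "hr-db", "verdict": "allow"}
{"ts": 210, "device": "lt-0999", "src_zone": "db", "dst_zone": "corp-wifi", "resource": "lt-0412", "verdict": "allow"}
{"ts": 400, "device": "lt-0412", "src_zone": "corp-wifi", "dst_zone": "db", "resource": "hr-db", "verdict": "deny"}
"""


def parse(log_text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def analyse(events):
    """Return alerts as (kind, device, ts) tuples, in time order."""
    alerts = []
    deny_times = defaultdict(list)   # device -> deny timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        flow = (ev["src_zone"], ev["dst_zone"])
        # The segmentation design says no path exists between these zones,
        # yet an enforcement point allowed the flow: policy is not being applied.
        if ev["verdict"] == "allow" and flow not in ALLOWED_FLOWS:
            alerts.append(("enforcement_gap", ev["device"], ev["ts"]))
        if ev["verdict"] == "deny":
            recent = deny_times[ev["device"]]
            recent.append(ev["ts"])
            # Slide the window: drop denies older than WINDOW_S.
            while ev["ts"] - recent[0] > WINDOW_S:
                recent.pop(0)
            if len(recent) >= DENY_THRESHOLD:
                alerts.append(("probing", ev["device"], ev["ts"]))
                recent.clear()   # one alert per burst, not one per extra deny
    return alerts


if __name__ == "__main__":
    for kind, device, ts in analyse(parse(SAMPLE_LOG)):
        print(f"t={ts:<4} {kind:16s} device={device}")
```

On the constructed log, lt-0412 is flagged for probing at t=130 after three denied attempts to reach the database zone within a minute, while its isolated deny at t=400 is not enough to alert. The allowed flow at t=210 from the db zone back to corp-wifi is flagged as an enforcement gap regardless of the logged verdict, because the segmentation design never permits that direction; this is the kind of gap that only centralized monitoring, comparing what enforcement points actually did against what the architecture says they should do, can catch.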

Zero Trust is a Journey, Not a Destination

While zero trust networking is one of the most effective means of limiting the damage a security incident can do, getting there isn't easy. No single vendor solution gets a business there, and legacy infrastructure is a major impediment.

“Expecting to reach a zero trust state with all the legacy infrastructure is not practical,” says Lunetta. “Organizations should focus on a framework like the NIST Zero Trust Architecture and view zero trust not as a current destination, but as a goal that can be reached incrementally.”

The journey starts with understanding the business's assets and the threats against them, then building out zero trust incrementally as infrastructure is replaced and new technology is introduced.

“First and most important is to understand your assets, then build a good threat model,” explains Vladimir Dashchenko, head of the ICS CERT Vulnerability Research Team at security vendor Kaspersky Lab. “Only after that can businesses decide if one or another technology is needed or not.”

Zero trust networking is as much a holy grail as it is a practical reality. Some businesses are there already, but most are not. That’s less important than moving in the right direction.

Peter Kowalke

Tech Writer

Peter is a journalist and editor who has been covering business, technology and lifestyle trends for more than 20 years. When not writing, he runs Kowalke Relationship Coaching. You can contact him at PeterKowalke.com.