The National Security Agency (NSA) of the United States has provided its guidelines for Zero Trust network security this week, offering a more concrete roadmap towards Zero Trust adoption. It is an important effort to try to bridge the gap between desire and implementation of the concept.
As businesses move more and more workloads to the cloud, Zero Trust Computing strategies have moved from hype to enjoying the status of an essential security approach. But even so, the notion of “not trusted until verified” is still slow to catch on in the real world (although in some areas, such as the United Arab Emirates, Zero Trust adoption is accelerating).
John Kindervag, who first defined the term “zero trust” in 2010 while an analyst at Forrester Research, welcomed the NSA’s move, noting that “very few organizations have understood the importance of network security controls in creating zero-trust environments, and this document goes a long way toward helping organizations understand their value.”
It will also “greatly help various organizations around the world more easily understand the value of network security controls and make it easier to create and operate zero-trust environments,” says Kindervag, who joined Illumio last year as a leading evangelist, where he continues to promote the concept of zero trust.
Zero Trust Centers on Network Segmentation
The NSA document contains many recommendations on Zero Trust best practices, including, crucially, segmenting network traffic to prevent adversaries from moving around a network and gaining access to critical systems.
The concept isn’t new: IT departments have been segmenting their enterprise network infrastructure for decades, and Kindervag has been advocating network segmentation since his original Forrester report, which stated that “all future networks will need to be segmented by default.”
However, as Carlos Rivera and Heath Mullins of Forrester Research said in a report last autumn, “No single solution can provide all the capabilities needed for an effective Zero Trust architecture. Gone are the days when enterprises lived and operated within the confines of a traditional perimeter-based network defense.”
In the age of clouds, zero trust is exponentially more complex to achieve than before. Perhaps this is why fewer than a third of respondents to Akamai’s 2023 State of Segmentation Report, released last fall, said they had segmented more than two critical business areas over the past year.
To ease some of the pain, the NSA explains how to perform network segmentation checks through a series of steps, including mapping and understanding data flows and implementing software-defined networking (SDN). Each step will require a lot of time and effort to understand which parts of an enterprise network are at risk and how best to protect them.
“The important thing to keep in mind with Zero Trust is that it is a journey and something that needs to be implemented using a methodical approach,” cautions Garrett Weber, field CTO of Akamai’s Enterprise Security Group.
Weber also notes that there has been a shift in segmentation strategies. “Until recently, implementing segmentation was too difficult to do with hardware alone,” he says. “Now, with the move to software-based segmentation, we see organizations being able to achieve their segmentation goals much more easily and efficiently.”
Go further with network micro-segmentation
The NSA document also distinguishes between macro- and micro-segmentation of networks. The former controls traffic that moves between departments or workgroups, so that an IT worker does not have access to, for example, HR servers and data.
Micro-segmentation further separates traffic, so that not all employees have the same data access rights unless explicitly requested. “This involves isolating users, applications, or workflows into individual network segments to further reduce the attack surface and limit the impact in the event of a breach,” according to the Akamai report.
Security managers “should take steps to use micro-segmentation to focus on their applications, to ensure that attackers cannot bypass controls, subvert single sign-on access using side-loaded accounts, or find ways to expose data to external users,” says Brian Soby, CTO and co-founder of AppOmni.
This helps define security controls based on what is needed for each particular workflow, as outlined in Akamai’s report. “Segmentation is good, but microsegmentation is better,” the authors said.
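To make the macro/micro distinction concrete, here is an added example (not code from the NSA document, Akamai or the article) of a default-deny segmentation policy checker: the macro layer gates traffic between departments, the micro layer gates individual workload-to-workload flows, and anything not explicitly allowed is denied. All hosts, segments, ports and flows below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Host:
    name: str
    department: str   # macro segment (department or workgroup)
    workload: str     # micro segment (individual application/workload)

# Macro policy: department pairs allowed to exchange traffic at all (constructed).
MACRO_ALLOW = {("IT", "IT"), ("HR", "HR"), ("HR", "IT")}

# Micro policy: (src workload, dst workload, port) tuples explicitly allowed (constructed).
MICRO_ALLOW = {
    ("hr-app", "hr-db", 5432),
    ("hr-app", "it-logging", 514),
    ("it-jump", "it-logging", 22),
}

def evaluate(src: Host, dst: Host, port: int) -> tuple[str, str]:
    """Default deny: a flow passes only if both the macro and the micro policy allow it."""
    if (src.department, dst.department) not in MACRO_ALLOW:
        return "deny", "macro: cross-department flow not permitted"
    if (src.workload, dst.workload, port) not in MICRO_ALLOW:
        return "deny", "micro: workload/port pair not permitted"
    return "allow", "explicitly permitted"

def blocked_only_by_micro(flows: Iterable[tuple[Host, Host, int]]) -> list[tuple[str, str, int]]:
    """Flows that macro-segmentation alone would pass but micro-segmentation stops,
    i.e. lateral movement inside one department."""
    out = []
    for src, dst, port in flows:
        verdict, reason = evaluate(src, dst, port)
        if verdict == "deny" and reason.startswith("micro"):
            out.append((src.name, dst.name, port))
    return out

# Constructed sample hosts and observed flows
HR_APP = Host("hr-app-01", "HR", "hr-app")
HR_DB = Host("hr-db-01", "HR", "hr-db")
HR_WS = Host("hr-laptop-07", "HR", "hr-user")
IT_JUMP = Host("it-jump-01", "IT", "it-jump")
IT_LOG = Host("it-log-01", "IT", "it-logging")

SAMPLE_FLOWS = [
    (HR_APP, HR_DB, 5432),   # app to its own database: allowed
    (HR_WS, HR_DB, 5432),    # user laptop straight to the HR database: macro passes, micro denies
    (IT_JUMP, HR_DB, 22),    # IT jump host into HR: macro denies
    (HR_APP, IT_LOG, 514),   # syslog to central logging: allowed across departments
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        print(src.name, "->", dst.name, port, *evaluate(src, dst, port))
    print("stopped only by micro-segmentation:", blocked_only_by_micro(SAMPLE_FLOWS))
```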
This may be a complex undertaking, but it’s worth the effort: In Akamai’s report, researchers found that “perseverance pays off. Segmentation has been shown to have a transformative effect on the defense of those who had segmented the majority of their critical assets, allowing them to mitigate and contain ransomware 11 hours faster than those with a single segmented asset.”
Kindervag continues to support the Zero Trust principle. Part of its attraction and longevity is that it’s a simple concept to understand: people and endpoints don’t gain access to services, apps, data, clouds or files unless they demonstrate they are authorized to do so, and, even then, access is only granted for the necessary period of time.
“Trust is a human emotion,” he said. “People didn’t understand it when I first proposed it, but it’s about managing danger rather than risk and closing gaps in your security.”