The essential zero trust (ZT) approach to networking is that no user, device, or asset connected to the network in any way is inherently secure. Every connection is untrusted until it is proven trustworthy. ZT networking takes into account the way today’s enterprises work, incorporating BYOD, remote work, cloud elements, and as-a-service solutions into cybersecurity consideration with continuous monitoring and authorization of every access attempt.
The traditional approach to cybersecurity builds a “fence” of safety around networks that give access to essential business assets so bad actors cannot break in and introduce malware and ransomware. This is often called perimeter security. There are flaws in this approach, however. No matter how secure the gateway, once through, the hacker has access to everything behind the firewall. In addition, the network perimeter has blurred in recent years, going beyond the traditional enterprise perimeter to accommodate remote work and SaaS applications.
Strategies such as multi-factor authentication (MFA) have strengthened the gateway, and that has been important, but those strategies have not resolved the danger in diverse networks. It may take more work to get through, but once inside, hackers can move laterally across the network and introduce ransomware or steal information.
Albert Einstein said that, “Problems cannot be solved with the same mindset that created them.” ZT is a different mindset that approaches security differently.
Perimeter security assumes a user or connection is trustworthy until security systems flag a breach. ZT in its purest form assumes that attackers are always close by, and that whether it is within the enterprise perimeter or not, no connection attempt is secure until it is authenticated.
ZT is an approach to cybersecurity and not an event or a set of services or products. Migration to ZT network security is a process over time. As you convert, you will likely continue to use some of the same products and services you are using now, but will use them in a different way. Most networks will end up being hybrid for a time as the security operations center (SOC) implements modernization projects. The only “pure” ZT network is one built from the very beginning based on ZT principles.
Because of this, a plan for converting to ZT is an important beginning point. The plan begins with identifying all assets, subjects, business processes, traffic flows, and dependencies within the enterprise infrastructure. Building in incremental projects helps map your progress and track success.
The plan should include all enterprise assets:
It should also include all subjects:
Adopting the Zero Trust approach has a number of considerations as you migrate your network. The following sections discuss a few steps you can take to bring your infrastructure closer to a ZT framework.
One of the basic tenets of ZT networking is microsegmentation. It is the practice of isolating workloads and securing them individually to limit access. In perimeter security, a breach gives hackers access to the entire network. Microsegmentation reduces the attack surface and limits the damage from a single breach.
Often, information and communications technology (ICT) devices such as cell phones, personal computers, email, or television have fixed operating systems (OSs) that cannot be patched for vulnerabilities. Operational technology (OT) devices such as industrial robots or medical equipment present a similar challenge. Yet they are increasingly integrated into enterprise workflows. Devices such as these must be isolated using tight policies to reduce the possibility of a breach.
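To make the microsegmentation and device-isolation points above concrete, here is an added example (not code from the original article) of a default-deny segment policy evaluator: every flow is denied unless the subject is authenticated, the device passes a posture check, and an explicit allow rule exists, and segments holding unpatchable OT/ICT devices accept no inbound flows at all. The segment names, ports and rules are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str
    dst_port: int
    subject_authenticated: bool   # identity verified for this request
    device_posture_ok: bool       # endpoint agent reports compliant state


# Explicit allow rules (src segment, dst segment, dst port). Constructed example;
# anything not listed here is denied, so a breached workstation cannot reach
# the database tier directly even with valid credentials.
ALLOW_RULES = {
    ("workstations", "app-tier", 443),
    ("app-tier", "db-tier", 5432),
    ("ot-quarantine", "historian", 502),   # Modbus from isolated OT devices only
}

# Segments holding devices that cannot be patched or run a posture agent.
# They get no inbound flows and only the outbound flows listed above.
UNPATCHABLE_SEGMENTS = {"ot-quarantine"}


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (decision, reason). Each check is re-run on every flow."""
    if flow.dst_segment in UNPATCHABLE_SEGMENTS:
        return "deny", "inbound to isolated device segment"
    if not flow.subject_authenticated:
        return "deny", "subject not authenticated"
    # Unpatchable devices cannot attest posture, so confinement replaces that check.
    if flow.src_segment not in UNPATCHABLE_SEGMENTS and not flow.device_posture_ok:
        return "deny", "device failed posture check"
    if (flow.src_segment, flow.dst_segment, flow.dst_port) not in ALLOW_RULES:
        return "deny", "no explicit allow rule (default deny)"
    return "allow", "matched allow rule"


if __name__ == "__main__":
    samples = [
        Flow("workstations", "app-tier", 443, True, True),   # normal access
        Flow("workstations", "db-tier", 5432, True, True),   # lateral move attempt
        Flow("workstations", "app-tier", 443, True, False),  # non-compliant device
        Flow("ot-quarantine", "historian", 502, True, True), # allowed OT telemetry
        Flow("workstations", "ot-quarantine", 22, True, True),  # reaching into OT
    ]
    for f in samples:
        print(f.src_segment, "->", f.dst_segment, f.dst_port, evaluate(f))
```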
Subnets are a discrete part of a larger network. They can improve network security, performance, and resiliency. They also need to be part of your ZT strategy to stop malware and other malicious tools. Make sure alerts and logs for subnetworks report into your consolidated console for investigation and resolution.
Before ZT, the techniques to establish security for remote connections were considered trustworthy until flagged. But security flaws in the most common techniques became increasingly apparent. Networks became more software-defined and mobility increased, especially during COVID-19. This resulted in unmanaged endpoints, unsanctioned SaaS, and unsecured SD-WANs.
Solutions for remote connections continue to evolve, but options are now available that offer cybersecurity solutions consistent with mobile work habits and the ZT approach.