The traditional approach to cybersecurity builds a “fence” of safety around networks that give access to essential business assets so bad actors cannot break in and introduce malware and ransomware. This is often called perimeter security. There are flaws in this approach, however. No matter how secure the gateway, once through, the hacker has access to everything behind the firewall. In addition, the network perimeter has blurred in recent years, going beyond the traditional enterprise perimeter to accommodate remote work and SaaS applications.
Strategies such as multi-factor authentication (MFA) have strengthened the gateway, and that has been important, but those strategies have not resolved the danger in diverse networks. It may take more work to get through, but once inside, hackers can move laterally across the network and introduce ransomware or steal information.
Albert Einstein said, “Problems cannot be solved with the same mindset that created them.” Zero Trust (ZT) is a different mindset, and it approaches security differently.
Perimeter security assumes a user or connection is trustworthy until security systems flag a breach. ZT in its purest form assumes that attackers are always close by, and that no connection attempt, whether it originates inside the enterprise perimeter or outside it, is considered secure until it is authenticated.
ZT is an approach to cybersecurity and not an event or a set of services or products. Migration to ZT network security is a process over time. As you convert, you will likely continue to use some of the same products and services you are using now, but will use them in a different way. Most networks will end up being hybrid for a time as the security operations center (SOC) implements modernization projects. The only “pure” ZT network is one built from the very beginning based on ZT principles.
Because of this, a plan for converting to ZT is an important starting point. The plan begins with identifying all assets, subjects, business processes, traffic flows, and dependencies within the enterprise infrastructure. Breaking the work into incremental projects helps you map progress and track success.
The plan should include all enterprise assets:
- Infrastructure components
- Virtual components
- Cloud components
It should also include all subjects:
- End users
- Non-human entities that request information
Migrating your network to the Zero Trust approach involves a number of considerations. The following sections discuss a few steps you can take to bring your infrastructure closer to a ZT framework.
One of the basic tenets of ZT networking is microsegmentation: the practice of isolating workloads and securing each one individually to limit access. In perimeter security, a single breach gives hackers access to the entire network. Microsegmentation reduces the attack surface and limits the damage from a single breach.
Isolate vulnerable technology
Often, information and communications technology (ICT) devices such as cell phones, personal computers, email, or television have fixed operating systems (OSs) that cannot be patched for vulnerabilities. Operational technology (OT) devices such as industrial robots or medical equipment present a similar challenge. Yet they are increasingly integrated into enterprise workflows. Devices such as these must be isolated using tight policies to reduce the possibility of a breach.
Subnets are a discrete part of a larger network. They can improve network security, performance, and resiliency. They also need to be part of your ZT strategy to stop malware and other malicious tools. Make sure alerts and logs for subnetworks report into your consolidated console for investigation and resolution.
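The following is an added example, not code from the original article: a small Python model of the microsegmentation tenet above and of the "isolate vulnerable technology" advice. It compares how far a single compromised workload can reach under a flat perimeter network (anything inside may talk to anything) with a default-deny, per-tier allowlist in which an unpatchable OT device is reachable only from a management jump host. The workload names, tier labels, ports and rules are all constructed for illustration, and the policy format is a toy, not any vendor's.

```python
"""Added example (not from the original article): a toy microsegmentation
policy model. Workloads, tiers, ports and rules are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    tier: str              # constructed labels: web, app, db, ot, mgmt
    patchable: bool = True


@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    port: int


# Constructed inventory, including an unpatchable OT device (an HMI) that the
# "Isolate vulnerable technology" advice applies to.
WORKLOADS = [
    Workload("web-1", "web"),
    Workload("app-1", "app"),
    Workload("db-1", "db"),
    Workload("hmi-1", "ot", patchable=False),
    Workload("jump-1", "mgmt"),
]
WL = {w.name: w for w in WORKLOADS}

# Default-deny allowlist: only these tier-to-tier flows are permitted.
# The OT device accepts connections only from the management jump host.
POLICY = [
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
    Rule("mgmt", "ot", 22),
    Rule("mgmt", "app", 22),
]


def flow_allowed_segmented(src: Workload, dst: Workload, port: int) -> bool:
    """Microsegmentation: a flow is allowed only if an explicit rule matches."""
    return any(r.src_tier == src.tier and r.dst_tier == dst.tier and r.port == port
               for r in POLICY)


def flow_allowed_flat(src: Workload, dst: Workload, port: int) -> bool:
    """Perimeter model: anything already inside the network may reach anything."""
    return src != dst


def blast_radius(start: str,
                 allowed: Callable[[Workload, Workload, int], bool]) -> Set[str]:
    """Workloads an attacker who controls `start` could reach by hopping along
    allowed flows (breadth-first search over the policy's ports)."""
    ports = {r.port for r in POLICY}
    seen, queue = {start}, deque([start])
    while queue:
        cur = WL[queue.popleft()]
        for w in WORKLOADS:
            if w.name not in seen and any(allowed(cur, w, p) for p in ports):
                seen.add(w.name)
                queue.append(w.name)
    seen.discard(start)
    return seen


def evaluate_flows(attempts: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Decide constructed flow attempts under the segmented policy. Denied flows
    are what the consolidated console should surface for investigation."""
    return [(s, d, p, "allow" if flow_allowed_segmented(WL[s], WL[d], p) else "deny")
            for s, d, p in attempts]


if __name__ == "__main__":
    for model, fn in (("flat perimeter", flow_allowed_flat),
                      ("microsegmented", flow_allowed_segmented)):
        print(f"{model}: compromise of web-1 reaches {sorted(blast_radius('web-1', fn))}")
    for entry in evaluate_flows([("web-1", "app-1", 8080),
                                 ("web-1", "hmi-1", 22),
                                 ("jump-1", "hmi-1", 22)]):
        print(entry)
```

Under the flat model a compromised web-1 reaches every other workload; under the segmented policy it reaches only app-1 and db-1 and never the HMI, which is the containment the paragraph describes. The same `blast_radius` check is useful as a planning tool: running it from each workload shows which policy gaps still let an incident spread.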
Secure remote access
Before ZT, connections established through the common remote-access techniques were considered trustworthy until flagged. But security flaws in the most common techniques became increasingly apparent. Networks became more software-defined and mobility increased, especially during COVID-19. This resulted in unmanaged endpoints, unsanctioned SaaS, and unsecured SD-WANs.
- Virtual private network (VPN) – VPN safeguards stopped at the edge and yet granted the user access to the entire network, creating an illusion of trustworthiness. VPN security also didn’t integrate well with increasingly used software-defined networks.
- Cloud Access Security Broker (CASB) – the main issue with CASB was the fixed nature of its security precautions. While software-defined networks were increasingly fluid and employees were more mobile, security precautions couldn’t flex as needed.
- Secure web gateway (SWG) – SWGs presented issues for employees who worked from anywhere.
Solutions for remote connections continue to evolve, but options are now available that offer cybersecurity solutions consistent with mobile work habits and the ZT approach.
- Secure access service edge (SASE) – SASE falls under the ZT umbrella and spells out ZT principles for particular sections of the enterprise. Analyst firm Gartner uses this term. The components of a SASE solution vary, but they typically consist of CASB, SWG, ZTNA, and SD-WAN technologies, providing access both to private applications (within a corporate datacenter or IaaS) and to public SaaS applications.
- Zero trust edge (ZTE) – this is a different label for SASE. Analyst firm Forrester uses this term.
- Zero Trust network access (ZTNA) – ZTNA falls within the definition of SASE or ZTE, and is a cloud-based ZT security solution that gives users access only to the applications for which they are specifically authorized. Consistent with the ZT approach, this limits damage if there is a breach. Like VPN, ZTNA encrypts data for security, but it offers a significantly improved user experience and is much more flexible.
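The following is an added example, not code from the original article or from any ZTNA product: a minimal Python model of the per-application decision a ZTNA broker makes, set beside the VPN behaviour described earlier, where one successful gateway login exposes the whole network. The users, applications, entitlement table and the device-posture signal are constructed for illustration; real brokers draw these from an identity provider and an endpoint agent.

```python
"""Added example (not from the original article): a toy model of ZTNA
per-application authorization versus VPN all-or-nothing access. Users,
apps, entitlements and posture signals are constructed."""
from dataclasses import dataclass
from typing import Set


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool     # constructed claim from the identity provider
    device_managed: bool   # constructed posture signal from an endpoint agent


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed entitlements: which users are explicitly authorized for which apps.
ENTITLEMENTS = {
    "alice": {"payroll", "wiki"},
    "bob": {"wiki"},
}
ALL_APPS = {"payroll", "wiki", "erp", "hr-db"}


def ztna_decide(identity: Identity, app: str) -> Decision:
    """Evaluate every request on its own; nothing is trusted by default.
    The reason string is what should land in the access log for review."""
    if not identity.mfa_verified:
        return Decision(False, "mfa-required")
    if not identity.device_managed:
        return Decision(False, "device-posture-failed")
    if app not in ENTITLEMENTS.get(identity.user, set()):
        return Decision(False, "not-entitled")
    return Decision(True, "ok")


def ztna_visible_apps(identity: Identity) -> Set[str]:
    """Applications the broker will connect this identity to: only entitled ones."""
    return {app for app in ALL_APPS if ztna_decide(identity, app).allowed}


def vpn_visible_apps(identity: Identity) -> Set[str]:
    """VPN model: the gateway checks credentials once (MFA here), after which
    every application on the internal network is reachable."""
    return set(ALL_APPS) if identity.mfa_verified else set()


if __name__ == "__main__":
    for ident in (Identity("alice", True, True),
                  Identity("bob", True, True),
                  Identity("bob", True, False)):
        print(ident.user, "vpn:", sorted(vpn_visible_apps(ident)),
              "ztna:", sorted(ztna_visible_apps(ident)))
        print("  payroll ->", ztna_decide(ident, "payroll"))
```

The point the example makes is the one in the ZTNA bullet: bob passes MFA and so would see every internal application over a VPN, but the broker connects him to `wiki` alone, and a stolen or misused session on a device that fails posture gets nothing, with a logged reason each time.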