Zero Trust Networking (ZTN) – I want to be ghosted
It’s a fact, that security consultants carrying out audits are going to see a common theme. There will always be a remediation element and the default line is that you need to segment. There will always be the need for user and micro-segmentation of high-value infrastructure in sections of the networks.
Micro-segmentation is pretty hard to do without Zero Trust Networking (ZTN). ZTN is a very dynamic, and user-centric way of micro-segmentation, which is needed for high-value infrastructure which can’t be moved such as an AS/400. You can’t just pop an AS/400 in the cloud and expect everything to be ok.
Problems with traditional constructs
If we roll back the clock. VLANs were never used for segmentation. Their sole purpose was to device broadcast domains, to improve network performance. The segmentation piece came much later on. Access control policies were carried out on a port-by-port and VLAN-by-VLAN basis. This would involve the association of a VLAN with an IP subnet to enforce subnet control, regardless of who the users were.
Also, TCP/IP was designed in a “safer” world based on an implicit trust mode of operation. It has a “connect first and then authenticate second” approach. This implicit trust model can open you up to a number of compromises. ZTN changes this model and is all about “authenticate first and then connect”. It is based on the individual user, instead of the more traditional IP addresses and devices.
In addition, firewall rules are binary and static. They simply state should this IP block have access to this network (Y/N)? That’s not enough as today’s environment has become very diverse and distributed.
Let us face it. Traditional constructs have not kept pace or evolved with today’s security challenges. The perimeter is gone and as a result, we need to keep all services ghosted until efficient contextual policies have been granted.
One of the main challenges customers have right now is that their environments are changing. They are moving to the cloud and to containerized environments. This surfaces many security questions, from an access control perspective. Especially in a hybrid infrastructure where you have traditional data centers with legacy systems, along with highly scalable systems all at the same time. An effective security posture is all about having a common way to enforce a policy based control and contextual access policy around user and service access.
When organizations transition into these new environments they end up having to use multiple tools sets. These tools sets are not very contextual as to how to they operate. For example, what you may have amazon web services (AWS) security groups that define a group of IP address ranges that can gain access to a particular virtual private cloud (VPC). This isn’t very granular or has any associated identity or device recognition capability. Also, developers in these environments are massively over titled and we struggle as to how we control them.
Trust and verify model vs Zero Trust Networking (ZTN)
If you look at how VPN has worked, you have this trust and verify model, you connect to the network and then you can be authorized. The problem with this approach is that you are already able to see a lot of the attack surface from an external perspective. This can be potentially be used to move laterally around the infrastructure to access critical assets.
ZTN capabilities are focused more on a contextual identity-based model. For example, who is the user, what are they doing, where are they coming in from, is their endpoint up to date from threat posture perspectives and what is the rest of your environment saying about these endpoints? Once all this is done, they are entitled to communicate, which is similar to granting a conditional firewall rule which is based on a range of policies, not just a Y/N! i.e has there been a malware check in the last minute or been 2-factor authentication process etc.
I envision a ZTN solution with a number of components. There will be a client which effectively communicates to a controller, and then there will be a gateway. The gateway acts as the enforcement point used to logically segment the infrastructure that you are looking to protect. The enforcement point could be in front of a specific set of applications or subnets that you want to segment.