An authenticated network flow must be processed before it can be processed

Whenever a zero-trust network receives a packet, it is considered suspicious. Before data can be processed within them, they must be rigorously inspected. Strong authentication is our primary method for accomplishing this.

Authentication is required for network data to be trusted. Possibly the most critical component of a zero-trust network. In the absence of it, we must trust the network.

All network flows SHOULD be encrypted before transmission

It is trivial to compromise a network link that is physically accessible to unsafe actors. Bad actors can infiltrate physical networks digitally and passively probe for valuable data by digitally infiltrating them.

When data is encrypted on the device, the attack surface is reduced to the device’s application and physical security, which is the device’s trustworthiness.

The application-layer endpoints MUST perform authentication and encryption

Application-layer endpoints must communicate securely to establish zero-trust networks since trusting network links threaten system security. When middleware components handle upstream network communications (for example, VPN concentrators or load balancers that terminate TLS), they can expose these communications to physical and virtual threats. To achieve zero trust, every endpoint at the application layer must implement encryption and authentication.

The Role of Segmentation

It’s a fact that security consultants carrying out audits will see a common theme. There will always be a remediation element; the default line is that you need to segment. There will always be the need for user and micro-segmentation of high-value infrastructure in sections of the networks. Micro-segmentation is hard without Zero Trust Network Design and Zero Trust Security Strategy.

User-centric

Zero Trust Networking (ZTN) is a dynamic and user-centric method of microsegmentation for zero trust networks, which is needed for high-value infrastructure that can’t be moved, such as an AS/400. You can’t just pop an AS/400 in the cloud and expect everything to be ok. Recently, we have seen a rapid increase in using SASE, a secure access service edge. Zero Trust SASE combines network and security functions, including zero trust networking but offering from the cloud.

For pre-information, you may find the following posts helpful:

1. Technology Insight for Microsegmentation

Back to basics with Zero Trust Networking

Traditional network security

Traditional network security architecture breaks different networks (or pieces of a single network) into zones contained by one or more firewalls. Each zone is granted some level of trust, determining the network resources it can reach. This model provides solid defense in depth. For example, resources deemed riskier, such as web servers that face the public internet, are placed in an exclusion zone (often termed a “DMZ”), where traffic can be tightly monitored and controlled.

Critical Principles of Zero Trust Networking:

1. Least Privilege: Zero trust networking enforces the principle of least privilege, ensuring that users and devices have only the necessary permissions to access specific resources. Limiting access rights significantly reduces the potential attack surface, making it harder for malicious actors to exploit vulnerabilities.

2. Microsegmentation: Zero trust networking leverages microsegmentation to divide the network into smaller, isolated segments or zones. Each segment is an independent security zone with access policies and controls. This approach minimizes lateral movement within the network, preventing attackers from traversing and compromising sensitive assets.

3. Continuous Authentication: In a zero-trust networking environment, continuous authentication is pivotal in ensuring secure access. Traditional username and password credentials are no longer sufficient. Instead, multifactor authentication, behavioral analytics, and other advanced authentication mechanisms are implemented to consistently verify the legitimacy of users and devices.

Benefits of Zero Trust Networking:

1. Enhanced Security: Zero trust networking provides organizations with an enhanced security posture by eliminating the assumption of trust. This approach mitigates the risk of potential breaches and reduces the impact of successful attacks by limiting lateral movement and isolating critical assets.

2. Improved Compliance: With the growing number of stringent data protection regulations, such as GDPR and CCPA, organizations are under increased pressure to ensure data privacy and security. Zero trust networking helps meet compliance requirements by implementing granular access controls, auditing capabilities, and data protection measures.

3. Increased Flexibility: Zero trust networking enables organizations to embrace modern workplace trends, such as remote work and cloud computing, without compromising security. Zero-trust networking facilitates secure access from any location or device by focusing on user and device authentication rather than network location.

Challenges to Consider:

While zero-trust networking offers numerous benefits, implementing it can pose particular challenges. Organizations may face difficulties redesigning their existing network architectures, ensuring compatibility with legacy systems, and managing the complexity associated with granular access controls. However, these challenges can be overcome with proper planning, collaboration, and tools.

Microsegmentation for Zero Trust Networks

Suppose we roll back the clock. VLANs were never used for segmentation. Their sole purpose was to divide broadcast domains and improve network performance. The segmentation piece came much later on. Access control policies were carried out on a port-by-port and VLAN-by-VLAN basis. This would involve the association of a VLAN with an IP subnet to enforce subnet control, regardless of who the users were.

Also, TCP/IP was designed in a “safer” world based on an implicit trust mode of operation. It has a “connect first and then authenticate second” approach. This implicit trust model can open you up to several compromises. Zero Trust and Zero Trust SDP change this model to “authenticate first and then connect.”

It is based on the individual user instead of the more traditional IP addresses and devices. In addition, firewall rules are binary and static. They state that this IP block should have access to this network (Y/N). That’s not enough, as today’s environment has become diverse and distributed.

Let us face it. Traditional constructs have not kept pace or evolved with today’s security challenges. The perimeter is gone, so we must keep all services ghosted until efficient contextual policies are granted.

Organizational challenges

One of the main challenges customers have right now is that their environments are changing. They are moving to cloud and containerized environments. This surfaces many security questions from an access control perspective, especially in a hybrid infrastructure where you have traditional data centers with legacy systems, along with highly scalable systems, all at the same time.

An effective security posture is all about having a common way to enforce a policy-based control and contextual access policy around user and service access.

When organizations transition into these new environments, they must use multiple tool sets, which are not very contextual in how they operate. For example, you may have Amazon Web Services (AWS) security groups defining IP address ranges that can gain access to a particular virtual private cloud (VPC).

This isn’t granular or has any associated identity or device recognition capability. Also, developers in these environments are massively titled, and we struggle with how to control them.

Trust and Verify Model vs. Zero Trust Networking (ZTN)

If you look at how VPN has worked, you have this trust and verify model, connect to the network, and then you can be authorized. The problem with this approach is that you can already see much of the attack surface from an external perspective. This can potentially be used to move laterally around the infrastructure to access critical assets.

Zero trust networking capabilities are focused more on a contextual identity-based model. For example, who is the user, what are they doing, where are they coming in from, is their endpoint up to date from threat posture perspectives, and what is the rest of your environment saying about these endpoints?

Once all this is done, they are entitled to communicate, similar to granting a conditional firewall rule based on a range of policies, not just a Y/N. For example, has there been a malware check at the last minute, a 2-factor authentication process, etc.?

I envision a Zero Trust Network ZTN solution with several components. A client will effectively communicate with a controller and then a gateway. The gateway acts as the enforcement point used to segment the infrastructure you seek to protect logically. The enforcement point could be in front of a specific set of applications or subnets you want to segment.

Zero-trust networking provides a proactive and comprehensive security approach in a rapidly evolving threat landscape. By embracing the principles of least privilege, microsegmentation, and continuous authentication, organizations can enhance their security posture and protect their critical assets from internal and external threats. As technology advances, adopting zero-trust networking is not just a best practice but a necessity in today’s digital age.