Tips on building an actual Zero Trust environment in a complex hybrid world
Networks are more complicated than ever, as a result of organisations having to integrate corporate networks, mobile connections, cloud and edge connectivity, and protecting a hybrid working environment as they support more remote workers, writes Tony Scott, board member ColorTokens, former CIO for the Obama Administration
The threat from the increasing numbers of cyber attacks that are also constantly evolving makes the job of network engineers and security professionals that more difficult too. With ransomware increasingly fatal to data stores when it is allowed to roam uncontrolled across company networks, something has to be done now and it has to be done quick to stop such threats in their tracks.
Lateral flow test
The increasing spread of zero day attacks that can not be stopped at security perimeters calls for a solution that can prevent the lateral flow of malware across organisations’ networks, and that solution is zero trust network access (ZTNA). ZTNA technology is primed to locate, manage and quarantine threats like ransomware, curtailing widespread damage to firms’ networks, servers and databases. A zero trust approach assumes that every IT user, gadget and data packet on the network is a potential threat, and essentially interrogates them all before allowing them to pass through the network with the right credentials.
Sounds good? But how do organisations deploy such technology correctly, efficiently and safely? There are three stages to successfully rolling out ZTNA, and these include visibility, segmentation and building up your protection – your muscle.
To start, you need complete granular visibility of your complex hybrid network, as you can’t protect what you can’t see. Firms need to eliminate all their blind spots first and then see what they need to control.
A full-picture view of all networks within the organisation is needed. You must have visibility into the applications, workloads and processes going over those networks, including a thorough understanding of multi-cloud or on-premise data centres where assets are distributed across geographies.
All access requests should be verified according to defined security policies before authorisation. Considering the complexity of enterprise networks, the implementation of ZTNA can be simplified by deploying solutions that allow context-based, dynamic policy enforcement.
360-degree visibility can only be achieved with agents that collect telemetry data and use a centralised dashboard, which provides accurate visualisation of all managed resources in a single window.
For security management to be effective, enterprises need to have the ability to customise the visibility of subnets, endpoints, applications and other managed resources. Views based on location and environment can enable quick containment of possible threats.
Visibility into assets is equally vital. This is possible only with a centralised view and control of all assets across on-premise and cloud environments. The solution must have provision for detailed information into hardware utilisation, application, running services and users and provide for integration with key third-party solutions for the business, such as the configuration management database (CMDB), Azure, AWS and VMware.
Policy simulation can help security teams gain an understanding of the impact of policies before enforcing them.
Today’s advanced and automated security technologies can help businesses achieve this level of visibility relatively quickly.
With a 360-degree view of your networks achieved, businesses can move on to the next step, namely dividing networks into logical segments in line with the infrastructure and business needs of the organisation – otherwise known as network segmentation.
Segmentation is the practice of dividing networks into different segments with complete control of the traffic going through and between those segments. The goal is to prevent threats from spreading through an organisation.
However, hardware-based solutions for this are not seen as effective. They can be resource-intensive, involve unnecessary complexity and can prove costly.
Segmentation using subnets, a hypervisor and firewalls is not very scalable in multi-cloud and hybrid cloud environments. Configuring new assets is resource-intensive and can create challenges in implementation.
VMs located on the hypervisor are not platform agnostic and do not communicate with other resources in a multi-vendor environment. And the hypervisor needs protection to comply with the enterprise security policy.
Capital-intensive advanced firewalls are required to segment the network and ensure no performance degradation in data throughput. This also requires creating and managing thousands of firewall rules, but multi-vendor resources may not be compatible with these rules.
Alternatively, software-defined segmentation offers accelerated implementation with automated policy recommendations, scalability and improved interoperability.
Organisations can gain reusable security policy templates, server roles and resource access parameters, creating a corporate policy template to enforce faster implementation.
They can map business applications to server roles, security and connection information across multi-cloud and hybrid environments. Dynamic policy tools also adapt faster to the changing IT environment.
Also, a platform-agnostic implementation can run across bare-metal servers, end-user computers or cloud-hosted virtual machines, containers or instances. Users should also see seamless integration with identity apps, SIEM apps and vulnerability tools.
So, with just a few clicks, a software-based solution can create zero trust secure zones (micro-perimeters) around critical assets with least-privilege policies to enable the micro-segmentation required.
This means that regardless of whether a business’ workloads are stored in a data centre or in the cloud, organisations can implement and scale zero trust security across their already-established infrastructure with relative ease.
3: Building the muscle
Anything worth doing requires learning, practice and refining, and zero trust network access is no exception. It doesn’t just mean installing software and walking away. It represents an entirely new security strategy and thus significant change to your processes, so it’s important to “build the muscle” as you go.
While software-defined micro-segmentation can help businesses to build this muscle quicker, there are other obstacles to success that have to be gradually moved.
You should start with a small, manageable patch of network territory and practice learning with new ZTNA tools before rolling them out to the entire organisation. As previously mentioned, a policy engine can make recommendations for you and allow you to test policies in simulation mode, removing uncertainty and apprehension.
If you’re in health, for instance, you might focus first on improving compliance with healthcare regulations such as HIPAA. Other users could focus on data privacy laws such as the European Union’s General Data Protection Regulation (GDPR). Find the most compelling or critical use cases, and then use what you learn to grow muscle from there.
Often in organisations, you’ll have some people who are really adept in a certain domain – server or cloud administration or end-user device administration, for instance – but don’t know that much about “brother and sister” domains.
Really good implementations of zero trust help to break down some of those barriers and educate people across domains so they can work together to implement better security than before, helped by greater visibility of the different systems in place.
Once they’ve built the muscle, businesses will move quickly in scaling zero trust implementations. It’s unlikely that you’ll get it right instantly, but you will get better and quicker as you go.
So we now have a roadmap towards achieving a zero trust environment, and the good news is that it’s achievable through deploying a one-stop shop ZTNA system, that can address and deliver all the technical and business needs we have mentioned.