
Microsegmentation and Zero Trust

Francis O’Haire at DataSolutions describes a match made in security heaven

 

Zero Trust is an IT security framework, or strategy, that draws on several technologies and processes. Put simply, ZT assumes that no person and no ‘thing’ can be trusted: individuals, devices and services attempting to access company resources, whether inside or outside the network, are never trusted automatically. To make things even more secure, users and devices are verified every time they request access, irrespective of any previous authentication.

 

These days, when many people hear “Zero Trust” they immediately think of Zero Trust Network Access (ZTNA). ZTNA is one of the more common components of a Zero Trust architecture, but it governs only access from remote users to corporate applications and resources.

 

From a vendor’s perspective, it is difficult to label any single product or service as a comprehensive Zero Trust solution. Organisations that want more benefit from a ZT framework must take further steps and deploy other ZT technologies, depending on the priorities of the business and their current security infrastructure.

 

Security at the edge

ZTNA only deals with security at the edge, for traffic into and out of a network. We call this North-South traffic. However, East-West network traffic, which includes all the communication between internal systems, can make up over 80% of a business’s total network data flows. In a true Zero Trust architecture, this traffic should also be governed by the principles of Zero Trust, since it cannot be assumed that an attacker has not already breached the perimeter defences.

 

In fact, the concept of Zero Trust was originally devised to move away from the habit of only thinking about perimeter security when, in reality, attackers are routinely gaining access to the internal network where they can roam around freely in search of valuable data and systems to compromise.

 

A best practice commonly used in the past has been to break the internal network into segments using VLANs, switches and/or firewalls to restrict what communication can happen between these zones and so limit any lateral movement by attackers. In modern, highly virtualised and dynamic network environments, this approach delivers limited benefit and is very difficult to manage and monitor.

 

And so, to apply the principles of Zero Trust to East-West traffic, the concept of microsegmentation was conceived (you could say that microsegmentation is the architectural design that facilitates Zero Trust).

 

As the name suggests, this concept allows the network to be segmented into much smaller zones, ultimately right down to individual hosts or virtual machines (in the case of traditional IT systems) and to individual containers or microservices (in the case of cloud architectures). With microsegmentation, individual components within the network are only allowed to communicate with each other after being properly authenticated, and only according to specific policies.

 

Combining zero-trust and microsegmentation

Adopting microsegmentation as a foundational element of a Zero Trust strategy helps to deal with one of the significant challenges facing today’s enterprise-level businesses: securing workloads in dynamic environments. By adopting the Zero Trust model, organisations can move away from traditional perimeter-based network security, which is far from ideal when faced with a growing number of remote workers and cloud environments.

 

Microsegmentation supports the model by splitting the network into smaller zones and building a micro-perimeter around each resource, securing each one individually while offering improved network visibility and more robust access controls.
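To make the two ideas above concrete (components may talk only after authentication and only per explicit policy; each resource sits inside its own micro-perimeter with a default of deny), here is a small, added illustration of how a microsegmentation policy check over East-West flows can work. It is example code written for this article, not the author's or any vendor's product: the workload names, labels, rules and flow records are all constructed, and the `authenticated` flag stands in for whatever peer-identity verification (for example mTLS) the real environment provides.

```python
"""Added example: default-deny microsegmentation policy evaluated over East-West flows.

Illustrative code for this article, not a product's policy engine.
Workloads, labels, rules and flow records below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    labels: FrozenSet[str]          # identity labels the policy refers to


@dataclass(frozen=True)
class Rule:
    """Allow src_label -> dst_label on one port/protocol. Anything unmatched is denied."""
    src_label: str
    dst_label: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    authenticated: bool             # constructed: peer identity verified (e.g. by mTLS)


# Constructed inventory: a three-tier application, each tier its own micro-perimeter.
INVENTORY: Dict[str, Workload] = {w.name: w for w in [
    Workload("web-01", frozenset({"tier:web"})),
    Workload("app-01", frozenset({"tier:app"})),
    Workload("db-01", frozenset({"tier:db"})),
]}

# Constructed policy: only the two hops the application actually needs.
POLICY: List[Rule] = [
    Rule("tier:web", "tier:app", 8080),
    Rule("tier:app", "tier:db", 5432),
]

# Constructed flow records, as a flow log or sidecar might report them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("web-01", "app-01", 8080, "tcp", True),    # legitimate web -> app
    Flow("app-01", "db-01", 5432, "tcp", True),     # legitimate app -> db
    Flow("web-01", "db-01", 5432, "tcp", True),     # web tier reaching past app tier
    Flow("app-01", "db-01", 5432, "tcp", False),    # right path, but peer not authenticated
    Flow("laptop-77", "db-01", 5432, "tcp", True),  # source not in the workload inventory
    Flow("web-01", "app-01", 22, "tcp", True),      # allowed pair, but not an allowed port
]


def evaluate(flow: Flow, inventory: Dict[str, Workload], policy: List[Rule]) -> Tuple[bool, str]:
    """Return (allowed, reason). Identity and authentication are checked before any rule."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        return False, "unknown workload"
    if not flow.authenticated:
        return False, "unauthenticated peer"
    for rule in policy:
        if (rule.src_label in src.labels and rule.dst_label in dst.labels
                and rule.port == flow.port and rule.proto == flow.proto):
            return True, f"allowed by {rule.src_label}->{rule.dst_label}:{rule.port}/{rule.proto}"
    return False, "no matching allow rule (default deny)"


def audit(flows: List[Flow], inventory: Dict[str, Workload], policy: List[Rule]) -> Dict[str, List[str]]:
    """Classify every flow; the 'denied' list is what a SOC would review for lateral movement."""
    report: Dict[str, List[str]] = {"allowed": [], "denied": []}
    for f in flows:
        ok, reason = evaluate(f, inventory, policy)
        report["allowed" if ok else "denied"].append(
            f"{f.src}->{f.dst}:{f.port}/{f.proto} ({reason})")
    return report


if __name__ == "__main__":
    for verdict, lines in audit(SAMPLE_FLOWS, INVENTORY, POLICY).items():
        print(verdict.upper())
        for line in lines:
            print("  " + line)
```

The point of the ordering inside `evaluate` is that identity comes first: a flow from a host that has no place in the inventory, or whose peer identity was never verified, is denied before any allow rule is even consulted, and the allow rules are expressed in terms of workload identity rather than IP addresses, which is what lets the same policy follow a workload as it moves in a dynamic environment.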

 

With the adoption of Zero Trust principles included in the “basic cyber hygiene” requirements of the soon-to-be-enforced EU-wide NIS2 Directive, Zero Trust should no longer be a long-term goal for organisations. It should be adopted as a matter of urgency.

 

And while ZTNA is the best approach for controlling access from external users, microsegmentation should be adopted as the foundation for applying Zero Trust principles to all other network traffic in an organisation.


Wider cyber-security strategy

We need to remember that microsegmentation is not a strategy on its own. Instead, it should be part of a larger data access and security strategy. That is because microsegmentation only governs the network, whereas a larger data security strategy includes controls at other layers, such as endpoint protection, two-factor authentication (2FA), Privileged Access Management (PAM), intrusion detection and more.

 

A wider cyber-security strategy involves multiple elements: risk assessment, security policies, network security, endpoint security and incident response. Microsegmentation assists with network security through its ability to divide networks into segments, allowing each segment to have its own set of security policies.

 

Given the increasing sophistication of cyber-attacks, however, many organisations are looking into a Zero Trust game plan to strengthen their respective security postures and gain extended visibility into the network.

 

Microsegmentation is one method that can provide comprehensive cloud infrastructure protection, advanced threat detection and defence against lateral movement to augment a Zero Trust strategy.

 

You could say it’s a match made in security heaven.


Francis O’Haire is Group Technology Director at DataSolutions

 

Main image courtesy of iStockPhoto.com

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543