January 11, 2017
Your Girlfriend Has Already Adopted the Zero Trust Model: Here’s Why You Should Too
“Never trust, always verify” is shifting from the adage of crazy girlfriends everywhere to the motto of cyber security experts across the globe.

The Zero Trust Model of cyber security rests on the belief that neither internal nor external networks can be trusted. "Zero Trust," a term originally coined by Forrester Research, is a data-centric network design. It puts micro-perimeters around specific data or assets so that more granular rules can be enforced. “With Zero Trust there is no default trust for any entity — including users, devices, applications, and packets — regardless of what it is and its location on or relative to the corporate network.”

What’s more, Zero Trust networks solve the "flat network" problem that allows attackers to move undetected inside corporate networks, stealing sensitive data.

By establishing Zero Trust boundaries that compartmentalize various segments of the network, you can protect intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the movement of malware throughout your network.

Although the model is relatively old, having debuted in 2009, it is still being talked about because of its lack of adoption by organizations despite its presumed benefits.

If you’re wondering, “why the hesitation?”

“Full implementation of the Zero Trust model in the enterprise world requires multiple switch stacks connected to a high-speed core to handle the segmentation, often made up of multiple appliances or software packages. This approach is complex and expensive, and thus beyond the current reach of much of the business world,” states ComputerWorld.com.

Before we delve into what this model can accomplish, and how to go about it in a more manageable way, let’s look at the basics.

- Subnetting is the strategy used to partition a single physical network into multiple smaller logical sub-networks (subnets). An IP address includes a network segment and a host segment.
- Micro-segmentation refers to the process of segmenting a collision domain into various segments. Micro-segmentation is mainly used to enhance the efficiency or security of the network.
- A distributed firewall is a host-resident security software application that protects the enterprise network's servers and end-user machines against unwanted intrusion. Distributed firewalls offer the advantage of filtering traffic from both the Internet and the internal network. This enables them to prevent hacking attacks that originate from either the Internet or the internal network.
- Service Composer is a built-in tool that defines a new model for consuming network and security services; it allows you to provision and assign firewall policies and security services to applications in real time in a virtual infrastructure.

So, how exactly does the Zero Trust Model work from a technical standpoint?

Networkinferno.net recommends the use of micro-segmentation whereby the distributed firewall allows administrators “to wrap security controls around the virtual machine itself, removing the dependence on in-guest firewalling which is often easily compromised by application based exploits. In addition, having a firewalling capability… at the point of entry to the network allows for a vastly different approach to the traditional multi-tier app equals multiple-subnets in the network…”

“Segmentation is based on how data is being used, which enables the aggregation of similar virtual machines and the ability to secure virtual machines by default,” said John Kindervag, principal analyst at Forrester Research.

With a distributed firewall, a single layer network segment can now be split into “micro-segments” where all that’s needed is a security policy to define the different application tiers.

Next, you implement a service composer to provision and assign firewall policy and security services to applications in a virtual infrastructure. You map these services in the form of a policy.

Of course, I’m only scratching the surface of technical detail, but hopefully the general concept is clear. My main point is to discuss how beneficial this model seems to be and educate you on some of the concepts that make it possible.

Now, I want to share a simple list of how organizations can implement Zero Trust, assuming they have the means to do so.
- Identify toxic data
- Map how that data flows
- Build your Zero Trust network
- Create your automated rule base
- Monitor your network
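
The "map how that data flows", "create your automated rule base" and "monitor your network" steps can be illustrated with the following Python example, which is added here and is not code from the original article or from any vendor product. It compares a flat-subnet trust decision with a tier-based, default-deny decision; every address, port, tier name and function name in it is a constructed assumption.

```python
import ipaddress

FLAT_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed: one flat subnet for all tiers
# Constructed inventory: tier membership is a tag on the VM, not a subnet boundary.
VM_TIER = {"10.0.0.11": "web", "10.0.0.12": "web", "10.0.0.21": "app", "10.0.0.31": "db"}
# Constructed flow map: the only tier-to-tier paths the application needs.
MAPPED_FLOWS = [("web", "app", 8443), ("app", "db", 5432)]
# Constructed observed traffic: (source IP, destination IP, destination port).
OBSERVED = [
    ("10.0.0.11", "10.0.0.21", 8443),  # web -> app, mapped
    ("10.0.0.21", "10.0.0.31", 5432),  # app -> db, mapped
    ("10.0.0.11", "10.0.0.31", 5432),  # web -> db, skips the app tier
    ("10.0.0.11", "10.0.0.12", 22),    # web -> web, inside one tier
    ("10.0.0.99", "10.0.0.31", 5432),  # untagged host on the same subnet
]

def build_rule_base(mapped_flows):
    """Generate the allow-list from the flow map; nothing else is ever added."""
    return frozenset(mapped_flows)

def flat_allows(src_ip, dst_ip, port):
    """Perimeter-only model: anything already inside the subnet is trusted."""
    return all(ipaddress.ip_address(ip) in FLAT_NET for ip in (src_ip, dst_ip))

def segment_allows(rules, src_ip, dst_ip, port):
    """Per-VM enforcement: decide by tier tags, default deny, location is irrelevant."""
    src, dst = VM_TIER.get(src_ip), VM_TIER.get(dst_ip)
    if src is None or dst is None:
        return False  # untagged entity gets no default trust
    return (src, dst, port) in rules

def monitor(rules, observed):
    """Return flows the flat network would pass silently but the rule base denies."""
    return [f for f in observed if flat_allows(*f) and not segment_allows(rules, *f)]

if __name__ == "__main__":
    rules = build_rule_base(MAPPED_FLOWS)
    for flow in OBSERVED:
        verdict = "allow" if segment_allows(rules, *flow) else "deny"
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {verdict}")
    print("alerts:", monitor(rules, OBSERVED))
```

All five sample flows stay inside one subnet, so the flat model trusts every one of them, while the tier-based rule base permits only the two mapped paths and reports the other three.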