Neil MacDonald from Gartner explains how organisations can employ a zero-trust strategy across their network.
Security models once depended on a “castle and moat” type of architecture, with the enterprise network and data centre on the inside, and firewalls guarding the perimeter. Anything located on the outside was considered untrusted. Anything on the inside was considered trusted.
This approach is now obsolete, given that an increasing number of threats originate from sources within the organisation.
With hybrid and remote working picking up pace, sources of risk are location independent and can emerge from anywhere. For this reason, the concept of “zero trust” is gaining wide popularity in the security product market.
It is useful as a shorthand way of describing an approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated, then adapted to allow just-in-time, just-enough access to enterprise resources.
Zero trust is a way of thinking, not a specific technology or architecture. It is really about zero implicit trust, as that’s what we want to get rid of. A complete zero-trust security posture may never be fully achieved, but specific initiatives can be undertaken today.
As organisations look to implement zero trust, it is important they start with network-related security projects. Why start with the network?
TCP/IP network connectivity was built in a time when trust could be assumed. It was built to connect people and organisations, not to authenticate. Network addresses are weak identifiers at best. Zero-trust networking initiatives use identity as the foundation for new perimeters.
Zero trust network access
In the past, when users left the “trusted” enterprise network, VPNs were used to extend the enterprise network to them. If attackers could steal a user’s credentials, they could easily gain access to the enterprise network.
Zero trust network access (ZTNA) abstracts and centralises access mechanisms so that security engineers and staff can take responsibility for them. It grants appropriate access based on the identity of the humans and their devices, plus other context such as time and date, geolocation, historical usage patterns and device posture. The result is a more secure and resilient environment, with improved flexibility and better monitoring.
The shift to a largely remote workforce during the COVID-19 pandemic has created intense interest in ZTNA, with media headlines proclaiming: "The VPN is dead."
Although VPN replacement is a common driver for its adoption, ZTNA typically augments, rather than replaces, a VPN. By allowing users access to just what they need, and by shifting to cloud-based ZTNA offerings, you can avoid overloading your VPN infrastructure.
Longer term, this ZTNA security posture can continue to be used when people return to the office.
Identity-based segmentation
Identity-based segmentation, also known as micro-segmentation or zero-trust segmentation, is an effective way to limit the ability of attackers to move laterally in a network once they have gained access.
Identity-based segmentation reduces excessive implicit trust by allowing organisations to shift individual workloads to a “default deny” rather than an “implicit allow” model. It uses dynamic rules that assess workload and application identity as part of determining whether to allow network communications.
When starting an identity-based segmentation strategy, begin with a small collection of the most critical applications and servers for the initial implementation and expand from there.
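To make the “default deny” versus “implicit allow” distinction concrete, here is an added example (not from the article or from Gartner): a toy policy evaluator that contrasts a perimeter-style implicit-allow check with identity-based segmentation rules. The three-tier application, its SPIFFE-style identities and its addresses are constructed for illustration.

```python
"""Toy policy evaluator contrasting an implicit-allow network model with
identity-based (default-deny) segmentation. Constructed example: workload
names, identities and addresses are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    identity: str   # identity asserted by the workload (e.g. from its certificate), not its address
    ip: str


@dataclass(frozen=True)
class Rule:
    src_identity: str
    dst_identity: str
    port: int


# Constructed three-tier application: web -> app -> db is the intended flow.
WEB = Workload("web-1", "spiffe://example.internal/web", "10.0.1.10")
APP = Workload("app-1", "spiffe://example.internal/app", "10.0.2.10")
DB = Workload("db-1", "spiffe://example.internal/db", "10.0.3.10")

# Explicit allow-list keyed on identity; anything not listed is denied.
RULES = [
    Rule(WEB.identity, APP.identity, 8443),
    Rule(APP.identity, DB.identity, 5432),
]


def implicit_allow(src: Workload, dst: Workload, port: int, blocked: set) -> bool:
    """Perimeter model: anything inside the network may talk unless explicitly blocked by address."""
    return (src.ip, dst.ip, port) not in blocked


def default_deny(src: Workload, dst: Workload, port: int, rules: list) -> tuple:
    """Identity-based segmentation: allow only when a rule names both identities and the port."""
    for r in rules:
        if (r.src_identity, r.dst_identity, r.port) == (src.identity, dst.identity, port):
            return True, f"allow: rule {r.src_identity} -> {r.dst_identity}:{port}"
    return False, f"deny: no rule for {src.identity} -> {dst.identity}:{port}"


def lateral_movement_demo() -> dict:
    """Compare both models when a compromised web tier tries to reach the database directly."""
    return {
        "implicit_allow": implicit_allow(WEB, DB, 5432, blocked=set()),
        "default_deny": default_deny(WEB, DB, 5432, RULES)[0],
        "intended_path": default_deny(APP, DB, 5432, RULES)[0],
    }


if __name__ == "__main__":
    result = lateral_movement_demo()
    print("compromised web -> db:5432 under implicit allow:", result["implicit_allow"])
    print("compromised web -> db:5432 under default deny:  ", result["default_deny"])
    print("legitimate app -> db:5432 under default deny:   ", result["intended_path"])
```

The decision string returned by `default_deny` is the kind of per-connection record a segmentation product would log, which is where the improved monitoring the article mentions comes from.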
Once you’ve implemented ZTNA and identity-based segmentation, move on to other initiatives to extend a zero-trust approach throughout your technology infrastructure. Think about removing remote admin rights from end-user systems; piloting a remote browser isolation solution; encrypting all data at rest in the public cloud; or scanning the containers that your developers are creating for new apps.
Neil MacDonald is a VP analyst at Gartner. He is a member of Gartner's information security, privacy and risk research team, focusing on securing next-generation virtualised and cloud-based computing environments.