Improving network security with micro-segmentation and zero trust

To improve security and reduce the risks of business disruption, many IT teams have been using a strategy of network micro-segmentation. This is a method whereby components within an IT infrastructure can only communicate if their identities can be confirmed.

Micro-segmentation originated as a way to moderate traffic between servers operating in the same network segment. It has since evolved to include intra-segment traffic, as long as the identity of the requesting resource matches the permission configured for that resource.

Policies and permissions required for micro-segmentation can be based on resource identity, making it independent from the underlying infrastructure. This makes it different from network segmentation which relies on network IP addresses.

Therefore, micro-segmentation is an ideal method for creating intelligent groupings of workloads based on the characteristics of the individual workloads communicating inside a data centre.

The role of zero trust

A successful rollout of micro-segmentation should be undertaken in conjunction with a zero-trust strategy. This strategy has become a well-known methodology for protecting an organisation’s data, applications, networks, users and devices.

While there are different schools of thought around where to start with zero trust, most industry experts agree that the foundation should rely on accurate and up-to-date asset inventory and mapping and a clear understanding of data flows.

Visibility and mapping should leverage continuous automation so that changes to the environment are captured immediately. Once the IT team understands what’s communicating on the network, how assets are communicating and the dependencies between them, it’s time to look at systems, infrastructure and environment.

VIEW ALL

Zero trust is based on least-privileged access and the principle that no user or application should be inherently trusted. It begins with the assumption that everything is hostile, and only establishes trust based on authentication and context.

A holistic zero trust security model also begins with validating user identity combined with business-policy enforcement based on contextual data from user, device, app and content to deliver authorised direct access to applications and resources. It is guided by three key tenets: connect users and applications to resources to prevent lateral movement of threats; make applications invisible to reduce the attack surface; and use a proxy-based architecture, not a pass-through firewall, for content inspection and security.

Finally, zero trust also requires that policies are adaptive but also reliable in dynamic environments. The requirement is to control communications between what’s allowed on the network, but there’s a need to use something more robust than addresses, ports and protocols. Address-based information changes in clouds and containers constantly resulting in more work when mapping communications and enforcing policies.

Improved security in a dynamic network

To achieve the best possible levels of IT security, organisations need to seek out methods that are not environment dependent. For example, abstracting the control plane away from the network reduces complexity, saves time and results in stronger, scalable security appropriate for today’s cloud- and container-based networking needs.

Zero trust means bringing protection closer to the entities that need to be protected, such as data, servers, workloads. Taking an identity-based approach to ensure only verified, legitimate interactions that are expected are allowed to communicate provides greater control over the environment, whether that’s in the public cloud, in a container, or on premises.

Creating segmentation policies

Once a zero-trust architecture is in place, it’s time for the IT team to create segmentation policies. Building a segmentation plan on zero trust ensures that the insecurity of flat networks can be eliminated. It also means the number of potential network attack paths malicious actors can exploit will be reduced.

By shifting away from the typical switch-and-router firewall model of segmentation to application-level micro-segmentation, security teams will gain fine-grained control over their organisation’s most sensitive data. This will also be achieved without the complexity of network changes, new deployments or configuration changes.

The bottom line is that zero trust in conjunction with micro-segmentation can provide effective and robust security in constantly changing networks. With the adoption of cloud resources and the creation of hybrid infrastructures showing no sign of slowing, having this capability is more critical than ever before.

Steve Singer is the regional vice-president and ANZ country manager at Zscaler.