
Rightsizing Your Zero Trust Segmentation Plan

In a previous post on right-sized segmentation testing, we discussed why segmentation is necessary to prevent data and application compromise, and how penetration testing of your network environments is affected by the presence (or absence) of segmentation. In this post we’ll explore how zero trust changes the segmentation strategy, and recommend the best way to right-size your implementation of zero trust segmentation without the hassles of traditional network segmentation, which have plagued the industry for years.

Zero trust has become a well-known methodology for protecting organizations’ data, applications, networks, users, and devices. Though there is little industry consensus on where to start with zero trust (the device? The user? The network? Applications?), most experts agree that the foundation of any zero trust project or program relies on accurate and up-to-date asset inventory, mapping, and understanding of data flows. Visibility and mapping should leverage continuous automation so that changes to the environment are captured immediately. Once you gain an understanding of what’s communicating on the network, how assets are communicating, and dependencies between them, it’s time to look at systems, infrastructure, and the environment around them. The key question is: what levels of controls are currently in use to enforce the protection of data and/or limit data loss?

Zero trust means that controls are configured to verify authentication and authorization attempts continuously. The best case is to require verification before any communication request is sent and before every receipt. Verification in a zero trust environment must be based on identity. In Edgewise’s terms, “identity” refers to a collection of cryptographic, immutable attributes of software and services. “Software identity,” then, is akin to user identity but is far harder to exploit: an attacker can easily change a username or password or spoof an IP address and geographic location, whereas altering a whole collection of attributes (a fuzzy hash, executable signatures, PE headers, BIOS UUID, CPU serial numbers, and the like) is more work than most attackers are willing to do, not least because most organizations’ networks lack this level of application-aware control and are more easily exploited in other ways.

In addition, a zero trust network runs on the principle of least privilege. This reduces the number of entities that can access sensitive data and helps hone security’s focus to a more manageable set of attack paths and potentially exploitable software and services.

Lastly, zero trust requires policies that are adaptive yet reliable in dynamic environments. Controlling communications between what’s allowed on the network is the requirement, but it must rest on something stronger than addresses, ports, and protocols. Address-based information changes constantly in clouds and containers, which means more work when mapping communications and enforcing policies. That instability and ephemerality also make an address-based security control plane less dependable: it is forever chasing a moving target.


Strong, scalable security in dynamic networks

For the strongest security, organizations should seek other methods that are not environment-dependent. Abstracting the control plane away from the network reduces complexity and saves time (because policies don’t need to be altered constantly when the network does), and results in stronger, scalable security that is appropriate for today’s cloud- and container-based networking needs.

Said more succinctly, zero trust means bringing protection closer to the entities you’re trying to protect—data, servers, workloads. Taking an identity-based approach to ensure only verified, legitimate interactions that are expected are allowed to communicate provides greater control over your networking environment, whether that’s in the public cloud, in a container, on premises, or any combination of the aforementioned.
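To make the contrast between address-based and identity-based control concrete, here is a small Python model added as an illustration (not Edgewise’s code or product logic) that places a traditional (src_ip, dst_ip, port) allow-list next to one keyed on software identity; the identity attributes, host UUIDs and sample workloads are constructed for the example.

```python
# Added illustration (not Edgewise's code): an address-keyed allow-list beside an
# identity-keyed one, showing that the identity-based control plane survives
# address churn and does not accept a different binary that reuses a trusted IP.
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SoftwareIdentity:
    binary_sha256: str   # hash of the executable actually running
    signer: str          # who signed the executable
    host_uuid: str       # hypothetical hardware/BIOS identifier of the host

@dataclass(frozen=True)
class Workload:
    name: str
    identity: SoftwareIdentity
    ip: str              # ephemeral: changes on every cloud/container redeploy

def identity_of(binary: bytes, signer: str, host_uuid: str) -> SoftwareIdentity:
    return SoftwareIdentity(hashlib.sha256(binary).hexdigest(), signer, host_uuid)

class AddressPolicy:
    """Traditional firewall model: allow-list keyed on (src_ip, dst_ip, port)."""
    def __init__(self, rules): self.rules = set(rules)
    def allows(self, src, dst, port):
        return (src.ip, dst.ip, port) in self.rules

class IdentityPolicy:
    """Zero trust model: default deny; allow-list keyed on software identity."""
    def __init__(self, rules): self.rules = set(rules)
    def allows(self, src, dst, port):
        return (src.identity, dst.identity, port) in self.rules

# Constructed sample workloads (byte strings stand in for real executables).
WEB_ID = identity_of(b"web-app-v1", "Acme Release Key", "HOST-UUID-A")
DB_ID = identity_of(b"postgres", "PostgreSQL", "HOST-UUID-B")
WEB = Workload("web", WEB_ID, "10.0.1.10")
DB = Workload("db", DB_ID, "10.0.2.20")
# Same IP as the web host, but a different, unsigned binary on another host.
IMPOSTOR = Workload("impostor", identity_of(b"unknown-binary", "unsigned", "HOST-UUID-Z"), "10.0.1.10")
# The web app redeployed into a new container: same software, new address.
WEB_MOVED = replace(WEB, ip="10.0.1.57")

ADDR_POLICY = AddressPolicy({(WEB.ip, DB.ip, 5432)})
ID_POLICY = IdentityPolicy({(WEB_ID, DB_ID, 5432)})

def compare(src, dst, port):
    """Return (address_policy_decision, identity_policy_decision)."""
    return ADDR_POLICY.allows(src, dst, port), ID_POLICY.allows(src, dst, port)
```

Only the identity-keyed policy keeps allowing the redeployed web app while rejecting the binary that borrowed its old address, and both deny the web app any port it was never granted (least privilege).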

Building segmentation policies

Once you have your zero trust framework in place, it’s time to build your segmentation policies. As mentioned in the previous post, security and network teams can’t properly design policy if they don’t know what to protect. Zero trust lays the groundwork through its requirements for visibility, data mapping, continuous verification of access controls, least privilege, and adaptability. As zero trust’s purpose is to challenge traditional trust assumptions, building a segmentation plan on zero trust ensures that you will not only eliminate the insecurity of flat networks and reduce the number of network attack paths malicious actors can exploit to access your applications, but you will gain segmentation that is demonstrable for audit and testing purposes. By moving away from the typical switch-and-router firewall model of segmentation/microsegmentation to application-level segmentation, you will gain fine-grained control over your most sensitive data—the data attackers are targeting for exploit—without the complexity of network changes, new deployments, configuration changes, and the like. Since your control plane is now your applications and services, visibility, mapping, and protection remains in place even when network changes occur. From a policy perspective, the work required to build and apply app-centric segmentation policies is drastically reduced. From an enforcement point of view, you can now also close the loop on provable outcomes for the protection of sensitive data; it’s your applications and services, themselves, upon which policy is created, adjusted, tracked, and administered.

In conclusion

At the end of the day, organizations' cybersecurity strategies aim to protect sensitive data and applications from a compromise that could lead to data breach. As explored in the last post, eliminating flat networks through the application of segmentation or microsegmentation is the best way to accomplish this. Fortifying your segmentation plan with a zero trust foundation ensures that only verified assets can communicate on your networks. And implementing application-centric segmentation means that:

  • Security control is as close to the entities you are trying to protect as is possible
  • Protection is not environment-dependent
  • Policies can be applied uniformly across networking environments without any updates or architectural changes.

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.