Strong, scalable security in dynamic networks
For the strongest security, organizations should look for controls whose effect does not depend on the network environment a workload happens to be running in. Abstracting the policy control plane away from the network topology reduces complexity and saves time, because policies do not have to be rewritten every time addresses, subnets or hosting locations change, and it yields stronger, more scalable security suited to today's cloud- and container-based networks.
Said more succinctly, zero trust means bringing protection as close as possible to the entities you are trying to protect: data, servers, workloads. Taking an identity-based approach, in which communication is permitted only between verified workloads whose interaction is expected and legitimate, gives you greater control over your environment, whether that is the public cloud, a container platform, on-premises infrastructure, or any combination of these.
Building segmentation policies
Once your zero trust framework is in place, it is time to build your segmentation policies. As mentioned in the previous post, security and network teams cannot properly design policy if they do not know what they are protecting. Zero trust lays that groundwork through its requirements for visibility, data mapping, continuous verification of access, least privilege, and adaptability. Because the purpose of zero trust is to challenge traditional trust assumptions, building a segmentation plan on a zero trust foundation not only eliminates the insecurity of flat networks and reduces the number of network paths an attacker can use to reach your applications; it also produces segmentation that is demonstrable for audit and testing, because each policy states explicitly which application may talk to which, and over which port.

By moving away from the traditional model, in which segmentation and microsegmentation are expressed as switch, router and firewall rules keyed on addresses, to application-level segmentation, you gain fine-grained control over your most sensitive data, the data attackers are after, without the overhead of network changes, new deployments and reconfiguration. Since policy is now expressed in terms of applications and services rather than addresses, visibility, mapping and protection remain in place even when the network underneath changes. One caveat to keep in mind: an identity is only as strong as the way it is verified, so the enforcement point must check a credential that proves the workload's identity rather than trust a name or label the workload asserts about itself.

From a policy perspective, the work required to build and apply app-centric segmentation policies is drastically reduced. From an enforcement point of view, you can also close the loop on provable outcomes for the protection of sensitive data, because the applications and services themselves are the objects on which policy is created, adjusted, tracked and administered.
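The contrast this section draws between address-based and application-centric policy, as an added example written for this page (it is not code from the original post or from any vendor's product): a default-deny allow-list keyed on attested workload identity, evaluated side by side with the equivalent IP-based rule set while the workload is rescheduled and its old address is reused by something else. All workload names, addresses and rules are constructed for the illustration, and the `attested` flag stands in for a credential check (for example an mTLS certificate) that a real enforcement point would perform.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A running instance as the enforcement point sees it.

    `identity` is the application name policy is written against; in a real
    deployment it would be taken from a credential the enforcer verifies
    (for example an mTLS certificate), never from a label the workload
    asserts about itself. `attested` records whether that check passed.
    """
    identity: str
    address: str           # current IP; changes when the workload is rescheduled
    attested: bool = True


@dataclass(frozen=True)
class Rule:
    src: str   # caller (identity for IdentityPolicy, IP for AddressPolicy)
    dst: str   # callee (identity for IdentityPolicy, IP for AddressPolicy)
    port: int


class IdentityPolicy:
    """Application-centric, default-deny policy keyed on attested identity."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []  # one record per decision, reviewable for audit/testing

    def decide(self, src, dst, port):
        if not (src.attested and dst.attested):
            verdict, matched = "DENY", "unattested peer"
        else:
            matched = next((r for r in self.rules
                            if (r.src, r.dst, r.port) == (src.identity, dst.identity, port)),
                           None)
            verdict = "ALLOW" if matched else "DENY"
        self.audit.append((src.identity, src.address, dst.identity, dst.address,
                           port, verdict, matched))
        return verdict


class AddressPolicy:
    """The traditional form of the same intent, keyed on IP addresses."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, src, dst, port):
        for r in self.rules:
            if (r.src, r.dst, r.port) == (src.address, dst.address, port):
                return "ALLOW"
        return "DENY"


def run_scenario():
    """Evaluates the same intended flow (web-frontend -> payments-api:8443)
    under both policy forms as the network underneath it changes.
    All identities and addresses are constructed for this example."""
    web = Workload("web-frontend", "10.0.1.10")
    pay = Workload("payments-api", "10.0.2.20")

    by_identity = IdentityPolicy([Rule("web-frontend", "payments-api", 8443)])
    by_address = AddressPolicy([Rule("10.0.1.10", "10.0.2.20", 8443)])

    results = {}
    # 1. Steady state: both policy forms allow the intended flow.
    results["initial"] = (by_identity.decide(web, pay, 8443),
                          by_address.decide(web, pay, 8443))

    # 2. The frontend is rescheduled and gets a new address. The identity rule
    #    still matches; the address rule would have to be edited.
    web_moved = Workload("web-frontend", "10.0.1.57")
    results["after_move"] = (by_identity.decide(web_moved, pay, 8443),
                             by_address.decide(web_moved, pay, 8443))

    # 3. An unrelated workload inherits the old address. The stale address
    #    rule now grants it access; the identity rule does not.
    stranger = Workload("batch-job", "10.0.1.10")
    results["ip_reused"] = (by_identity.decide(stranger, pay, 8443),
                            by_address.decide(stranger, pay, 8443))

    # 4. Right name, no verified credential: identity policy refuses it.
    impostor = Workload("web-frontend", "10.0.9.9", attested=False)
    results["unattested"] = by_identity.decide(impostor, pay, 8443)

    # 5. Right identities, unexpected port: least privilege denies it.
    results["wrong_port"] = by_identity.decide(web_moved, pay, 22)

    return results, by_identity.audit


if __name__ == "__main__":
    results, audit = run_scenario()
    for step, verdict in results.items():
        print(f"{step:>12}: {verdict}")
    print(f"{len(audit)} decisions recorded for audit")
```

Step 2 is the "policies need not change when the network does" point, and step 3 is the security cost of getting it wrong: an address-keyed rule outlives the workload it was written for, so whatever next receives that address inherits its access. The audit list is what makes the identity policy demonstrable: each record names the two identities, the addresses they had at the time, and the rule (or reason) behind the verdict.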
At the end of the day, an organization's cybersecurity strategy aims to protect sensitive data and applications from a compromise that could lead to a data breach. As explored in the last post, eliminating flat networks through segmentation or microsegmentation is the best way to accomplish this. Fortifying your segmentation plan with a zero trust foundation ensures that only verified assets can communicate on your networks. And implementing application-centric segmentation means that:
- Security control sits as close as possible to the entities you are trying to protect
- Protection is not environment-dependent
- Policies can be applied uniformly across networking environments and do not need to be rewritten when addresses, subnets or hosting environments change; they change only when the applications and their expected interactions change.