As workloads, applications, and data move to the cloud and business operations expand to include branch offices, remote data centers, and work-from-home staff, how do you define your network security perimeter? With zero trust networks, you don’t have to.
Zero trust security doesn’t follow the old “castle and moat” strategy of assuming everything on an internal network is safe and creating one large security perimeter (or moat) to protect it. Instead, zero trust security follows the principle of “never trust, always verify.” Any user, device, or application that requests access to a sensitive network resource needs to verify its identity and prove its trustworthiness, whether they’re 3,000 miles away or in a cubicle down the hall.
To implement zero trust security, shrink your focus from one large network perimeter to the individual systems and services that need protection. And to do that, you need network micro-segmentation. Let’s discuss micro-segmentation for zero trust networks, how it works, and its importance.
What is micro-segmentation for zero trust networks?
Traditional network security perimeters need to encompass the entire enterprise and edge network to protect all data, accounts, devices, and applications. Not only do you need to extend the perimeter to include cloud and remote resources, but you also need security controls at that perimeter to account for every single vulnerability. You may end up with a bloated, expensive patchwork of appliances and services that are a hassle to manage across platforms. Even worse, the difficulty of managing such a large perimeter could leave gaps in security coverage.
Instead, a zero trust network breaks that single perimeter down into a series of smaller micro-perimeters around the resources that actually need protection. You use micro-segmentation to logically separate network data, applications, assets, and services so that you can then implement the specific security policies and controls needed to secure each segment. Because you can address the specific vulnerabilities, access needs, and interdependencies of each micro-segment, you get maximum protection without impacting productivity.
The importance of micro-segmentation for zero trust networks
You can’t implement a zero trust network without micro-segmentation for the following reasons:
1. Granular access policies.
When micro-segmenting a network, you can create exact policies dictating who and what can access each segment. This means you can apply least-privilege access, granting users and devices access to only the bare minimum of network resources they need to accomplish their tasks. Using the principle of least privilege helps you contain lateral movement within a network in the event of a breach.
For example, during a recent attack on Microsoft Exchange servers, hackers gained access to compromised email accounts. If one of those compromised accounts had unrestricted network access, it could have been used to cripple an enterprise network. However, if that compromised account only had the least-privileged access, the hacker would be limited to the specific applications and files that particular user had rights to access, and couldn’t jump to more critical systems and servers.
2. Targeted security controls.
A micro-perimeter of security controls protects each zero trust network micro-segment. This means you can develop each micro-perimeter to specifically target the security risks and vulnerabilities of the resources in that micro-segment. Protecting a file server in a local office requires different tools and policies than you would use to protect an enterprise application hosted in a public cloud.
For on-premises systems, you’re responsible for physical security (biometric locks on doors, CCTV cameras in the data center, and so on) as well as network and endpoint security. In a public cloud, you share some of that responsibility with your provider, but you still have to secure API connections, extend identity management to your edge, and address other cloud-specific concerns. Zero trust micro-segmentation ensures you can always apply the proper security controls for the job.
3. Establishing identities and trust.
To follow the principle of “never trust, always verify,” you need to establish the identity and trustworthiness of an account or device before it can access any network or cloud resources. This is much easier to do if a network is micro-segmented because you can incorporate zero trust identity and access management (IAM) into the micro-perimeters. You get greater visibility and control over how trust is established for individual applications and data, which means you can ensure your security policies are applied correctly.
For example, just because an entry-level employee has access rights to a cloud-based accounting app doesn’t mean they should have the same access to the on-premises financial database. However, an SQL service account might require the same level of access to both. When you micro-segment your network and implement IAM controls at each micro-perimeter, you can ensure that your granular security policies prevent unnecessary and unauthorized access while allowing critical services and accounts to reach the resources they need.
In short, micro-segmentation is the foundation upon which to build a zero trust network. Dividing an enterprise and edge network into micro-segments allows you to implement specific security policies and controls, verify identities, and establish trust for the individual resources you’re trying to protect.
How to implement micro-segmentation
Now that you understand why micro-segmentation is essential, you’re ready to apply it to your enterprise zero trust network. Depending on your security requirements, business goals, and existing infrastructure, you can use various strategies and tools to micro-segment a network. Here are a few best practices to keep in mind:
- Start by mapping existing network traffic flows and interdependencies. You don’t want to accidentally create a micro-perimeter that isolates an enterprise application from a critical data source, for example.
- Identify every “protect surface” or network resource that needs to be defended and then use your traffic flow and interdependency map to inform how you micro-segment the network around each protect surface.
- Consider using a vendor-neutral zero trust framework that integrates your IAM solution, next-generation firewall, and other zero trust network technologies to simplify network management.
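As an added illustration (not Nodegrid or ZPE code) of both the least-privilege point in section 1 and the three steps above, the following Python sketch derives a per-protect-surface allow list from a constructed traffic-flow map, evaluates requests with default deny, shows the blast radius of a compromised identity, and flags any observed dependency that a tightened policy would cut. All workload names and ports are hypothetical.

```python
"""Added example: derive micro-perimeter allow rules from a mapped flow
set, evaluate requests with default deny, and check that a proposed policy
does not cut an observed dependency. Constructed data, not Nodegrid code."""

# Step 1 output: observed (source, destination, port) flows. Hypothetical names.
OBSERVED_FLOWS = [
    ("web-frontend", "accounting-app", 443),
    ("accounting-app", "finance-db", 1433),
    ("sql-svc", "finance-db", 1433),
    ("sql-svc", "accounting-app", 443),
    ("hr-portal", "hr-db", 5432),
]

# Step 2: the protect surfaces, each of which gets its own micro-perimeter.
PROTECT_SURFACES = {"accounting-app", "finance-db", "hr-db"}


def build_policies(flows, protect_surfaces):
    """Allow-list per protect surface, built only from observed flows.
    Anything not in the map stays denied (never trust, always verify)."""
    policies = {surface: set() for surface in protect_surfaces}
    for src, dst, port in flows:
        if dst in protect_surfaces:
            policies[dst].add((src, port))
    return policies


def is_allowed(policies, src, dst, port):
    """Default deny: unknown destinations are unreachable, and a protect
    surface accepts only its explicitly listed (source, port) pairs."""
    return (src, port) in policies.get(dst, set())


def reachable_from(policies, src):
    """Blast radius of one identity: the protect surfaces it can reach.
    A compromised 'web-frontend' should not see 'finance-db' at all."""
    return sorted(dst for dst, allowed in policies.items()
                  if any(s == src for s, _ in allowed))


def broken_flows(policies, flows):
    """Dependency check for a proposed (tightened) policy: every observed
    flow the policy would now deny, i.e. an app cut off from its data."""
    return [f for f in flows if not is_allowed(policies, *f)]
```

Run `broken_flows` against the observed map before rolling out any edited policy; a non-empty result is exactly the isolated-application mistake the first bullet warns about.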
You can’t implement a zero trust security strategy without network micro-segmentation. Micro-segmentation allows you to establish specific security policies and controls. It also makes it easier to verify the identity of the users, devices, applications, and other entities on your enterprise network.
Nodegrid’s open platform simplifies micro-segmentation for zero trust networks
To implement micro-segmentation for zero trust networks, you should look for a zero trust framework that integrates all your security controls and technologies to provide one simplified management interface. For example, ZPE Systems has partnered with providers like Okta and Palo Alto Networks to deliver the Nodegrid Zero Trust Security Framework Foundation.
Nodegrid allows you to consolidate all your zero trust network management into one unified control panel. You can also use the Nodegrid solution to manage your remote and branch infrastructure with out-of-band network management and software-defined wide area network (SD-WAN) technology.