As things stand, there is no single security solution that can detect and counter every threat. But what if you consider an entirely different approach to security, one that prevents threats from exploiting a vulnerability in the first place? We are talking about controlling system access. Threats and vulnerabilities are effectively infinite, but system access is finite, measurable and provable. If you can control system access, you have far more robust control over security. This neatly introduces the concept of Zero Trust: restricting the access that threats have to your systems by implementing a Zero Trust environment.
So how did we get here? Let’s start with firewalls, which first appeared in the late 1980s to protect networks from external threats. Traditional firewalls were only designed to segment the network into a few defined zones: the outside network where nothing is trusted, the inside network where everything is trusted, and perhaps one or more demilitarized zones for systems that need to communicate with the outside world under a different set of rules governing what traffic is allowed. Perimeter firewalls are like the walls of a castle: once an intruder is inside, they can run rampant and cause a great deal of destruction. More than 80 percent of network traffic in a data center is between internal systems, what is called “East-West” traffic. This traffic generally is not inspected by a firewall and poses a significant risk if an attacker gets through or bypasses perimeter security, because nothing stops lateral movement from a compromised system or device to others. In today’s world, where sensitive data and resources are spread across data centers, branches, clouds and mobile devices, perimeter security is not enough. The world no longer lives behind a campus firewall, and the security perimeter of years gone by no longer makes the grade: there is no clearly defined perimeter anymore.
And what has been the driving force behind the adoption of Zero Trust? The business world operates in an increasingly digital landscape. One could argue that this digital adoption has rapidly picked up pace due to Covid: businesses are connecting massive numbers of devices and applications and sharing information across the Internet in an unprecedented fashion. Most research points to many billions of connected devices existing in the next year or so. It’s no secret that much of the information shared by such devices is critical to businesses. And faced with the rising number of digital certificates and keys protecting connections, along with the complexity of managing all of this, there is an associated increase in the risk of security breaches and system blackouts.
The concept of Zero Trust security was first proposed in 2010 by Forrester Research and is an architecture whereby no system or user is trusted (whether inside or outside the corporate network) without being positively identified and authorized. To achieve true Zero Trust for traffic between all corporate systems, traditional firewalls are not feasible, as they are only designed to deal with a limited number of security zones or segments. The concept of “micro-segmentation” is necessary, and it can ultimately deliver visibility and control of network activity from, and to, every device. Micro-segmentation involves creating controlled segments of isolated workloads within a data center or cloud deployment, which makes the network more granular. And by making network security more granular, you make it far more effective. Micro-segmentation also offers a large cost benefit, insofar as it enables security teams to deploy custom security policies inside a data center using network virtualization technology rather than having to install multiple physical firewalls. That said, network virtualization is not necessary in every case.
There are different approaches to achieving micro-segmentation with some being more effective than others depending on the environment:
Network based - Network-based micro-segmentation is implemented using network devices as enforcement points. It relies on subnets, VLANs, or some other tagging technology to create segments. Essentially it relies on controlling network devices such as switches and firewalls to carve the network up into many segments. From there, policies are configured and enforced using IP constructs or ACLs. It is less granular than the other options but can be complementary when protecting devices which cannot be virtualized or have an agent installed, such as IoT devices, medical devices or industrial control equipment.
Hypervisor based - achieves similar results but only for virtualized on-premises workloads. Under these conditions, all the workload traffic has to go through the hypervisor, so network isolation and micro-segmentation can be done in the hypervisor itself. This approach leverages the functionality of the hypervisor’s virtual network components to provide visibility and micro-segment the workloads. It does not require an agent to be installed on each Virtual Machine (VM), and the functionality available typically depends on the hypervisor in use.
Agent based - as the name suggests, uses an agent on each host or virtual machine to give very fine-grained visibility and control. In effect, every host on the network or in the cloud can sit inside its own protected bubble, with its own firewall rules appropriate to its role within the infrastructure. This approach is generally the easiest to deploy and manage and is hardware independent, being fully software-defined.
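As an added illustration (not code from the article), a small Python model of the agent-based approach described above: each host's agent enforces a default-deny inbound rule set derived from the host's role, and the same policy can be queried to see how far a compromised host could still move over East-West traffic. Host names, roles and ports are constructed for the example.

```python
# Constructed inventory: host -> role (assumption: the agent learns its host's
# role from a CMDB or orchestrator; any host not listed is unknown).
HOSTS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app",
    "db-01": "db",
    "mgmt-01": "bastion",
}

# Role-to-role allow list: (source role, destination role, protocol, port).
# Anything not listed is denied, so every host's "bubble" is default-deny,
# and being "inside" the network grants nothing by itself.
ALLOW = {
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("bastion", "web", "tcp", 22),
    ("bastion", "app", "tcp", 22),
    ("bastion", "db", "tcp", 22),
}

def host_rules(host):
    """Inbound rules the agent on `host` enforces: (source role, proto, port)."""
    role = HOSTS[host]
    return sorted((src, proto, port) for (src, dst, proto, port) in ALLOW if dst == role)

def is_allowed(src_host, dst_host, proto, port):
    """Decision the destination host's agent makes for one East-West flow."""
    src_role, dst_role = HOSTS.get(src_host), HOSTS.get(dst_host)
    if src_role is None or dst_role is None:
        return False  # unknown peer: deny, there is no implicit inside trust
    return (src_role, dst_role, proto, port) in ALLOW

def lateral_reach(src_host):
    """Every (host, proto, port) a compromise of src_host could still reach."""
    reach = set()
    for dst in HOSTS:
        for (_, _, proto, port) in ALLOW:
            if is_allowed(src_host, dst, proto, port):
                reach.add((dst, proto, port))
    return sorted(reach)

if __name__ == "__main__":
    for host in HOSTS:
        print(host, "inbound:", host_rules(host))
    # A compromised web server is confined to the app tier on its service port.
    print("web-01 can reach:", lateral_reach("web-01"))
```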
Whilst micro-segmentation is the foundation for achieving Zero Trust, it also involves other technologies, namely strong identity management and authentication, and a change in processes within the organization. But ultimately, Zero Trust is the way forward for security in this modern multi-cloud, multi-device and highly dynamic IT infrastructure.
Francis O'Haire, Group Technology Director, Data Solutions