The traditional network security model made it difficult to access the network from the outside, but everyone on the inside of the network was generally considered a trusted user by default. That means a hacker, once inside the network, would essentially have unfettered access to network systems, data and other assets.
Today, most organizations have data in multiple cloud environments as well as their on-premises data center. The network perimeter has all but disappeared as users access IT resources from virtually anywhere on any device. Recognizing that the traditional security model could no longer protect the extended enterprise, Forrester Research introduced the zero-trust model in 2010. Zero trust means exactly what the name implies – trust no one. Assume everyone and everything is a threat. Deny by default.
The zero-trust model states that the identity of every user and device attempting to access network resources must be verified, whether inside or outside the network perimeter. Use multifactor authentication to prevent network access with stolen passwords. Strictly enforce access controls. Learn who users are, what devices and applications they use, and how they connect to the network so that unusual behavior can be detected.
Assume all traffic is malicious. Maintain visibility at the application and user levels. Continuously monitor, inspect, log and analyze all internal and external traffic to create context that informs decisions about whether to allow or block traffic.
Zero trust also requires adoption of a least privilege access approach. The principle of least privilege means users should be authorized to access only those resources and perform only those functions required to do their jobs. Access to applications, systems, data and processes should be based on least privilege to minimize exposure of sensitive areas of the network.
A common problem is that too many users are granted excess privileges for the sake of convenience, which creates enormous risk for the organization if credentials are compromised. In a zero-trust environment, only a handful of administrators have domain-level privileges and those credentials are strictly controlled and secured. Zero trust also requires organizations to be vigilant about keeping roles, permissions and related policies current.
A core component of zero trust and least privilege is micro-segmentation. Micro-segmentation allows you to create multiple security zones, establish granular security and access control policies, and isolate specific workloads. This reduces the attack surface and helps prevent hackers or malicious insiders from moving laterally across the network to access sensitive systems and data.
Given the dynamic nature of the network, a software-defined approach to segmentation is critical. Software-defined segmentation allows you to update and enforce policies without manual hardware reconfiguration: segments are created dynamically, managed centrally and applied automatically across the network. Users are assigned to policy groups so they can be more easily identified and granted the appropriate permissions. Software-defined segmentation also simplifies compliance by using granular policies to control access to regulated systems and data.
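The segmentation model described above (workloads in segments, identities in policy groups, deny by default) as an added illustration in Python; this is example code written for this page, not any vendor's product. The segment names, groups and rules are constructed sample data, and the `reachable` helper is an assumed least-privilege review that lists what a user's groups could ever reach.

```python
from dataclasses import dataclass

# Constructed sample inventory: each workload belongs to exactly one segment.
SEGMENTS = {
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "restricted-db",
    "hr-db": "restricted-hr",
}

# Constructed: identities are placed in policy groups; rules target groups, not people.
GROUPS = {"alice": {"web-devs"}, "bob": {"dba"}, "carol": {"domain-admins"}}

@dataclass(frozen=True)
class Rule:
    group: str
    src_segment: str  # "*" matches any segment
    dst_segment: str
    port: int

# Constructed allow-list. Anything not listed here is denied (deny by default).
RULES = [
    Rule("web-devs", "*", "dmz", 443),
    Rule("web-devs", "dmz", "app", 8080),
    Rule("dba", "app", "restricted-db", 5432),
    Rule("domain-admins", "*", "*", 22),  # a handful of admins, tightly controlled
]

def is_allowed(user, src_workload, dst_workload, port):
    """Return (decision, reason). Unknown identities or workloads are denied."""
    groups = GROUPS.get(user, set())
    src, dst = SEGMENTS.get(src_workload), SEGMENTS.get(dst_workload)
    if src is None or dst is None:
        return False, "unknown workload"
    for r in RULES:
        if (r.group in groups and r.src_segment in ("*", src)
                and r.dst_segment in ("*", dst) and r.port == port):
            return True, f"matched {r}"
    return False, "no matching rule (default deny)"

def reachable(user):
    """Least-privilege review: every (segment, port) the user's groups can reach."""
    all_segs = set(SEGMENTS.values())
    out = set()
    for r in RULES:
        if r.group in GROUPS.get(user, set()):
            dsts = all_segs if r.dst_segment == "*" else {r.dst_segment}
            out.update((d, r.port) for d in dsts)
    return out
```

Running `reachable` for each account is the kind of check that keeps roles and permissions current: a DBA whose output suddenly includes the HR segment is a policy drift worth investigating.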
There is no single technology that, on its own, is capable of supporting the zero-trust security model. Think of zero trust as an approach to security that combines specific principles and tools in a way that prevents unauthorized network access and detects threats as early as possible. Let us show you how zero trust with software-defined segmentation simplifies security management and minimizes risk.
April 23, 2019