SDP vs. VPN vs. zero-trust networks: What's the difference? How to implement zero-trust security with real-life examples

How to build a zero-trust network in these 4 steps

While network teams are largely responsible for deploying the elements of a zero-trust network, security teams should also be involved in developing the overall zero-trust framework.

Zero-trust frameworks comprise multiple security elements, and one of those elements is the network. It is responsible for creating the physical and logical perimeter that separates the trusted infrastructure from untrusted devices and end users.

Network connectivity includes the LAN, wireless LAN, WAN and all remote access connectivity. The proper procedures, controls and technology must be put in place within each of these network segments to safely manage application and data access.

Let's look at a few ways network and security teams can accomplish zero trust within an enterprise network.

1. Identify users and devices

The first step in building a zero-trust network is to identify who is attempting to connect to the network. Most organizations use one or more types of identity and access management tools to accomplish this goal. Users or autonomous devices must prove who or what they are, using authentication methods such as a password or multifactor authentication. For end users, it's important that this process be simple, seamless and uniform, no matter where, when and how they are connecting.

2. Set up access controls and microsegmentation

Once a zero-trust framework successfully identifies a user or device, it must have controls in place to grant application, file and service access to only what is absolutely required. Depending on the technology used, access control can be completely based on user identity, or it can incorporate some form of network segmentation in addition to user and device identification. This is known as microsegmentation, which is used to create highly granular and secure subsets within a network where the user or device can connect and access only the resources and services it needs.

Microsegmentation is great from a security perspective because it significantly reduces negative effects on an infrastructure if a compromise occurs. Next-generation firewalls are the most common technology used to create and control microsegmentations within a corporate network. These firewalls offer network visibility all the way to the application layer of the OSI model, or Layer 7. Thus, teams can build and manage logical access policy around each application that runs over the network.

build a zero-trust network
Learn the steps you should take to build a zero-trust network and which tools you can use to accomplish them.

3. Deploy continuous network monitoring

Proper monitoring of device behavior is another aspect of a zero-trust network. Once access is granted, teams should deploy tools that continuously monitor a device's behavior on the network. Knowing who or what the user or device is talking to and at what frequency can help determine whether things are operating normally -- or if some sort of malicious behavior is occurring. Modern tools, such as network detection and response or AI for IT operations platforms, can assist with network monitoring using AI, machine learning and data analysis.

4. Consider remote access

Remote access is an increasingly important part of any corporate network infrastructure. Legacy remote access VPN connectivity has proven cumbersome and inefficient in an era of hybrid cloud computing. Additionally, VPN access controls enabled far too much network access than what enterprises needed, turning remote access into a major security risk over the years.

To remedy this problem, suppliers have released new remote access methods and services to bring remote connectivity back in line with a zero-trust methodology. The benefits of these remote access methods include the following:

  • improved authentication;
  • the ability to microsegment all remote access users;
  • increased visibility, monitoring and logging; and
  • the ability to centrally control all access, both on premises and in the cloud.
Security teams should develop and maintain the overall zero-trust architecture. That said, network teams should deploy and manage certain parts of the framework.

While enterprises still require remote access VPNs for secure connectivity, VPNs are drastically changing to meet the changing needs of an organization.

Who should manage a zero-trust network?

When enterprise IT organizations begin looking at how to build zero trust within their infrastructure, the first question they often ask is: Who should manage the zero-trust network components? This isn't an easy question to answer because much of the answer has to do with how the IT department is structured -- and who is more capable of handling certain tasks.

Security teams should develop and maintain the overall zero-trust architecture. That said, network teams should deploy and manage certain parts of the framework, such as network tools and services. The reason for this is the network team likely has more experience configuring and managing the network tools that make up the zero-trust network, including network switches, routers, firewalls, remote access VPN and network monitoring tools. While these roles and tasks may fall into the hands of the network team, it's important that the security team perform regular audits to ensure the network properly adheres to all processes that make up the entire zero-trust framework.

Next Steps

Security Think Tank: Facing the challenge of zero trust

This was last published in May 2020

Dig Deeper on Network security