How zero trust unifies network virtualization

Most organizations run their enterprise data network as though it comprises three separate and largely independent networks.

The campus network includes the LANs to which most end-user and IoT devices are attached. The WAN connects campus networks to each other, to data centers and to clouds. And the data center network connects server applications to data on networked storage, to users, and to other applications and services located elsewhere.

Each of these network segments uses network virtualization to ease traffic management and security. Those virtualization efforts are also conceived and managed separately.

As demands rise for more seamless automation, nimble network services and tighter security, the time has come for network teams to move past this legacy mindset of siloed networks. Zero trust is unifying overall enterprise cybersecurity; it can unify virtual networking as well.

Virtual networks are the key to zero trust

In an ideal world, every network in a zero-trust environment is dedicated to just the endpoints that must communicate and the ports and protocols they need to do so. It is secured cryptographically and uses identity-based session control. And it exists only for as long as the current conversation.

This model isn't practical, or even possible, with traditional physical networking. Virtual networks are the only way to achieve this kind of secure connectivity, as they can be spun up when needed, torn down when they're no longer needed and overlaid on shared infrastructure without compromising traffic segmentation.

Virtual networks can also be encrypted end to end and act as point-to-point dedicated VPNs for a given conversation. Endpoints can conduct simultaneous conversations on separate, ephemeral VPNs, with conversations invisible to any entity that isn't party to them.

A whole network -- not a network full of holes

In a zero-trust environment, access policies focus on which entities need to talk to which other entities. That simple fact argues for the unification of all virtualization environments at the policy level. After all, if user A on machine M is allowed to reach a service in the company data centers, then policy has to allow it at the campus level, across the WAN and into the data center. The security environment requires the same policy to be known in all segments and requires all segments to enforce policy.

This big-picture security view requires cross-domain thinking. It also creates cross-domain opportunities beyond security. In a unified virtualization environment, IT teams could implement end-to-end visibility of network communications generally and apply end-to-end optimizations as well. For example, teams could prioritize traffic as it bounces around a data center, crosses a WAN and navigates the LAN from which an end user is working. That prioritization could be based on any aspect of the session -- who the user is, what the program is, what its protocols demand, where the endpoint is and what time it is.

IT could also provide programmatic access to the network from end to end, via a network controller. This access would make it possible for development teams to tweak the settings on the channels their applications' traffic would traverse -- within a governing set of rules for safety, of course.

Challenges of unified network virtualization

What needs to talk to what?

As with every zero-trust effort and microsegmentation initiative, one of the biggest challenges in a comprehensive network virtualization implementation is figuring out which entities need to talk to which other entities.

Most organizations know only part of the picture and resort to monitoring ongoing communications over time to fill in their knowledge gaps. Some designs enable IT to set up policies that do extra monitoring and alerting on unexpected traffic before clamping down and blocking it, for example. Or IT can deploy specialized application mapping tools.

Zero trust, while shaking up and unifying overall enterprise cybersecurity around a consistent approach to security, can provide the impetus for unifying virtual networking as well.

Aging infrastructure

Another significant challenge is dealing with aging infrastructure. It is not unusual for an organization to keep seven- to 10-year-old equipment online, and it may not all be able to participate in the chosen zero-trust architecture. An intermediary can sometimes supplement such systems, but the time and trouble of implementing one are probably greater than the cost of updating the hardware.

IT will need to revamp internal processes that touch everything from network deployments to change management reviews. The changes shouldn't be enormous, but it's crucial that teams ensure none of the processes presume the three network domains are siloed off from each other.

Teams working together

Another challenge is getting all the different network teams to work together on the architecture, product selection, engineering and implementation. Making such a radical, transformative change to the status quo is difficult, as it touches everything from job descriptions and annual goals to workloads and skill sets.

Success requires persuasion, education, clear vision, incentives, consistency and firmness of purpose at the leadership level. Staff members need time to learn to think about what they do differently, learn new skills and implement the new world, all while keeping the old systems ticking over as usual.

All these challenges are tractable, especially in the context of transformative changes. Zero trust, while shaking up and unifying overall enterprise cybersecurity around a consistent approach to security, can provide the impetus for unifying virtual networking as well.