Microsegmentation security: Your key to zero trust

Zero trust is the path forward to secure corporate IT assets. Learn how to put into place a zero-trust security model with a microsegmentation strategy.

There are many tools and controls available that can help monitor internal workloads and data moving between hybrid cloud environments. But above all, enterprises need to adopt one overarching theme when designing a dynamic security architecture model: zero trust.

To implement a zero-trust model, security and operations teams need to focus on two key concepts. First, security must be integrated into the workloads themselves, so that it moves with the instances and data as they migrate between internal and public cloud environments. Second, the actual behavior of the applications and services running on each system must be far better understood, and the relationships between systems and applications need closer scrutiny than ever to support a highly restricted, zero-trust operations model.

Automating zero trust microsegmentation security

As hybrid cloud architectures become the norm, many organizations are focusing heavily on automation, far beyond what has traditionally been seen in enterprise data centers. To automate the implementation of a granular microsegmentation security strategy, teams need visibility into network traffic and into both workload and application configurations. That visibility is the key to transforming a segmentation strategy into one that adheres to zero-trust principles.

By creating a layer of policy enforcement that travels with workloads wherever they go, organizations have a much stronger chance of protecting data regardless of where an instance runs. In some ways, this shifts security policy and access control back to the individual instances rather than keeping it solely within the network, but hybrid cloud architectures don't easily accommodate traditional network segmentation models. Dynamic assets such as virtual instances (running on virtualization infrastructure) and containers are difficult to position behind "fixed" network enforcement points, so organizations can instead adopt a zero-trust microsegmentation security strategy that only allows traffic to flow between approved systems and connections, regardless of the environment they are in. Virtual systems can employ a hypervisor backplane to which all communications and behaviors are linked, facilitating zero trust in a more scalable way. Physical models accomplish this as well, using specific network switches and connectivity platforms with built-in policy evaluation controls.


What zero-trust microsegmentation security delivers

Zero-trust microsegmentation prevents attackers from using unapproved connections to move laterally from a compromised application or system, regardless of environment. Essentially, zero trust facilitates the creation of "affinity policies," in which systems have defined relationships and approved applications and traffic, and any attempted communication is evaluated against these policies to determine whether it should be permitted. This happens continuously, and effective zero-trust control technology will also include machine learning capabilities to analyze attempted behaviors, adapting dynamically over time to changes in the workloads and application environments.

By potentially eliminating lateral movement, a zero-trust microsegmentation security model also reduces the post-compromise risk when an attacker has illicitly gained access to an asset within a data center or cloud environment. Cloud design and operations teams -- and often DevOps teams -- refer to this as limiting the "blast radius" of an attack, as any damage is contained to the smallest possible surface area, and attackers are prevented from using one compromised asset to access another. This works not only by controlling asset-to-asset communication, but also by evaluating the actual applications running and assessing what these applications are trying to do. For example, if an application workload -- like web services such as Nginx or Apache -- is legitimately permitted to communicate with a database server, the attacker would have to compromise the system and then perfectly emulate the web services in trying to laterally move to the database server -- even issuing traffic directly from the local binaries and services installed.
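The affinity-policy evaluation described above, as an added illustration that is not code from the original article: policies are keyed on workload role labels that travel with the instance (not on IP addresses or environment), and a flow is permitted only when source role, destination role, port and the local process issuing the traffic all match. The workload names, roles, ports and binary paths are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    role: str   # label that travels with the instance, e.g. "web", "db"
    env: str    # "onprem" or "cloud"; the policy deliberately ignores this

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int
    process: str   # binary on the source that is issuing the traffic

@dataclass(frozen=True)
class AffinityPolicy:
    src_role: str
    dst_role: str
    port: int
    process: str   # only this local binary may issue the flow

# Constructed affinity policies: web tier may reach the database tier on 5432
# and the cache tier on 6379, but only from the web server binary itself.
POLICIES = (
    AffinityPolicy("web", "db", 5432, "/usr/sbin/nginx"),
    AffinityPolicy("web", "cache", 6379, "/usr/sbin/nginx"),
)

def evaluate(flow, policies=POLICIES):
    """Default deny: permit a flow only if an affinity policy matches on
    source role, destination role, port and issuing process."""
    for p in policies:
        if (p.src_role, p.dst_role, p.port, p.process) == \
           (flow.src.role, flow.dst.role, flow.port, flow.process):
            return "permit", f"{p.src_role}->{p.dst_role}:{p.port} via {p.process}"
    return "deny", (f"no affinity policy for {flow.src.role}->{flow.dst.role}"
                    f":{flow.port} from {flow.process}")

def denied_flows(flows, policies=POLICIES):
    """Detection view: the denied attempts are the lateral-movement signal
    a SOC would want to alert on and feed back into policy review."""
    return [f for f in flows if evaluate(f, policies)[0] == "deny"]
```

Because the match is on role labels, a web instance migrated from the internal data center to the public cloud keeps exactly the same permissions, while a shell spawned on that instance attempting the same database connection is denied.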

These are just a few of the benefits of a zero-trust segmentation strategy, which can help organizations implement granular access control policies across their internal and cloud data centers.

This was last published in February 2019