Zero-trust security means new thinking plus practical steps
Implementing a security policy that, essentially, trusts no one and nothing doesn't have to be overwhelming if you understand the basics behind the security model.
By now, you've probably heard about zero-trust security, but you may be unsure how to implement it. Part of the problem is the name. Zero trust sounds good, but a policy of never trusting anything at all cannot be put into practice. If no system, user, device, application or process ever trusted another, the enterprise could not function.
A more accurate, if clunkier, name would be highly granular and distributed trust: the idea behind zero trust is fine-grained control over exactly where trust is granted. A session of type X between devices Y and Z may be permitted, but it does not follow that every session of type X, or every session of any type between Y and Z, should be trusted. Each session is authorized on its own terms, and anything not explicitly permitted is denied.
Those two concepts, granularity and distribution, are the linchpins of zero-trust security. Zero trust relies on, and demands, a deep knowledge of systems and data so IT can put meaningful boundaries around systems, processes, applications and users everywhere.
Zero-trust security, therefore, requires IT to radically rethink networks, including the roles -- and even the existence -- of conventional and separate routers, firewalls, distributed denial-of-service defenses, network segmentation products, and all the other familiar network elements. Security functions, which are increasingly virtualized and modularized as virtual appliances and virtualized network functions, can be implemented throughout the infrastructure as needed.
Zero trust also places security automation at the heart of security operations and brings with it all the benefits of automation: reliability, agility and scalability.
Zero-trust practicalities
How should cybersecurity practitioners take all these concepts -- using highly granular and distributed trust, rethinking network design, implementing automation -- and turn them into practical steps?
The first place to start is virtualization. Computing and application virtualization are relatively mature: most organizations have moved to virtualized servers, and many have adopted a microservices- and container-based software development paradigm. So implementing zero trust at the computing and application layer starts with applying granular, distributed security to these virtual machines (VMs), microservices and containers.
Tools from vendors such as Aqua Security, Capsule8, Layered Insight, NeuVector, StackRox, Tenable and Twistlock can provide container security. For service-to-service authorization between microservices, standards such as JSON Web Tokens (JWT) let each request carry signed claims about who the caller is, which service the token is meant for and what it may do. Each receiving service verifies the signature, expiry, audience and scope itself instead of trusting that a request arrived over the right network path.
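As an added example (not code from the original article or from any of the vendors named above), the following Python issues and verifies a short-lived HS256 JWT between two hypothetical services, svc-orders and svc-inventory, using only the standard library. The shared secret, the issuer name auth.example and the scope strings are assumptions for illustration. It shows the checks a receiving microservice must make on every request, and why each one matters: a token with the right signature but the wrong audience, an expired token, a token altered after signing, and an unsigned token whose header claims alg "none" are all rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only. A real deployment keeps a
# per-service key in a secrets manager, or uses an asymmetric algorithm
# (RS256/ES256) so only the issuer can sign and any service can verify.
SECRET = b"example-shared-secret-not-for-production"


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_token(issuer, subject, audience, scopes, key, now=None, ttl=300):
    """Mint a short-lived HS256 JWT binding a caller to one audience and scope set."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, key, issuer, audience, required_scope, now=None):
    """Return the claims if every check passes; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("undecodable header or signature")
    # Pin the algorithm the verifier expects; never take it from the token.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired or missing exp")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("missing scope")
    return claims


def is_rejected(check) -> bool:
    try:
        check()
    except TokenError:
        return True
    return False


def scenarios(now=1_700_000_000):
    """Exercise the verifier against a good token and the usual bad ones."""
    good = issue_token("auth.example", "svc-orders", "svc-inventory",
                       ["inventory:read"], SECRET, now=now)
    h, p, s = good.split(".")

    def verify(tok, **kw):
        args = dict(key=SECRET, issuer="auth.example", audience="svc-inventory",
                    required_scope="inventory:read", now=now + 10)
        args.update(kw)
        return verify_token(tok, **args)

    # Forgeries: the payload swapped for one claiming a write scope (old
    # signature kept), and an unsigned token whose header says alg "none".
    upgraded = {**json.loads(_b64url_decode(p)), "scope": "inventory:write"}
    tampered = h + "." + _b64url(_json(upgraded)) + "." + s
    alg_none = _b64url(_json({"alg": "none", "typ": "JWT"})) + "." + p + "."
    return {
        "valid": verify(good)["sub"],
        "expired": is_rejected(lambda: verify(good, now=now + 301)),
        "wrong_audience": is_rejected(lambda: verify(good, audience="svc-billing")),
        "missing_scope": is_rejected(lambda: verify(good, required_scope="inventory:write")),
        "wrong_key": is_rejected(lambda: verify(good, key=b"other-key")),
        "tampered_payload": is_rejected(lambda: verify(tampered)),
        "alg_none": is_rejected(lambda: verify(alg_none)),
    }


if __name__ == "__main__":
    print(scenarios())
```

In production use a maintained JWT library rather than hand-rolled parsing, but keep the same posture the block shows: the verifier decides which algorithm it accepts, checks the signature before reading any claim, and treats audience, expiry and scope as mandatory rather than optional.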
Networking infrastructure, however, is significantly less mature. Many organizations still construct networks via a portfolio of physical devices -- switches, routers, firewalls, load balancers, gateways, etc.
A critical step when implementing zero-trust security within a network infrastructure is the move to virtualization. Implementing software-defined networking in the data center and SD-WAN in the WAN provides the necessary platform to instantiate network and network security functions as VMs rather than physical devices. A firewall, for instance, might become a firewall VM in a branch-in-a-box SD-WAN device. This, in turn, enables automated and granular control of the functionality.
Getting to zero
Traditional security and networking vendors like Cisco, Check Point, Juniper Networks, Fortinet and Palo Alto Networks, and emerging providers like 128 Technology, offer virtualized products that provide granular control over individual sessions, along with dynamic reconfiguration of permissions. It's worth revisiting both the traditional and emerging players to assess their degree of virtualization.
It's also important to think about centralized policy when choosing a tool. Some vendors are beginning to position themselves as the network policy engine, providing hooks into a range of partner technologies that enforce the centralized policy. Whichever vendor you anoint as the policy engine, it's critical to have a single policy repository from which changes ripple out to every enforcement point in the infrastructure, rather than rules maintained by hand on each device.
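The following Python is an added illustration, not code from the article or from any vendor's policy engine, of the two ideas above: the granular session rule from the opening section (a session of type X between Y and Z is allowed, but not every type-X session or every session between Y and Z) and a central policy repository consulted by several enforcement points. The workload names, session types and the "most specific rule wins, deny wins ties, nothing matches means deny" evaluation order are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One attempted connection, as seen by an enforcement point."""
    kind: str               # session type, e.g. "https", "ssh"
    src: str                # source workload or device
    dst: str                # destination workload or device
    identity: str           # authenticated principal behind the session
    device_compliant: bool  # posture signal from the source device


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    kind: str = "*"         # "*" is a wildcard for any field below
    src: str = "*"
    dst: str = "*"
    identity: str = "*"
    require_compliant: bool = False

    def matches(self, s: Session) -> bool:
        pairs = ((self.kind, s.kind), (self.src, s.src),
                 (self.dst, s.dst), (self.identity, s.identity))
        return all(want == "*" or want == got for want, got in pairs)

    def specificity(self) -> int:
        return sum(v != "*" for v in (self.kind, self.src, self.dst, self.identity))


class PolicyRepo:
    """The single source of truth every enforcement point consults."""

    def __init__(self):
        self._rules = []

    def add(self, rule: Rule) -> None:
        self._rules.append(rule)

    def evaluate(self, s: Session):
        candidates = [r for r in self._rules if r.matches(s)]
        if not candidates:
            return "deny", "no matching rule (default deny)"
        # Most specific rule wins; on a tie, deny beats allow.
        best = max(candidates, key=lambda r: (r.specificity(), r.action == "deny"))
        if best.action == "allow" and best.require_compliant and not s.device_compliant:
            return "deny", "matching allow requires a compliant device"
        return best.action, f"matched {best}"


class EnforcementPoint:
    """A firewall VM, host agent or sidecar: it holds no policy of its own."""

    def __init__(self, name: str, repo: PolicyRepo):
        self.name, self.repo = name, repo

    def admit(self, s: Session) -> bool:
        action, _reason = self.repo.evaluate(s)
        return action == "allow"


def demo():
    repo = PolicyRepo()
    # Only HTTPS from web-01 to api-01, as svc-web, from a compliant device.
    repo.add(Rule("allow", kind="https", src="web-01", dst="api-01",
                  identity="svc-web", require_compliant=True))
    repo.add(Rule("deny", kind="ssh", dst="api-01"))      # explicit, for audit clarity
    firewall = EnforcementPoint("fw-vm-branch", repo)
    host_agent = EnforcementPoint("agent-api-01", repo)

    results = {
        "permitted_session": firewall.admit(Session("https", "web-01", "api-01", "svc-web", True)),
        "same_type_other_src": firewall.admit(Session("https", "web-02", "api-01", "svc-web", True)),
        "other_type_same_pair": firewall.admit(Session("ssh", "web-01", "api-01", "svc-web", True)),
        "noncompliant_device": firewall.admit(Session("https", "web-01", "api-01", "svc-web", False)),
        "wrong_identity": host_agent.admit(Session("https", "web-01", "api-01", "svc-backup", True)),
    }
    # One change in the central repository changes every enforcement point's answer.
    repo.add(Rule("allow", kind="https", src="web-02", dst="api-01", identity="svc-web"))
    new = Session("https", "web-02", "api-01", "svc-web", True)
    results["after_change_firewall"] = firewall.admit(new)
    results["after_change_host_agent"] = host_agent.admit(new)
    return results


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name:28s} {'allow' if admitted else 'deny'}")
```

The enforcement points deliberately hold no rules of their own; that is what makes a policy change ripple out rather than drift per device. In a real deployment the repository would be pushed or pulled to the firewall VMs and agents through the vendor's hooks, but the decision logic, including default deny and the posture check on the source device, is the same.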
The bottom line? Even though zero-trust security isn't what its name implies, it will ultimately change everything. And, when implementing it, network infrastructure is the weakest link, so pay special attention to virtualizing and securing your network infrastructure.