Zero trust is not a new concept. However, the pandemic and the transformation toward a more digital society have highlighted issues that have rarely been studied in business and the public sector before.
Society has more and more connected devices (IoT), for both personal and professional use. This equipment has been designed to provide a single service, and unfortunately, security is not the device’s priority. The lack of in-built security not only makes them vulnerable to attacks but also creates a potential route into the entire organization’s network for attackers.
As companies embark on a digital transformation journey (IoT, BYOD, teleworking, etc.), it is imperative that their network infrastructure is secure. Network segmentation, one of the principles of zero trust, makes it possible to prevent attacks. As soon as a compromise on a device is reported, the potential for an attack can be reduced and lateral movements on the network can be limited, so as not to affect other connected systems.
WHAT IS ZERO TRUST?
In the field of business computing and enterprise, network segmentation currently has two approaches depending on the existing degree of trust. Historically, the boundary of trust is physical and implicit, so the computer network is protected by a firewall. The corporate network (LAN) is secure at the simplest level: What is inside is protected from the outside. However, this approach has had to evolve as the risk of threats has become greater.
In the case of zero trust, trust is dynamic and adaptable and is no longer assumed even within the network. The guiding principle is that the structure acts as if there are already attackers present in the system. The first step is network access control (NAC) - the identification of objects and the authentication of connected users. Based on these factors, a first level of macrosegmentation is set up, with the use of firewalls, to filter traffic between different classes of objects and users. For example, you could isolate surveillance cameras and building management sensors. Then, based on identification, a second level of filtering, this time within a segment, makes it possible to refine and achieve microsegmentation. In this second step, the goal is to prevent the surveillance cameras from communicating with each other within the same network segment.
As an intelligent mix between micro- and macrosegmentation, the zero-trust approach proposes to build a restricted and mobile security perimeter around each user and object. An organization can then manage network access controls, define the different authorizations (access by job role), and secure and contain threats, thanks to a strong segmentation of the network, which constantly searches for inappropriate or suspicious behavior.
The past 18 months have shown us that cyber attacks are on the rise, and the costs to the company can be vast. In addition, hackers are using increasingly sophisticated and malicious attacks. Because zero trust requires the identification and authentication of each device and user before allowing access to the network, it makes it possible to contain, or even avoid, many attacks. This is thanks to network segmentation which greatly restricts the range and spread of an attack.
Currently, the new network functionalities allow the zero-trust strategy to be implemented, which proportionately increases the level of defense against the multiplication and sophistication of cyber attacks.
HOW TO STRUCTURE A MICROSEGMENTED NETWORK IN FIVE STEPS
While it is relatively easy to build a zero-trust network from scratch (new premises, new structure, etc.), most companies already have an existing network in place. The challenge is, therefore, to harmonize approaches and develop the network to meet the needs of the organization, while securing it from attacks.
HERE IS A FIVE-POINT METHODOLOGY:
2- Validate: Control all the connected devices and invalidate those which are not justified for the activity, as they increase the possibility of attack. This is done by applying the principle of least privilege: granting the minimum permissions required to perform a task. If the existing network shows noncompliant equipment, it will be necessary to implement a restoration or remediation plan.
3- Plan: Know all the users' equipment, as well as their workflow and the traffic generated to transform this data into a security policy that intelligently combines macrosegmentation (input/output control) and microsegmentation (fine-grained security rules).
4- Simulate: Apply in parallel identification, authentication and security policy in "fail open" mode: all equipment will be authorized and network behavior logged and indexed in order to set up authorization schemes and an adapted network security policy. This critical step will refine the security policy while ensuring that normal activity is not impacted.
5- Enforce: In this final phase, the "fail open" becomes "fail close": authentication failures are no longer tolerated, all unreferenced users or devices are refused, all illegitimate flows are stopped. Network monitoring is immediate to verify that all devices are identified, users are authenticated to be authorized on the network or could possibly be quarantined while security checks take place.
To conclude, on all networks, the zero-trust approach makes it possible to identify traffic, automatically store objects in an inventory, create scheduled rules for the network, and share user and IoT profiles according to rules. It also makes it possible to determine the central IDS or switches’ DoS attacks and optionally apply quarantine for suspicious flows in a restricted and dynamic perimeter.
For companies and organizations, it is a question of ensuring all IT hardware, in addition to peripherals, is secure and employees are protected.
Zero trust is both an authentication strategy and a consistent security policy across the network infrastructure, implemented in line with the needs of users and connected technologies. The intelligent combination of macrosegmentation and microsegmentation, with the possible quarantine in case of a breach of security rules, ensures the highest degree of security for your network infrastructure. In an increasingly VUCA (volatile, uncertain, complex and ambiguous) world, the zero-trust approach is the most likely to guarantee the security of computer networks and business assets.
