Network Segmentation in a Zero-trust Environment
This is part 2 in our series on Zero-trust Security. For part 1 and a high-level overview of zero trust, check out What is Zero-Trust Security. Based on a survey of security decision-makers earlier this year, Microsoft reported that 96% ranked zero trust as critical to their organization’s success. With zero-trust strategies being adopted at such a rapid pace, it’s important to understand the technologies beyond just authentication that make up a zero-trust environment. Obviously, authentication is foremost because you must first confirm a user’s identity in any security policy. And you have to be able to really trust identity verification when it happens. Technologies such as MFA gain most of the attention around authentication since they dramatically affect the user experience. But beyond authentication, a zero-trust environment will also employ resource and network segmentation.
As an architectural approach, network segmentation isn’t new. Dividing a network into multiple segments or subnets, each acting as its own small network, has been around since the origins of TCP/IP. Traditionally, segmentation has allowed network administrators to control the flow of traffic based on policies. The segmenting allowed for better network monitoring, performance improvements, and isolating technical issues. In a zero-trust environment, network segmentation through gateways and firewalls also improves security. Many businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone. In a zero-trust environment, all network zones become untrusted. And through segmentation, network administrators can create microperimeters around the most important data, applications, assets, and systems. This second line of defense, beyond authentication, removes an attacker’s ability to move laterally through a network.
Networks can be segmented both physically and logically. Physical segmentation breaks a network into smaller subnets separated by firewall gateways, with the subnets physically divided in the network architecture. A very similar result can be accomplished through addressing schemes and virtual local area networks (VLANs). This logical segmentation can be layered on top of an existing network and, as a result, is more flexible in the face of structural changes. Firewalls today, such as those from WatchGuard, can be configured with multiple physical and logical addresses. Once a network is segmented, traffic can be limited through rules based on people, trust level, department, access control lists, and other qualifiers.
Initial data that can often be easily defined for segmentation includes credit card information (PCI), protected health information (PHI), personally identifiable information (PII), customer data, financial records, employee information, proprietary collateral such as blueprints, and patents. Segmentation can then be extended to network equipment such as servers, switches, routers, IoT devices, and point-of-sale (POS) terminals. The segmentation process starts with identifying what data and systems each individual user role needs in order to complete their duties, and then defining policies so users can only access those specific areas of the network. When segments are implemented with next-generation firewalls, policy rules can even include packet payload analysis so that only the right types of traffic are allowed into a segment. In essence, network segmentation in a zero-trust environment will define: who should be accessing a resource; what application is being used to access a resource inside the protect surface; when the resource is being accessed; where the packet destination is; why this packet is trying to access this resource within the protect surface; and how the packet is accessing the protect surface via a specific application. This is how segmentation in a zero-trust environment can be far more secure than relying on authentication alone.
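As an added example (not code from the original post or from WatchGuard), here is a small default-deny policy evaluator in Python that answers the who/what/when/where/why/how questions above for a single flow into a protect surface. The segment subnets, roles, applications, ports and time windows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Protect surfaces (constructed): each segment's subnet ("where") and the
# applications ("how") allowed into it, as application -> port.
SEGMENTS = {
    "pci": {"net": ip_network("10.10.0.0/16"), "apps": {"https": 443}},
    "phi": {"net": ip_network("10.20.0.0/16"), "apps": {"https": 443, "hl7": 2575}},
}

@dataclass(frozen=True)
class Rule:
    role: str      # who may access
    segment: str   # where (protect surface)
    app: str       # what application / how the segment is entered
    purpose: str   # why: business justification recorded with the decision
    start: time    # when: start of the allowed window
    end: time      # when: end of the allowed window

# Allow-list (constructed). Anything not matched below is denied.
POLICY = [
    Rule("billing", "pci", "https", "card processing", time(8, 0), time(18, 0)),
    Rule("clinician", "phi", "hl7", "patient record exchange", time(0, 0), time(23, 59)),
]

@dataclass(frozen=True)
class Flow:
    role: str    # from the authenticated identity, not the source address
    dst_ip: str
    port: int
    at: time

def segment_of(dst_ip: str):
    # Map a destination address to its protect surface, or None if outside all.
    addr = ip_address(dst_ip)
    return next((n for n, s in SEGMENTS.items() if addr in s["net"]), None)

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Default deny: allow only when one rule answers every question."""
    seg = segment_of(flow.dst_ip)
    if seg is None:
        return False, "destination is not in a protect surface"
    for r in POLICY:
        if r.role != flow.role or r.segment != seg:
            continue
        if SEGMENTS[seg]["apps"].get(r.app) != flow.port:
            continue  # right role, wrong application: keep looking
        if not (r.start <= flow.at <= r.end):
            return False, f"outside allowed window for {r.purpose}"
        return True, r.purpose
    return False, "no matching rule (default deny)"
```

Note that the role comes from the authenticated identity rather than the source address, which is what lets segmentation build on authentication instead of replacing it.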
With the right help, you can begin the transition to zero-trust security and ensure your resources are protected. Contact us to get started and we’ll walk you through the process.