by Chris Yates | Senior Security Architect | [email protected]
Adoption of Zero Trust and Micro-Segmentation as core design principles can help improve the security posture of your network and attached systems. However, it is important to understand how we got to our current state in order to understand how these principles can help us.
Let’s do a quick review of current network security architecture. Many organizations have adopted some variation of a zone based model for network security. The most prevalent model is comprised of some combination of four security zones: Untrusted/Internet, DMZ, Trusted/Internal, and Restricted (PCI/etc.). The basic principle is to separate resources into the appropriate zone, and only allow traffic to traverse the zone boundaries through one or multiple security controls, including a firewall. Unfortunately, although there has been fairly wide adoption of the Internet/DMZ/Internal model, the majority of organizations have not implemented internal segmentation despite best practices and many compliance frameworks prescribe it.
The supporting technical infrastructure underlying the security architectural model is often partly to blame for the lack of internal segmentation. The most prevalent network architectural model is hierarchical, which restricts the placement of network security controls to layer 3 subnet boundaries. Combined with the fact that most existing security controls are hardware based, it is no surprise that little progress has been made in this space. Further contributing to this problem is the historical use of the operational model in many organizations that separates the network personnel from the network security personnel.
The resulting lack of adoption of internal segmentation controls and visibility tools provides a means by which the compromise of any given internal resource can be utilized to pivot and attack other internal resources with little limitation of mobility or access. Limited visibility also results from this legacy approach, which allows attackers considerable time before an attack is noticed and action can be taken. Reliance on host based security controls is usually the methodology employed to mitigate some of this risk.
However, there now exist capabilities to virtualize compute, storage, and network resources. Organizations are virtualizing their infrastructures into private, public, and hybrid cloud architectures. Those same organizations are also changing their operational model to support converged infrastructure teams. How can security teams become a part of this effort, helping to virtualize and distribute the security controls as well?
Zero trust provides one component of the architectural framework that can be inserted into the broader guiding principles for technical architecture, and micro-segmentation provides another.
Zero trust is based on three main principles:
- All resources are accessed in a secure manner regardless of location
- Access control is on a “need to know” basis and is strictly enforced
- Inspect and log all traffic – from any source to any destination
(Yes – this is a TALL order!)
As you may recall, segmentation has been a part of the ongoing maturity of network architectures. We moved from shared hubs, to switches, as technology matured and started to utilize network virtualization. We shrunk the collision domain to two participants (the switch and the end node), and provided a huge jump in capabilities and performance. Micro-segmentation for security purposes does much the same thing – it separates the security visibility and control domain into two participants – the end node and the security control. To actually accomplish this, the security controls must be distributed, and must have enough performance to not inhibit the performance of the system as a whole, while still achieving the security objective.
The broad adoption of virtualization and Infrastructure as a Service (IaaS) such as Amazon Web Services, Azure, and vCloud air, among others, is providing a capable platform to integrate Zero Trust and micro-segmentation into technical architectures and design principles. We can now truly have a distributed firewall that can control traffic and provide rich visibility at the host level. Vendors are also evolving their distributed firewall controls to facilitate a cohesive microsegmentation design in private, public, and hybrid cloud architectures.
The challenge now, is no longer designing a network such that contains security controls into the right places. The challenge now is twofold:
- Security teams must insist on a place at the architecture and engineering tables. Security controls must become a part of the converged infrastructure, and security teams need to become a part of the larger converged infrastructure teams.
- Application discovery will now be the focus of implementation effort. Network, systems, storage, and security personnel will have to work together to figure out how to get applications to work with security controls in place. This effort has been avoided in many instances because the problem previously described prohibited firewall use in core of a network architecture, but this is no longer the case.
For organizations able to move past these two challenges, security teams can begin integrating tighter controls into a converging architecture.
- Building Security Into Your Network’s DNA: The Zero Trust Network Architecture, Forrester Research, November 11, 2010
- No More Chewy Centers: Introducing the Zero Trust Model of Information Security, Forrester Research, September 14, 2010
- Micro-segmentation For Dummies, Lawrence Miller, Joshua Soto, 2015