Zero-Trust and Micro-Segmentation

Adoption of Zero-Trust and Micro-Segmentation as core design principles can help improve the security posture of your network and the attached systems. However, it is important to understand how we got to our current state in order to understand how these principles can help us.

Let’s do a quick review of the current network security architecture. Many organizations have adopted some variation of a zone-based model for network security. The most prevalent model is comprised of some combination of four security zones: Untrusted/Internet, DMZ, Trusted/Internal, and Restricted (PCI/etc.). The basic principle is to separate resources into the appropriate zone, and only allow traffic to traverse the zone boundaries through one or multiple security controls, including a firewall. Unfortunately, although there has been fairly wide adoption of the Internet/DMZ/Internal model, the majority of organizations have not implemented internal segmentation despite best practices and many compliance frameworks prescribe it.

The supporting technical infrastructure underlying the security architectural model is often partly to blame for the lack of internal segmentation. The most prevalent network architectural model is hierarchical, which restricts the placement of network security controls to layer 3 subnet boundaries. Combined with the fact that most existing security controls are hardware-based, it is no surprise that little progress has been made in this space.  Further contributing to this problem is the historical use of the operational model in many organizations that separates the network personnel from the network security personnel.

The resulting lack of adoption of internal segmentation controls and visibility tools provides a means by which the compromise of any given internal resource can be utilized to pivot and attack other internal resources with little limitation of mobility or access. Limited visibility also results from this legacy approach, which allows attackers considerable time before an attack is noticed and action can be taken. Reliance on host-based security controls is usually the methodology employed to mitigate some of this risk.

However, there now exist capabilities to virtualize compute, storage, and network resources. Organizations are virtualizing their infrastructures into private, public, and hybrid cloud architectures. Those same organizations are also changing their operational models to support converged infrastructure teams. How can security teams become a part of this effort, helping to virtualize and distribute the security controls as well?

Zero-trust provides one component of the architectural framework that can be inserted into the broader guiding principles for technical architecture, and micro-segmentation provides another.

Zero-trust is based on three main principles:

  1. All resources are accessed in a secure manner regardless of location
  2. Access control is on a “need to know” basis and is strictly enforced
  3. Inspect and log all traffic – from any source to any destination

(Yes – this is a TALL order!)

As you may recall, segmentation has been a part of the ongoing maturity of network architectures. We moved from shared hubs to switches, as technology matured and started to utilize network virtualization. We shrunk the collision domain to two participants (the switch and the end node) and provided a huge jump in capabilities and performance. Micro-segmentation for security purposes does much the same thing – it separates the security visibility and control domain into two participants – the end node and the security control. To actually accomplish this, the security controls must be distributed and must have enough performance to not inhibit the performance of the system as a whole, while still achieving the security objective.

The broad adoption of virtualization and Infrastructure as a Service (IaaS) such as Amazon Web Services, Azure, and vCloud air, among others, is providing a capable platform to integrate Zero Trust and micro-segmentation into technical architectures and design principles. We can now truly have a distributed firewall that can control traffic and provide rich visibility at the host level. Vendors are also evolving their distributed firewall controls to facilitate a cohesive micro-segmentation design in private, public, and hybrid cloud architectures.

The challenge now is no longer designing a network that contains security controls in the right places. The challenge now is twofold:

  1. Security teams must insist on a place at the architecture and engineering tables. Security controls must become a part of the converged infrastructure, and security teams need to become a part of the larger converged infrastructure teams.
  2. Application discovery will now be the focus of implementation effort. Network, systems, storage, and security personnel will have to work together to figure out how to get applications to work with security controls in place. This effort has been avoided in many instances because the problem previously described prohibited firewall use in the core of the network architecture, but this is no longer the case.

For organizations able to move past these two challenges, security teams can begin integrating tighter controls into a converging architecture.


by Chris Yates | Senior Security Architect, CRITICALSTART
May 10, 2017

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Benchmark your cybersecurity against peers with our Free Quick Start Risk Assessments tool!
This is default text for notification bar