The networks of today are, for the most part, still the networks of the past. The foundation they were built on has changed very little in the last decade. They were hardware-centric when designed, and that carried over to the perimeter-based approach used to secure them. Routers were designed to facilitate “any-to-any” communication, while access control lists (ACLs) were put in place to specify access rights. Firewalls were deployed at network boundaries to stop all traffic, unless access was predetermined by a set of security rules.
With the perimeter being redefined every day and companies’ data and critical information being accessed on new endpoints regularly, it is now impossible to truly say for sure what is secure and what isn’t. Attack vectors change constantly, and reactivity doesn’t work when it comes to modern network security. Assuming that everything inside the network can be trusted allows threat actors and those misusing privileged credentials to move inside the network with ease, stealing data or planting malicious code as they go. An organization must proactively prevent threats from gaining access by treating all traffic as potentially dangerous.
That is the core belief behind a zero trust approach to network security - trust no traffic unless it has explicitly proved itself to be safe.
Smaller is Safer
Users want unbridled access to any network at any time. They want to mix personal and business network usage, bring their own devices and use devices in insecure areas. Application owners are opting for SaaS solutions, and they are frequently moving applications from on-premises locations to public clouds.
The larger the network gets, the harder it is to stop an attack from spreading. Traditional techniques to break networks into smaller pieces - and thereby make them easier to secure - include using air gaps, VLANs and perimeter firewalls. However, the mobility of today’s users and servers makes it nearly impossible to fully segment a network using static physical means.
Ideally, one could isolate users and servers into virtual networks that could be used solely for one communication session. This would prevent any infiltration or exploit, as the user would be the only one accessing the service. In order to do this successfully, networks need to understand client-server communications and what traffic is actually traversing it at any given time. If the networking equipment understands sessions, then it can provide a zero trust level of segmentation that protects both the user and the server.
Zero trust networking dynamically builds a virtual network container for each client-server session. Sessions have directionality (from client to server) and are insulated from all other network traffic and events. By using controls to protect critical data, applications and services, security teams can make sure that only known, allowed traffic and applications have access to the assets being protected. Each session becomes a secure vector that tightly controls access to the destination or service.
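To make the session-based model concrete, here is a small simulation added for this article; it is not code from Juniper, 128 Technology or the author. Hostnames, ports and the policy table are constructed for the illustration. The fabric denies every packet by default, admits a new session only when an explicit client-to-server policy exists, and admits reply traffic only when it matches the reverse of an established session, so a server that has been compromised cannot open new connections toward other servers or back toward its clients.

```python
"""
Session-directional zero trust enforcement, simplified.

Rules, in order of evaluation:
  1. packet belongs to an established forward session  -> allow
  2. packet is the reverse of an established session   -> allow (reply traffic)
  3. packet matches an explicit client->server policy   -> allow and open a session
  4. anything else                                      -> deny and log
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Policy:
    """Explicit permission: `client` may open a session to `server` on `dport`."""
    client: str
    server: str
    dport: int


SessionKey = Tuple[str, str, int, int, str]


class ZeroTrustFabric:
    def __init__(self, policies: Iterable[Policy]) -> None:
        self.policies: Set[Policy] = set(policies)
        self.sessions: Set[SessionKey] = set()   # established, keyed client->server
        self.log: List[str] = []

    @staticmethod
    def _forward_key(p: Packet) -> SessionKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> SessionKey:
        # The reply to session (c, s, csport, sdport) arrives as src=s, dst=c,
        # sport=sdport, dport=csport; swap it back into forward form.
        return (p.dst, p.src, p.dport, p.sport, p.proto)

    def admit(self, p: Packet) -> bool:
        if self._forward_key(p) in self.sessions:
            return True                                   # rule 1
        if self._reverse_key(p) in self.sessions:
            return True                                   # rule 2: reply only
        if Policy(p.src, p.dst, p.dport) in self.policies:
            self.sessions.add(self._forward_key(p))       # rule 3: open session
            self.log.append(f"ALLOW new session {p.src}->{p.dst}:{p.dport}")
            return True
        self.log.append(f"DENY {p.src}->{p.dst}:{p.dport} (no policy, no session)")
        return False                                      # rule 4: default deny

    def close(self, p: Packet) -> None:
        """Tear down a session when the client-side flow ends."""
        self.sessions.discard(self._forward_key(p))


def run_demo() -> Dict[str, bool]:
    """Constructed traffic: a laptop talks to a web tier that talks to a database."""
    fabric = ZeroTrustFabric([
        Policy("laptop", "web", 443),   # users may reach the web front end
        Policy("web", "db", 5432),      # the web tier may query the database
    ])
    return {
        "laptop->web:443 (policy)":        fabric.admit(Packet("laptop", "web", 443, 51000)),
        "web->laptop reply":               fabric.admit(Packet("web", "laptop", 51000, 443)),
        "web->db:5432 (policy)":           fabric.admit(Packet("web", "db", 5432, 40000)),
        "db->web:22 (lateral, no policy)": fabric.admit(Packet("db", "web", 22, 40001)),
        "laptop->db:5432 (bypass tier)":   fabric.admit(Packet("laptop", "db", 5432, 51001)),
        "web->laptop:22 (server-initiated)": fabric.admit(Packet("web", "laptop", 22, 443)),
    }


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {label}")
```

The two allowed sessions are the only traffic that passes; the database's attempt to reach the web server, the laptop's attempt to skip the web tier, and the web server's attempt to open a fresh connection back to the laptop are all dropped and recorded in `fabric.log`, which is the visibility the article's later list refers to. A production fabric would add session timeouts, identity-bound policies and encrypted session metadata, but the decision logic is the same.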
While this approach doesn’t protect organizations from every possible attack, it can:
Reduce the risk of advanced threats and breaches by preventing unauthorized lateral movement and access.
Accelerate threat detection and response.
Reduce gaps in visibility.
Support compliance requirements such as HIPAA, PCI DSS, FISMA and others.
There’s a myth out there, stating that zero trust is only possible by starting fresh with new equipment and systems. While some companies are indeed in a place where they could do this, most simply do not have the time, money or manpower to accomplish such a task.
The truth is that a rip-and-replace approach isn’t needed to achieve zero trust. Companies can instead take it step-by-step, getting closer to zero trust with each improvement.
The key to successfully achieving an incremental approach is choosing solutions that can easily support and integrate with what the organization already has, enabling the implementation of new security capabilities to support zero trust and extend security across the entire network at the same time.
So where is the best place to start? The truth is that when it comes to moving away from a perimeter-focused approach to security and embracing zero trust, the best starting point is the one able to be tackled first.
About the Author
Patrick MeLampy serves as a Juniper Fellow at Juniper Networks. Before joining Juniper Networks through acquisition, Patrick was the co-founder, COO and CTO at 128 Technology. Prior to 128 Technology, Patrick was CTO and founder of Acme Packet until it was acquired by Oracle in 2013. After the acquisition, Patrick served as Vice President of Product Development for Oracle Communications Network Session Delivery products. Patrick has an MBA from Boston University and an engineering degree from the University of Pittsburgh. Patrick has been awarded 35 patents in the telecommunications field.