
E-guide

Implementing a Zero-Trust Approach to Network Security

In this e-guide

Zero-Trust Security Means New Thinking Plus Practical Steps
Microsegmentation Security: Your Key to Zero Trust
Key Steps to Put Your Zero-Trust Security Plan Into Action
About SearchSecurity

The growing number of users with legitimate reasons to access network
resources, coupled with the increasing deprecation of the perimeter, means
designating users as being internal or external is becoming meaningless.

Using a zero-trust approach to network security means there is no need to
differentiate between the two types of threat; every potential threat is
treated in the same way.

However, implementing zero trust requires creating detailed policies and
devising certain "hoops" which those wanting access to critical
infrastructure must jump through.

In this e-guide, explore:

• A comprehensive explanation of what zero trust means (Hint: it's more
than a policy of trusting nothing and no one)
• The concrete benefits of a zero-trust security policy
• The practical steps to take when implementing zero trust
• And more

Zero-trust security means new thinking plus practical steps

Johna Johnson, President and Senior Founding Partner at Nemertes Research

By now, you've probably heard about zero-trust security, but you may be
unsure how to implement it. Part of the problem is the name. Zero-trust
sounds good, but putting the concept of never trust anything ever into
practice is literally impossible. If users never trust any system, user,
device, application or process, the enterprise would be unable to function.

A more accurate -- if clunkier -- name would be highly granular and
distributed trust. That is, the concept behind zero trust is actually highly
granular control of distributed trust. A session of type X between devices Y
and Z may be permitted, but not all sessions of type X or all sessions of any
type between devices Y and Z should be trusted.

Those twin concepts -- highly granular and distributed trust -- form the twin
lynchpins of zero-trust security. Zero trust relies on -- and demands -- a
deep knowledge of systems and data so IT can put meaningful boundaries
around systems, processes, applications and users everywhere.

Zero-trust security, therefore, requires IT to radically rethink networks,
including the roles -- and even the existence -- of conventional and separate
routers, firewalls, distributed denial-of-service defenses, network
segmentation products, and all the other familiar network elements. Security
functions, which are increasingly virtualized and modularized as virtual
appliances and virtualized network functions, can be implemented
throughout the infrastructure as needed.

Zero trust also places security automation at the heart of security
operations and brings with it all the benefits of automation: reliability,
agility and scalability.

Zero-trust practicalities

How should cybersecurity practitioners take all these concepts -- using
highly granular and distributed trust, rethinking network design,
implementing automation -- and turn them into practical steps?

The first place to start is virtualization. Computing and application
virtualization are relatively mature. Most organizations have moved toward
virtualized servers, and many have implemented a microservices- and
container-based software development paradigm. So implementing zero
trust at the computing and application layer starts with trying to provide
granular, distributed security to these virtual machines (VMs), microservices
and containers.

Tools from vendors such as Aqua Security, Capsule8, Layered Insight,
NeuVector, StackRox, Tenable and Twistlock can provide container-based
security. Tools like JSON Web Tokens can assist with microservices
security.

Networking infrastructure, however, is significantly less mature. Many
organizations still construct networks via a portfolio of physical devices --
switches, routers, firewalls, load balancers, gateways, etc.

A critical step when implementing zero-trust security within a network
infrastructure is the move to virtualization. Implementing software-defined
networking in the data center and SD-WAN in the WAN provides the
necessary platform to instantiate network and network security functions as
VMs rather than physical devices. A firewall, for instance, might become a
firewall VM in a branch-in-a-box SD-WAN device. This, in turn, enables
automated and granular control of the functionality.

Getting to zero

Traditional security and networking vendors like Cisco, Check Point, Juniper
Networks, Fortinet and Palo Alto Networks and emerging providers like 128
Technology are offering these types of virtualized products that provide
granular control over individual sessions, along with dynamic reconfiguration
of permissions. It's worth revisiting both the traditional and emerging players
to assess their degree of virtualization.

It's also important to think about centralized policy when choosing a tool.
Some vendors are beginning to make a play toward becoming the network
policy engine, providing hooks into a range of partner technologies that can
implement the centralized policy. Regardless of which vendor you wish to
anoint as the policy engine, it's critical to think in terms of having a
centralized policy repository from which you can make changes that ripple
out to the entire infrastructure.

The bottom line? Even though zero-trust security isn't what its name implies,
it will ultimately change everything. And, when implementing it, network
infrastructure is the weakest link, so pay special attention to virtualizing and
securing your network infrastructure.

Microsegmentation security: Your key to zero trust

Dave Shackleford, Principal Consultant at Voodoo Security

There are many tools and controls available that can help monitor internal
workloads and data moving between hybrid cloud environments. But above
all, enterprises need to adopt one overarching theme when designing a
dynamic security architecture model: zero trust.

In order to implement a zero-trust model, security and operations teams will
need to focus on two key concepts. First, security will need to be integrated
into the workloads themselves, and will move with the instances and data as
they migrate between internal and public cloud environments. Second, the
actual behavior of the applications and services running on each system will
need to be much better understood, and the relationships between systems
and applications will need more intense scrutiny than ever to facilitate a
highly restricted, zero-trust operations model.

Automating zero trust microsegmentation security

As hybrid cloud architectures become the new norm, many organizations
are focusing heavily on automation, far beyond what we've traditionally seen
in enterprise data centers. In order to automate the implementation of a
granular microsegmentation security strategy, visibility into the network
traffic and both the workload and application configurations will be needed.
This is really the key to transforming a segmentation strategy into one that
adheres to zero-trust principles.

By creating a layer of policy enforcement that travels with workloads
wherever they go, organizations have a much stronger chance of protecting
data regardless of where the instance runs. In some ways, this does shift
security policy and access control back to the individual instances versus
solely within the network itself, but hybrid cloud architecture designs don't
easily accommodate traditional networking models of segmentation.
Dynamic assets like virtual instances (running on virtualization infrastructure
technology) and containers are difficult to position behind "fixed" network
enforcement points, so organizations can adopt a zero-trust
microsegmentation security strategy that only allows traffic to flow between
approved systems and connections, regardless of the environment they are
in. Virtual systems can employ a hypervisor backplane that all
communications and behaviors are linked to, facilitating zero trust in a more
scalable way. There are also physical models that accomplish this, too, using
specific network switches and connectivity platforms that have policy
evaluation controls built in.

What zero-trust microsegmentation security delivers

Zero-trust microsegmentation prevents attackers from using unapproved
connections to move laterally from a compromised application or system
regardless of environment. Essentially, zero trust facilitates the creation of
"affinity policies," where systems have relationships and approved
applications and traffic, and any attempted communications are evaluated
and compared against these policies to determine whether the actions
should be permitted. This happens continuously, and effective zero-trust
control technology will also include some sort of machine learning
capabilities to perform analytics processing of attempted behaviors,
adapting dynamically over time to changes in the workloads and application
environments.

By potentially eliminating lateral movement, a zero-trust microsegmentation
security model also reduces the post-compromise risk when an attacker has
illicitly gained access to an asset within a data center or cloud environment.
Cloud design and operations teams -- and often DevOps teams -- refer to
this as limiting the "blast radius" of an attack, as any damage is contained to
the smallest possible surface area, and attackers are prevented from using
one compromised asset to access another. This works not only by
controlling asset-to-asset communication, but also by evaluating the actual
applications running and assessing what these applications are trying to do.
For example, if an application workload -- like web services such as Nginx or
Apache -- is legitimately permitted to communicate with a database server,
the attacker would have to compromise the system and then perfectly
emulate the web services in trying to laterally move to the database server --
even issuing traffic directly from the local binaries and services installed.

These are just a few of the benefits of a zero-trust segmentation strategy
that can definitely help organizations to implement granular access control
policies across their internal and cloud data centers.

Key steps to put your zero-trust security plan into action

Dave Shackleford, Principal Consultant at Voodoo Security

A zero-trust microsegmentation model for access control potentially has
many benefits, but implementing this technology strategy requires
significant planning and coordination across teams. The first decision that
an organization will need to make is that of which technology to select in
implementing zero-trust security. There are a number of vendors that offer
microsegmentation tools, and there are many differences between the
various products:

• Network-centric products: Well-known networking companies have
begun to offer microsegmentation policy engines and enforcement
controls within network switches and other connectivity platforms.
The benefit of these products is usually a unified approach across
that vendor's hardware and often other vendors' as well, as long as
the network traffic crosses their switches. Drawbacks include vendor
lock-in and costs, as well as some potential limitations in moving to
cloud scenarios.
• Virtualization-specific products: Leading hypervisor providers may
offer zero-trust microsegmentation platforms, as well. These benefit
from deep integration with both the hypervisor and software-defined
networking, but may not be as applicable to physical systems.
• Stand-alone zero-trust security software: This is software that has its
own unique policy engine, as well as host-based software. While this
option may be the most flexible in some ways across internal and
cloud environments, it could also be prone to vendor lock-in and
performance issues.

While looking at options, be sure to consider platform compatibility (some
legacy systems or certain operating systems may not be wholly compatible),
availability in cloud environments, and complexity or operational
requirements for management and ongoing maintenance.

Putting a zero-trust security tool to work

Once the platform or tool of choice is selected, the next major planning
element -- besides installation -- is policy design. Most of the leading
providers of zero-trust security tools offer a form of "learning mode" that
you can start out in, and that's definitely the right choice for almost all
organizations -- enable the zero-trust engine and then monitor for what it
sees. What you're looking to do is monitor what types of applications and
services are communicating between systems and network segments, and
map the communications to evaluate what is likely sanctioned and what
might be malicious or unwanted traffic. When planning your policies, be sure
to work closely with application, desktop and server operations teams to
better understand what is actually running in your environment, as these
teams will likely have a more accurate view of what communications should
be in place. This way, you can build consensus on policy implementation
before actually locking anything down.

At the same time, it's helpful to think about a "tagging" or "grouping" model
that makes the most sense in your zero-trust security architecture. In other
words, what systems are alike and which systems should be communicating
as part of defined application workloads? Common grouping strategies
include business units (systems owned or maintained by a specific group or
functioning as part of a business group), platform or application similarity (all
databases or Windows servers, for example), and sensitivity levels (all
systems in scope for PCI DSS compliance or those handling financial
transactions). Choosing sound grouping for policies will enable them to be
implemented more quickly and effectively; it may also make the policy
design and governance discussions easier, since you'll likely be working with
existing teams that know how their applications should be functioning.
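
An added example (not from the e-guide or from any vendor's product) of the learning-mode and grouping steps above, together with the continuous affinity-policy check described in the microsegmentation article: observed flows are lifted to group-level rules, rarely seen ones are held for review, and evaluation is default-deny. The host names, tags, flows and the min_count cut-off are constructed assumptions.

```python
from collections import Counter

# Constructed tag map (host -> group), grouping by platform/application similarity.
TAGS = {"web-01": "web", "web-02": "web", "db-01": "database", "hr-ws-07": "desktop"}

# Constructed learning-mode observations: (src_host, dst_host, dst_port, src_process).
OBSERVED = [
    ("web-01", "db-01", 5432, "nginx"),
    ("web-02", "db-01", 5432, "nginx"),
    ("web-01", "db-01", 5432, "nginx"),
    ("web-02", "db-01", 5432, "nginx"),
    ("hr-ws-07", "db-01", 5432, "psql"),  # seen once: sanctioned or unwanted?
    ("web-01", "web-02", 22, "ssh"),      # seen once
]


def rule_for(flow, tags):
    """Lift a host-level flow to a group-level rule; None if either host is untagged."""
    src, dst, port, process = flow
    if src not in tags or dst not in tags:
        return None
    return (tags[src], tags[dst], port, process)


def learn(observed, tags=TAGS, min_count=3):
    """Return (candidates, review, untagged) from learning-mode observations.

    min_count is an assumed cut-off: rarely seen rules are not auto-approved
    but queued for review with the teams that own the systems.
    """
    counts, untagged = Counter(), []
    for flow in observed:
        rule = rule_for(flow, tags)
        if rule is None:
            untagged.append(flow)
        else:
            counts[rule] += 1
    candidates = {r for r, n in counts.items() if n >= min_count}
    review = {r for r, n in counts.items() if n < min_count}
    return candidates, review, untagged


def is_allowed(flow, policy, tags=TAGS):
    """Default deny: permit only flows whose exact group/port/process rule is approved."""
    rule = rule_for(flow, tags)
    return rule is not None and rule in policy


if __name__ == "__main__":
    approved, review, untagged = learn(OBSERVED)
    print("candidate allow rules:", sorted(approved))
    print("needs review:", sorted(review))
    print("same hosts, other process:",
          is_allowed(("web-01", "db-01", 5432, "bash"), approved))
```

Because the rule key includes the source process, a flow between the same two groups on the same port is still denied when it comes from a process that was never approved.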

About SearchSecurity

IT security pros turn to SearchSecurity.com for the information they require
to keep their corporate data, systems and assets secure. We're the only
information resource that provides immediate access to breaking industry
news, virus alerts, new hacker threats and attacks, security certification
training resources, security standard compliance, webcasts, white papers,
podcasts, Security Schools, a selection of highly focused security
newsletters and more -- all at no cost.

For further reading, visit SearchSecurity.com
Images: Fotolia

©2019 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means
without written permission from the publisher.
