Network Security Investment Priority #2: Zero Trust

Global Independent Study of 500 Senior Level Respondents Provides Clear Picture for the Future of Network Security

This is part 3 of a 6-part series addressing The Future of Network Security findings. Read Part 1 here.

If traditional network defenses are visualized as castles and moats, Zero Trust Architectures (ZTAs) can be visualized more like a museum. Anyone can enter. They can sit on the benches and use the water fountains, but the treasures are individually secured with their own alarms and protective barriers. Employees have access only to the resources they need to do their jobs. There is no implicit trust. Instead, there is least-privilege access. The person in charge of dinosaur bones can’t handle the gold chalices, and the person in charge of chalices can’t get close to the bones.

While Zero Trust Architectures (ZTAs) won’t replace traditional defenses overnight, their focus on restricting access and protecting individual resources is resonating with IT security leaders. In The Future of Network Security, an independent study sponsored by FireMon, 17% of the 500 IT leaders who responded said they have begun implementing ZTAs as part of their network security strategy. Another 69% plan to implement ZTA by 2023.


5 Top Drivers of Zero Trust Architecture

Zero Trust Architecture was rapidly being adopted before COVID-19, and interest only accelerated as the pandemic raged. Suddenly, the need to provide secure remote access at scale was critical, especially as hackers leaped into the void and the frequency of data breaches and ransomware attacks shot up.

  • Greater need for secure remote access due to COVID-19: 26%
  • Reduce cybersecurity risk: 25%
  • Streamline trusted user access to corporate applications: 18%
  • Support transition to cloud architectures: 18%
  • Manage risk from third-party software, BYOD, and shadow IT: 14%

Zero Trust Architecture mitigates one of the greatest cybersecurity challenges businesses face today – the challenge of preventing lateral movement by unauthorized users.

The most common method attackers use to gain access to a network is through the use of stolen credentials, typically acquired through some sort of social engineering, such as a phishing attack or a malicious website. Once access has been achieved, an attacker will work to gain increased privileges, and then use those privileges to search for valuable assets, install back doors, and gain knowledge about the network that can be used to plot a future attack.

Stolen credentials gained through social engineering will always be the Achilles heel of a security strategy because human error is evergreen – so since unauthorized access can’t be completely stopped, it must be mitigated. ZTA addresses that reality by protecting the assets inside the network individually by setting policies at a granular level, using context to detect anomalous activity, and preventing compromised accounts from accessing resources.

Measuring Your Zero Trust Level

Zero Trust Contributors
  • Use of applications
  • Use of Users and User Groups
  • Use of URL filters
  • Use of data classification filters

Zero Trust Inhibitors
  • Overly permissive rule sets
  • Unused rules
  • Hidden and shadowed rules
  • Compliance assessment failures
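As an added illustration (not code from the FireMon study or any FireMon product), the following Python audits a constructed, first-match firewall rule set for three of the rule-level inhibitors listed above: overly permissive rules, unused rules, and shadowed rules. The Rule format, the zero-hit threshold for "unused", and the sample rules are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # inclusive (low, high) TCP port range
    hits: int = 0  # match counter reported by the enforcement point

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would also match `outer`."""
    src_in = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_in = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    ports_in = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_in and dst_in and ports_in

def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule already covers them
    (first-match evaluation assumed; action is ignored, so a same-action
    duplicate is reported as shadowed too)."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]

def overly_permissive_rules(rules):
    """Allow rules whose source, destination, or port range is unrestricted.
    These are findings to review, not automatic failures: a public HTTPS
    listener may legitimately accept any source."""
    def is_any(cidr):
        return ipaddress.ip_network(cidr).prefixlen == 0
    return [r.name for r in rules if r.action == "allow"
            and (is_any(r.src) or is_any(r.dst) or r.ports == (1, 65535))]

def unused_rules(rules):
    """Rules with zero hits over the reporting window: removal candidates."""
    return [r.name for r in rules if r.hits == 0]

# Constructed sample rule set (assumption; not from the study or any customer).
SAMPLE = [
    Rule("web-in", "allow", "0.0.0.0/0", "10.0.1.0/24", (443, 443), hits=9000),
    Rule("db-from-app", "allow", "10.0.1.0/24", "10.0.2.10/32", (5432, 5432), hits=120),
    Rule("db-from-app-old", "allow", "10.0.1.5/32", "10.0.2.10/32", (5432, 5432)),
    Rule("legacy-any", "allow", "10.0.0.0/8", "10.0.0.0/8", (1, 65535), hits=3),
]
```

Running the three checks over SAMPLE flags db-from-app-old as both shadowed and unused, and web-in and legacy-any as overly permissive; the first of those is the expected public listener, the second is the kind of broad internal allow that a Zero Trust review should retire.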

Defining Zero Trust

A Deeper Dive into Zero Trust Architecture

Microsegmentation

  • Software-based
  • Secures East-West traffic
  • Creates boundaries within East-West traffic

Next Generation Firewalls (NGFW) and Firewalls as a Service (FWaaS)

  • Firewall interfaces are configured to connect network segments into security zones
  • Each zone is secured with a unique set of rules that only grant access to users, devices, and services that are authorized to access the zone

SD-WAN

  • SD-WAN connects to cloud providers and newer types of endpoints
  • SD-WAN handles encryption well but isn’t as good at authentication

Zero Trust Network Access (ZTNA)

  • The most widely-recognized architecture in ZTA
  • Creates an identity- and context-based boundary around a resource
  • Removes visibility of assets from unauthorized actors

Secure Web Gateway (SWG)

  • Filters unsecured traffic and enforces policy compliance
  • Zero Trust

Cloud Access Security Broker (CASB)

  • Discovers cloud services and assesses readiness according to policies

Network Security Policy Management

  • Visibility across heterogeneous infrastructure
  • Policy orchestration to adapt to change and respond to threats without manual intervention
  • Ensure continuous compliance with zero trust policy

Zero Trust Architecture is not a product. Rather, it is a concept built on people, workloads, devices, networks, and data.

People
Zero Trust ensures that only authorized users gain access to the right apps and services.

User-centric technologies
JML/RBAC design
Two-factor authentication
Risk-based authentication
Privileged user management
Biometric-based authentication
Account segregation
Identity verification
Browser isolation technology

Workloads
Zero Trust identifies and categorizes workloads and subjects them to the appropriate security controls.

Workload-centric technologies
Cloud workload security
Container security configuration
VM security configuration
Runtime container security
Web application firewalls
Cloud security gateways
Connectivity inventory
Workload asset management

Devices
Zero Trust monitors endpoints to ensure their identities are trusted and the correct security policies are applied to them.

Device-centric technologies
Device asset management
Endpoint security suites
Device posture checking
Endpoint detection and response
Mobile security suites

Networks
Zero Trust applies strict access controls to networks through the use of network asset visibility.

Network-centric technologies
Network transmission protocol security
Network device configuration management
Network security policy management
Vulnerability management
Software-based microsegmentation
Network segmentation, virtual and physical

Data
Zero Trust protects data at rest, in transit, or in use through the application of consistent data security policies.

Data-centric technologies
Data encryption
Data classification
Data asset classification
Data leakage prevention
File integrity monitoring

The Fundamentals of Zero Trust: Visibility and Orchestration

The ZTA system needs visibility in order to apply policies and control access properly. To acquire this visibility, three capabilities are necessary: open APIs, scalable data ingest, and customizable reporting.

3 Essential Capabilities for ZTA Success

Open APIs: The use of open APIs will enable the organization to extract data from the entire network. This supports visibility by providing a way to capture insights from any connected system.

Scalable Data Ingest: As systems are connected via APIs, the volume of data entering the network balloons. Scalable data ingest allows data ingestion in real time, which is another pillar of visibility.

Customizable Reporting: With so much data, there needs to be a way to understand it. And while all networks are unique, ZTA networks are especially so: every partition is a micro-network with its own workloads, devices, users, and resources. Customizable reports enable you to make fast assessments.

Orchestrate the Management of Zero Trust Architecture

Traditional change management approaches won’t work with ZTA. There are too many contingencies to handle, and that means too many unintended consequences to account for. Instead, orchestration is used to automatically tell enforcement points how to behave.

That behavior isn’t really about following rules. It’s more about intent. Intent can be managed with a network security policy management solution that orchestrates activities between people, workloads, devices, networks, and data. These activities enrich an analytics loop that in turn helps the orchestration perform better as more intelligence is acquired.

Security teams can set a single global policy that applies to all network resources, no matter what the composition of the network is at any given moment. Intent-based security maps the overall security goal to specific rules, checks the design against all possible contingencies, scores the risk, and pushes it to the enforcement point. The results of the policy are monitored, ideally in real-time, and the network is commanded to adapt to changes.

The entire rule lifecycle must be automated for ZTA to be effective. Organizations already recognize the need for automation in the security policy management process: 98% report they’ve already automated their security policy management to some degree, and almost 80% plan to implement security orchestration and automation within two years.

Network security policy management (NSPM) is a strategic investment

90% of organizations say NSPM helps them improve speed and responsiveness. More than half intend to invest in NSPM in 2021.

When the Network is Everywhere, So are the Policies

Zero Trust Architecture creates so many endpoints that it would be impossible to manage them all manually. Rule sprawl and complexity are a natural consequence of Zero Trust Architecture, but they can be controlled with network security policy management. NSPM automates and orchestrates the processes that support visibility, analytics, and policy enforcement in a Zero Trust environment.

The Value of Zero Trust

  • Visibility: Unified visibility across a heterogeneous infrastructure
  • Orchestration: Leverage existing IT infrastructure, PEPs, and workflows
  • Integration: Flexible APIs will simplify integration
  • Analytics: Query policy across heterogeneous infrastructure, and leverage access path analysis to pinpoint risky connections
  • Compliance: Ensure continuous compliance, conduct pre-change assessments, and notify security and compliance teams when violations occur
  • Risk Analysis: Provides insights into risk across the environment and provides recommended remediations

3 Principles for Implementing Zero Trust

  • Leverage existing infrastructures and processes that support Zero Trust, such as CASB, SD-WAN, NGFWs, FWaaS, and SWGs.
  • Policy is the heart of a Zero Trust Architecture, so acquire the ability to visualize, normalize, manage, and monitor rules across the entire network, including all endpoints.
  • Use a network security policy management solution to gain visibility, integration, orchestration, compliance, analytics, and risk analysis.

Zero Trust is now essential

Since 2018, FireMon has been recognized by Forrester as a Zero Trust platform.

According to Forrester, to be a Zero Trust platform, vendors must:

  • Offer market-leading capabilities in at least three Zero Trust components
  • Create unique technical advantages to solution integration
  • Develop and support robust APIs and a partner ecosystem

FireMon delivers the necessary scalability and real-time visibility to support Zero Trust, all driven by robust APIs and airtight integrations.
