E-guide

Implementing a Zero-Trust Approach to Network Security

In this e-guide

  Zero-Trust Security Means New Thinking Plus Practical Steps
  Microsegmentation Security: Your Key to Zero Trust
  Key Steps to Put Your Zero-Trust Security Plan Into Action
  About SearchSecurity

The growing number of users with legitimate reasons to access network resources, coupled with the increasing deprecation of the perimeter, means designating users as being internal or external is becoming meaningless.

Using a zero-trust approach to network security means there is no need to differentiate between the two types of threat; every potential threat is treated in the same way.

However, implementing zero trust requires creating detailed policies and devising certain "hoops" which those wanting access to critical infrastructure must jump through.

In this e-guide, explore:

  • A comprehensive explanation of what zero trust means (Hint: it's more than a policy of trusting nothing and no one)
  • The concrete benefits of a zero-trust security policy
  • The practical steps to take when implementing zero trust
  • And more

Zero-trust security means new thinking plus practical steps

Johna Johnson, President and Senior Founding Partner at Nemertes Research

By now, you've probably heard about zero-trust security, but you may be unsure how to implement it. Part of the problem is the name. Zero-trust sounds good, but putting the concept of never trust anything ever into practice is literally impossible. If users never trust any system, user, device, application or process, the enterprise would be unable to function.

A more accurate -- if clunkier -- name would be highly granular and distributed trust. That is, the concept behind zero trust is actually highly granular control of distributed trust. A session of type X between devices Y and Z may be permitted, but not all sessions of type X or all sessions of any type between devices Y and Z should be trusted.

Those twin concepts -- highly granular and distributed trust -- form the twin lynchpins of zero-trust security. Zero trust relies on -- and demands -- a deep knowledge of systems and data so IT can put meaningful boundaries around systems, processes, applications and users everywhere.

Zero-trust security, therefore, requires IT to radically rethink networks, including the roles -- and even the existence -- of conventional and separate routers, firewalls, distributed denial-of-service defenses, network segmentation products, and all the other familiar network elements. Security functions, which are increasingly virtualized and modularized as virtual appliances and virtualized network functions, can be implemented throughout the infrastructure as needed.

Zero trust also places security automation at the heart of security operations and brings with it all the benefits of automation: reliability, agility and scalability.

Zero-trust practicalities

How should cybersecurity practitioners take all these concepts -- using highly granular and distributed trust, rethinking network design, implementing automation -- and turn them into practical steps?

The first place to start is virtualization. Computing and application virtualization are relatively mature. Most organizations have moved toward virtualized servers, and many have implemented a microservices- and container-based software development paradigm. So implementing zero trust at the computing and application layer starts with trying to provide granular, distributed security to these virtual machines (VMs), microservices and containers.

Tools from vendors such as Aqua Security, Capsule8, Layered Insight, NeuVector, StackRox, Tenable and Twistlock can provide container-based security. Tools like JSON Web Tokens can assist with microservices security.

Networking infrastructure, however, is significantly less mature. Many organizations still construct networks via a portfolio of physical devices -- switches, routers, firewalls, load balancers, gateways, etc.

A critical step when implementing zero-trust security within a network infrastructure is the move to virtualization. Implementing software-defined networking in the data center and SD-WAN in the WAN provides the necessary platform to instantiate network and network security functions as VMs rather than physical devices. A firewall, for instance, might become a firewall VM in a branch-in-a-box SD-WAN device. This, in turn, enables automated and granular control of the functionality.

Getting to zero

Traditional security and networking vendors like Cisco, Check Point, Juniper Networks, Fortinet and Palo Alto Networks and emerging providers like 128 Technology are offering these types of virtualized products that provide granular control over individual sessions, along with dynamic reconfiguration of permissions. It's worth revisiting both the traditional and emerging players to assess their degree of virtualization.

It's also important to think about centralized policy when choosing a tool. Some vendors are beginning to make a play toward becoming the network policy engine, providing hooks into a range of partner technologies that can implement the centralized policy. Regardless of which vendor you wish to anoint as the policy engine, it's critical to think in terms of having a centralized policy repository from which you can make changes that ripple out to the entire infrastructure.

The bottom line? Even though zero-trust security isn't what its name implies, it will ultimately change everything. And, when implementing it, network infrastructure is the weakest link, so pay special attention to virtualizing and securing your network infrastructure.

Microsegmentation security: Your key to zero trust

Dave Shackleford, Principal Consultant at Voodoo Security

There are many tools and controls available that can help monitor internal workloads and data moving between hybrid cloud environments. But above all, enterprises need to adopt one overarching theme when designing a dynamic security architecture model: zero trust.

In order to implement a zero-trust model, security and operations teams will need to focus on two key concepts. First, security will need to be integrated into the workloads themselves, and will move with the instances and data as they migrate between internal and public cloud environments. Second, the actual behavior of the applications and services running on each system will need to be much better understood, and the relationships between systems and applications will need more intense scrutiny than ever to facilitate a highly restricted, zero-trust operations model.

Automating zero trust microsegmentation security

As hybrid cloud architectures become the new norm, many organizations are focusing heavily on automation, far beyond what we've traditionally seen in enterprise data centers. In order to automate the implementation of a granular microsegmentation security strategy, visibility into the network traffic and both the workload and application configurations will be needed. This is really the key to transforming a segmentation strategy into one that adheres to zero-trust principles.

By creating a layer of policy enforcement that travels with workloads wherever they go, organizations have a much stronger chance of protecting data regardless of where the instance runs. In some ways, this does shift security policy and access control back to the individual instances versus solely within the network itself, but hybrid cloud architecture designs don't easily accommodate traditional networking models of segmentation.

Dynamic assets like virtual instances (running on virtualization infrastructure technology) and containers are difficult to position behind "fixed" network enforcement points, so organizations can adopt a zero-trust microsegmentation security strategy that only allows traffic to flow between approved systems and connections, regardless of the environment they are in. Virtual systems can employ a hypervisor backplane that all communications and behaviors are linked to, facilitating zero trust in a more scalable way. There are also physical models that accomplish this, too, using specific network switches and connectivity platforms that have policy evaluation controls built in.

What zero-trust microsegmentation security delivers

Zero-trust microsegmentation prevents attackers from using unapproved connections to move laterally from a compromised application or system regardless of environment. Essentially, zero trust facilitates the creation of "affinity policies," where systems have relationships and approved applications and traffic, and any attempted communications are evaluated and compared against these policies to determine whether the actions should be permitted. This happens continuously, and effective zero-trust control technology will also include some sort of machine learning capabilities to perform analytics processing of attempted behaviors, adapting dynamically over time to changes in the workloads and application environments.

By potentially eliminating lateral movement, a zero-trust microsegmentation security model also reduces the post-compromise risk when an attacker has illicitly gained access to an asset within a data center or cloud environment. Cloud design and operations teams -- and often DevOps teams -- refer to this as limiting the "blast radius" of an attack, as any damage is contained to the smallest possible surface area, and attackers are prevented from using one compromised asset to access another. This works not only by controlling asset-to-asset communication, but also by evaluating the actual applications running and assessing what these applications are trying to do. For example, if an application workload -- like web services such as Nginx or Apache -- is legitimately permitted to communicate with a database server, the attacker would have to compromise the system and then perfectly emulate the web services in trying to laterally move to the database server -- even issuing traffic directly from the local binaries and services installed.

These are just a few of the benefits of a zero-trust segmentation strategy that can definitely help organizations to implement granular access control policies across their internal and cloud data centers.

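
An added example, not from the original guide or any vendor's product: a default-deny evaluator for the "affinity policies" described above that checks both the asset-to-asset path and the originating application, plus a reachability count that makes the "blast radius" comparison concrete. The workload names, group tags, binary paths, port and the premise that a host agent reports the originating binary are all assumptions made for the sketch.

```python
from dataclasses import dataclass

# Constructed inventory: workload name -> group tag (all names are hypothetical).
WORKLOADS = {
    "web-1": "web", "web-2": "web",
    "db-1": "database",
    "hr-app-1": "hr", "backup-1": "backup",
}

@dataclass(frozen=True)
class Affinity:
    """One approved relationship: which application in which group may reach which service."""
    src_group: str
    src_process: str  # binary expected to originate the traffic (assumed agent-reported)
    dst_group: str
    dst_port: int

# Constructed policy: only these relationships are approved; everything else is denied.
POLICY = frozenset({
    Affinity("web", "/usr/sbin/nginx", "database", 5432),
    Affinity("hr", "/opt/hr/bin/hr-app", "database", 5432),
    Affinity("backup", "/usr/bin/backup-agent", "database", 5432),
})

@dataclass(frozen=True)
class Attempt:
    src: str
    process: str
    dst: str
    port: int

def evaluate(attempt, policy=POLICY, workloads=WORKLOADS):
    """Return (allowed, reason). Default deny: unknown workloads and unlisted tuples fail."""
    src_group = workloads.get(attempt.src)
    dst_group = workloads.get(attempt.dst)
    if src_group is None or dst_group is None:
        return False, "unknown workload"
    if Affinity(src_group, attempt.process, dst_group, attempt.port) in policy:
        return True, "matches affinity policy"
    # Separate "right path, wrong application" from "no relationship at all".
    path_ok = any(a.src_group == src_group and a.dst_group == dst_group
                  and a.dst_port == attempt.port for a in policy)
    if path_ok:
        return False, "approved path, unapproved application"
    return False, "no approved relationship"

def blast_radius(start, policy=None, workloads=WORKLOADS):
    """Workloads reachable from a compromised one by following allowed edges transitively.

    policy=None models a flat network where every workload can reach every other.
    Process identity is ignored here, so the result is an asset-level upper bound.
    """
    reached, frontier = set(), [start]
    while frontier:
        current = frontier.pop()
        for candidate in workloads:
            if candidate in reached or candidate in (current, start):
                continue
            if policy is None:
                allowed = True
            else:
                allowed = any(a.src_group == workloads[current]
                              and a.dst_group == workloads[candidate] for a in policy)
            if allowed:
                reached.add(candidate)
                frontier.append(candidate)
    return reached

if __name__ == "__main__":
    for attempt in (
        Attempt("web-1", "/usr/sbin/nginx", "db-1", 5432),
        Attempt("web-1", "/usr/bin/python3", "db-1", 5432),
        Attempt("web-1", "/usr/sbin/nginx", "web-2", 22),
    ):
        print(attempt, evaluate(attempt))
    print("flat network:", sorted(blast_radius("web-1")))
    print("with policy: ", sorted(blast_radius("web-1", POLICY)))
```
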
Key steps to put your zero-trust security plan into action

Dave Shackleford, Principal Consultant at Voodoo Security

A zero-trust microsegmentation model for access control potentially has many benefits, but implementing this technology strategy requires significant planning and coordination across teams. The first decision that an organization will need to make is that of which technology to select in implementing zero-trust security. There are a number of vendors that offer microsegmentation tools, and there are many differences between the various products:

  • Network-centric products: Well-known networking companies have begun to offer microsegmentation policy engines and enforcement controls within network switches and other connectivity platforms. The benefit of these products is usually a unified approach across that vendor's hardware and often other vendors' as well, as long as the network traffic crosses their switches. Drawbacks include vendor lock-in and costs, as well as some potential limitations in moving to cloud scenarios.
  • Virtualization-specific products: Leading hypervisor providers may offer zero-trust microsegmentation platforms, as well. These benefit from deep integration with both the hypervisor and software-defined networking, but may not be as applicable to physical systems.
  • Stand-alone zero-trust security software: This is software that has its own unique policy engine, as well as host-based software. While this option may be the most flexible in some ways across internal and cloud environments, it could also be prone to vendor lock-in and performance issues.

While looking at options, be sure to consider platform compatibility (some legacy systems or certain operating systems may not be wholly compatible), availability in cloud environments, and complexity or operational requirements for management and ongoing maintenance.

Putting a zero-trust security tool to work

Once the platform or tool of choice is selected, the next major planning element -- besides installation -- is policy design. Most of the leading providers of zero-trust security tools offer a form of "learning mode" that you can start out in, and that's definitely the right choice for almost all organizations -- enable the zero-trust engine and then monitor for what it sees. What you're looking to do is monitor what types of applications and services are communicating between systems and network segments, and map the communications to evaluate what is likely sanctioned and what might be malicious or unwanted traffic. When planning your policies, be sure to work closely with application, desktop and server operations teams to better understand what is actually running in your environment, as these teams will likely have a more accurate view of what communications should be in place. This way, you can build consensus on policy implementation before actually locking anything down.

At the same time, it's helpful to think about a "tagging" or "grouping" model that makes the most sense in your zero-trust security architecture. In other words, what systems are alike and which systems should be communicating as part of defined application workloads? Common grouping strategies include business units (systems owned or maintained by a specific group or functioning as part of a business group), platform or application similarity (all databases or Windows servers, for example), and sensitivity levels (all systems in scope for PCI DSS compliance or those handling financial transactions). Choosing sound grouping for policies will enable them to be implemented more quickly and effectively; it may also make the policy design and governance discussions easier, since you'll likely be working with existing teams that know how their applications should be functioning.

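
The learning-mode workflow above, as an added example that is not part of the original guide or any vendor's tooling: observed flows are collapsed into group-level candidate rules, sorted into a review worklist for the system owners, and then dry-run against the approved rules before anything is locked down. The inventory, flow records, tag names and the 100-hit threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: each workload carries the three grouping dimensions
# named in the text (business unit, platform, sensitivity). All names are hypothetical.
TAGS = {
    "web-1":   {"unit": "retail",  "platform": "web",      "sensitivity": "standard"},
    "web-2":   {"unit": "retail",  "platform": "web",      "sensitivity": "standard"},
    "cache-1": {"unit": "retail",  "platform": "cache",    "sensitivity": "standard"},
    "rpt-1":   {"unit": "finance", "platform": "app",      "sensitivity": "standard"},
    "pay-db":  {"unit": "finance", "platform": "database", "sensitivity": "pci"},
}

# Constructed learning-mode observations: (source, destination, port, times seen).
OBSERVED = [
    ("web-1", "pay-db", 5432, 9120),
    ("web-2", "pay-db", 5432, 8877),
    ("web-1", "cache-1", 6379, 50000),
    ("rpt-1", "pay-db", 5432, 310),
    ("web-1", "web-2", 22, 3),
    ("dev-laptop", "pay-db", 5432, 2),  # source is missing from the inventory
]

def group_of(host, dimension):
    """Group label for a host along one tagging dimension, or None if untagged."""
    tags = TAGS.get(host)
    return tags[dimension] if tags else None

def summarize(observed, dimension="platform"):
    """Collapse host-to-host flows into group-to-group candidate rules."""
    rules = defaultdict(lambda: {"hits": 0, "pairs": set(),
                                 "sensitive": False, "untagged": False})
    for src, dst, port, hits in observed:
        key = (group_of(src, dimension) or "UNTAGGED",
               group_of(dst, dimension) or "UNTAGGED", port)
        entry = rules[key]
        entry["hits"] += hits
        entry["pairs"].add((src, dst))
        entry["untagged"] |= src not in TAGS or dst not in TAGS
        entry["sensitive"] |= "pci" in (group_of(src, "sensitivity"),
                                        group_of(dst, "sensitivity"))
    return dict(rules)

def triage(rules, min_hits=100):
    """Turn candidate rules into a worklist for review with the owning teams."""
    worklist = {}
    for key, entry in rules.items():
        if entry["untagged"]:
            worklist[key] = "investigate: untagged system"
        elif entry["hits"] < min_hits:
            worklist[key] = "investigate: rarely seen"
        elif entry["sensitive"]:
            worklist[key] = "owner sign-off: touches PCI scope"
        else:
            worklist[key] = "propose allow"
    return worklist

def dry_run(observed, approved, dimension="platform"):
    """Observed flows that enforcement would block under the approved group rules."""
    return [(src, dst, port) for src, dst, port, _ in observed
            if (group_of(src, dimension), group_of(dst, dimension), port) not in approved]

if __name__ == "__main__":
    for rule, action in triage(summarize(OBSERVED)).items():
        print(rule, "->", action)
    approved = {("web", "database", 5432), ("web", "cache", 6379)}
    print("would be blocked:", dry_run(OBSERVED, approved))
```

Calling `summarize(OBSERVED, "unit")` regroups the same traffic by business unit, which is the view to bring to each owning team.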
About SearchSecurity

IT security pros turn to SearchSecurity.com for the information they require to keep their corporate data, systems and assets secure. We're the only information resource that provides immediate access to breaking industry news, virus alerts, new hacker threats and attacks, security certification training resources, security standard compliance, webcasts, white papers, podcasts, Security Schools, a selection of highly focused security newsletters and more -- all at no cost.

For further reading, visit SearchSecurity.com

Images: Fotolia

©2019 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher.