Beginning the Zero Trust Journey with Software-Defined Perimeter Security
Sep 05, 2019
The “Zero Trust” approach to enterprise security has gained significant traction as a way to combat the increasing sophistication and complexity of cyber security risks. The basic concept behind Zero Trust is, as the name suggests, to trust nothing and no one by default: any user, application or service attempting to access a network resource must be verified as legitimate before access is granted, and once granted, access is limited to the specific parameters defined for that user, application or service.
Applying this principle, however, is easier said than done. Most traditional security strategies take a “castle and moat” approach and treat the enterprise network as a physical entity with clearly defined boundaries. Zero Trust, however, is designed to address today’s increasingly virtualized world, and therefore requires a fundamentally new mindset. Networks, moreover, are built on the TCP/IP model, in which a connection is established first and the peer is authenticated afterwards (arguably making security an afterthought): a client can complete a handshake with a server, and probe it, before presenting any credential. Zero Trust reverses this order by requiring authentication before a connection is established, and by embedding security into every single connection and access request.
Another issue is a false perception, fueled largely by market hype, of Zero Trust as an ironclad solution that renders businesses immune from cyber threats. Relatedly, vendors eager to close deals push the idea that Zero Trust can be implemented as a discrete, one-and-done solution. The first produces a false sense of security; the second leads businesses to underestimate the challenges and work required to deploy Zero Trust.
The fact is, Zero Trust is a massive, long-term undertaking, and teams building a business case for investment should not gloss over that reality. Moreover, the model is not a panacea. Most enterprises require a hybrid environment (and partners who can manage such an environment), where traditional security technologies work in tandem with Zero Trust domains. Finally, Zero Trust requires an ongoing, enterprise-wide commitment that integrates people, processes and technology.
Zero Trust - A Titanic Endeavor
As defined by Forrester Research, the Zero Trust model comprises five steps:
- Identify Sensitive Data
- Map the Flows of Sensitive Data
- Architect Zero Trust Micro-Perimeters
- Continuously Monitor Zero Trust Ecosystem with Security Analytics
- Embrace Security Automation and Orchestration
Each of these steps represents a major undertaking in and of itself. For example, steps one and two, the identification of potentially sensitive data and the mapping of its flows, require classifying and prioritizing myriad data from multiple sources based on complex criteria such as impact and probability. In other words, businesses must determine whether data that poses a potentially catastrophic risk, but is highly unlikely to be exposed, should be a higher priority than data that poses a low-impact risk but has a relatively high probability of being exposed.
Given the cost and complexity of such enterprise-wide data identification and classification projects, the exhaustive, multi-step approach has proven impractical for many organizations. For businesses seeking a manageable alternative to a full-blown Zero Trust undertaking, the Software-Defined Perimeter (SDP) paradigm represents a viable option.
From a technology standpoint, SDP solutions address the Zero Trust imperative of carving out explicitly defined access boundaries for each entity, regardless of its physical location. So, for example, remote workers can access the files related to their jobs, IT contractors can access the applications they are testing, and suppliers can access the orders for the products they supply, and nothing else.
By granting network access only according to the user’s profile and permissions, SDP shrinks the exposed attack surface and makes the traffic that does occur within the virtual network easier to monitor. SDP also assesses the context of each connection in terms of the identity, time of day and location of the entity seeking access. And because the SDP client decouples security from whatever network the user happens to be on (as a VPN also intends to do), it can harden the device locally by refusing unsolicited inbound connections, which addresses the concern of hostile peers on public local networks. The practical difference from a conventional VPN is that a VPN typically grants broad network reachability once the tunnel is up, whereas SDP grants a connection to one authorized application at a time.
SDP is also conducive to hybrid environments and a phased adoption of Zero Trust. Specifically, SDP architectures usually provide the tools for the architecting, monitoring and automation/orchestration stages of the Zero Trust model. SDP also simplifies things: while a pure Zero Trust approach identifies individual units of data to be classified and tagged, SDP identifies whole assets (applications or datasets) by where they live in the data center. A “connector” in front of each asset then defers to a separate controller element, which evaluates the context of each access request against the requester’s live entitlements before issuing the credentials that allow the communication to happen; a request with no matching entitlement is simply dropped.
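As an added example (not code from the original article or from any SDP vendor product), the following Python sketch shows the two ideas the preceding paragraphs describe: authenticate first and connect second, and evaluate the context of each request against live entitlements with deny as the default. The authentication step assumes the single-packet-authorization (SPA) mechanism from the Cloud Security Alliance SDP specification, here modelled as an HMAC over a per-device key; the client keys, device-to-user mapping, assets, entitlement table and timestamps are all constructed sample data, and the 30-second freshness window is an assumption.

```python
"""SDP-style gateway: authenticate before connecting, then check context.

Flow for one request:
  1. the client sends a single authorization packet (SPA) carrying an HMAC;
  2. the gateway verifies it and otherwise stays silent, so unauthenticated
     peers never see an open port;
  3. only then is the request's context (identity, source network, time of
     day) checked against live entitlements, with deny as the default.
Keys, principals, assets and entitlements below are constructed sample data.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: per-device seed keys issued at enrollment, and device -> user mapping.
CLIENT_KEYS = {
    "alice-laptop": b"alice-seed-key-0123456789abcdef",
    "bob-desktop": b"bob-seed-key-0123456789abcdef",
}
CLIENT_PRINCIPALS = {"alice-laptop": "alice", "bob-desktop": "bob"}


@dataclass(frozen=True)
class Entitlement:
    principal: str
    asset: str
    source_networks: tuple   # CIDRs the principal may connect from
    hours_utc: tuple         # (start, end) allowed hours in UTC, end exclusive


# Constructed entitlement table; any principal/asset pair not listed is unreachable.
ENTITLEMENTS = (
    Entitlement("alice", "crm-db", ("10.0.0.0/8", "203.0.113.0/24"), (7, 19)),
    Entitlement("bob", "build-server", ("10.0.0.0/8",), (0, 24)),
)

SPA_WINDOW_SECONDS = 30   # assumed freshness window for an authorization packet


def make_spa_packet(client_id, asset, now=None):
    """Client side: `client|asset|timestamp|hmac_hex`, sent as one UDP datagram."""
    ts = int(time.time() if now is None else now)
    body = f"{client_id}|{asset}|{ts}".encode()
    tag = hmac.new(CLIENT_KEYS[client_id], body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class Gateway:
    """Accepting host: drops everything that is not a valid, fresh, unseen SPA packet."""

    def __init__(self):
        self._seen_tags = set()   # replay defense within the freshness window

    def verify_spa(self, packet, now=None):
        """Return (client_id, asset) if the packet is genuine, else None (silent drop)."""
        now = time.time() if now is None else now
        try:
            client_id, asset, ts, tag = packet.decode().split("|")
            ts = int(ts)
        except ValueError:
            return None                      # malformed: not even worth a reply
        key = CLIENT_KEYS.get(client_id)
        if key is None:
            return None                      # unknown device
        body = f"{client_id}|{asset}|{ts}".encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                      # forged or tampered
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return None                      # stale: outside the freshness window
        if tag in self._seen_tags:
            return None                      # replayed within the window
        self._seen_tags.add(tag)
        return client_id, asset


def authorize(principal, asset, src_ip, when):
    """Contextual entitlement check: identity, source network, time of day. Deny by default."""
    src = ip_address(src_ip)
    for ent in ENTITLEMENTS:
        if ent.principal != principal or ent.asset != asset:
            continue
        if not any(src in ip_network(n) for n in ent.source_networks):
            return False, "source network not entitled"
        start, end = ent.hours_utc
        if not start <= when.hour < end:
            return False, "outside entitled hours"
        return True, "allowed"
    return False, "no entitlement for principal/asset"


def gate_request(gateway, packet, src_ip, now):
    """Authenticate first, then evaluate context; only an allowed result opens a connection."""
    verified = gateway.verify_spa(packet, now=now)
    if verified is None:
        return False, "dropped: SPA packet rejected"
    client_id, asset = verified
    when = datetime.fromtimestamp(now, tz=timezone.utc)
    return authorize(CLIENT_PRINCIPALS[client_id], asset, src_ip, when)


if __name__ == "__main__":
    gw = Gateway()
    t = 1567684800   # constructed: 2019-09-05 12:00:00 UTC
    pkt = make_spa_packet("alice-laptop", "crm-db", now=t)
    print(gate_request(gw, pkt, "10.1.2.3", t))   # (True, 'allowed')
    print(gate_request(gw, pkt, "10.1.2.3", t))   # replay of the same packet is dropped
```

Two points a practitioner would want to keep in mind. The replay set grows without bound as written; a real gateway expires entries once they fall outside the freshness window, which is safe because anything older is rejected on the timestamp check anyway. And the gateway's silence on failure is the whole point: its firewall default-drops, and a verified packet is what adds a narrow, per-client rule for the one asset requested, so an unauthenticated scan of the host sees nothing.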
Zero Trust security is a lofty and laudable aspiration for businesses facing potentially catastrophic cybersecurity threats. But like the thousand-mile journey, the road to Zero Trust begins with a single step. SDP solutions, coupled with effective processes, policies and procedures, can help you chart the right path.