Zero Trust is Not Enough: The Case for Intent-Based Segmentation

Network Monitoring
(Image: Pixabay)

Organizations have begun moving to a Zero Trust security model. Zero Trust mandates a “never trust, always verify, and enforce least privilege” approach to access, from both outside and inside the network. You start from the idea that traffic inside the perimeter should be no more trusted than traffic outside it. Simple trust models based on whether traffic originates inside or outside the perimeter are clearly no longer adequate. Zero Trust networking principles include:

  • Traffic inside the perimeter should be trusted no more than external traffic
  • All requests for network access should be verified, authenticated and validated on a need-to-know basis
  • All traffic should be inspected and logged

Redesigning the network using a Zero Trust approach, then, starts with data classification and process mapping by asking the question, “if this device were compromised, what data and resources could it access and compromise?” And you repeat that process for every user and device connected to the network.

Of course, there are some limitations to such an approach. The first is that if you restrict access too tightly or take too long to verify an access request, you create bottlenecks that cripple your network. In addition, there are other issues that can affect the confidentiality, integrity and availability of data which Zero Trust doesn’t address, including DDoS, human error, unintended consequences of patching, and network problems.

The critical idea is to drive security deep into the network itself. One approach is to deploy traditional security devices inside the network to enforce firewall rules, inspect traffic, detect abnormal behavior, and encrypt data. The challenge is that perimeter security devices were only designed to provide security at the connection speeds provided by your ISP. However, internal traffic is not constrained by such connectivity limitations, and can quickly overwhelm traditional security tools.

Inspecting encrypted traffic between servers or endpoint devices is another challenge. Encrypted traffic inspection is exceptionally CPU-intensive, and will force most traditional NGFW solutions to their knees.

The other challenge is that today’s networks are highly dynamic and distributed, while many security tools, especially point-defense products, were designed to protect a specific spot on the perimeter and tend to be static in terms of visibility and span of control. When deployed internally, they can limit the network’s ability to quickly adapt to changing requirements and shifting resources.

The need for dynamic segmentation

A better approach would be to implement a dynamic segmentation strategy that isolates devices, applications, and workflows based on business and security requirements. Network Access Control can identify and keep track of any device connecting to the network and determine its role and corresponding network privilege. This allows the network to immediately isolate that device to the specific role it plays and the sort of data it needs to generate or process.

While VLANs have historically been used to segment traffic, they do not have adequate security and are not able to seamlessly span distributed network environments. Instead, organizations should consider using Internal Segmentation Firewalls (ISFWs), which provide the scalability, span of control and performance inside the network that traditional NGFW solutions can’t match, as well as the security and span of control that VLANs don’t provide.

ISFWs allow administrators to dynamically and intelligently segment the network based on a variety of policies. Segments can be zoned by physical location, such as a building or floor, by dynamically shifting applications or workflows, or even restricted to a single device. Furthermore, policy-driven segmentation can assign different levels of security inspection and cross-segment clearance based on a user’s identity or the role of a device, so that only authorized east-west movement across the network is permitted.

Intelligent, intent-based segmentation

Digital transformation requires that businesses respond to consumer and market demands at ever faster speeds. Intent-based networking, for example, converts business language into networking rules, allowing users to focus on business objectives rather than networking protocols. Likewise, intent-based segmentation can interpret business and security requirements, such as the services and resources that a workflow needs to access, and convert them into a specific segmentation policy that protects and isolates the workflow along its transactional path.

Establishing and securing workflows that move across highly complex, widely distributed, and continuously shifting networks can generate significant overhead for IT and security teams. To keep up, security needs to be able to understand business intent and then dynamically apply security protocols, including segmentation and inspection at machine speeds.

In addition to interpreting business intent on the front end, intent-based segmentation also relies on an integrated security framework that enables the different tools deployed in different segments of the network to see and interact with each other. This allows them to detect and respond to threats occurring anywhere across the distributed environment, and to dynamically adapt the policies governing a network segment. By combining traditional segmentation and Zero Trust principles, intent-based segmentation offers a holistic, integrated security architecture that can adapt to changing requirements, detect and mitigate advanced threats, and grant variable access on a need-to-know basis.
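To make the two ideas above concrete, here is an added example (not code from the article or any vendor product) that compiles role-level workflow intents into a default-deny segmentation policy with a per-hop inspection level, resolves a device to its role the way NAC would, and answers the Zero Trust design question “if this device were compromised, what could it reach?” by walking the allow rules transitively. All role names, device addresses and services are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample intents (hypothetical names): a workflow role, the role it
# must reach, the service it needs, and how deeply that hop is inspected.
INTENTS = [
    ("payroll-app", "hr-db", "postgres", "deep"),
    ("payroll-app", "smtp-relay", "smtp", "standard"),
    ("hr-db", "backup-vault", "rsync", "standard"),
    ("badge-reader", "access-ctrl", "https", "standard"),
]

# NAC-style mapping from an identified device to its role (constructed sample).
DEVICE_ROLES = {"10.0.5.21": "payroll-app", "10.0.9.7": "badge-reader"}


def compile_policy(intents):
    """Compile intents into default-deny rules keyed by (source role, destination role)."""
    policy = {}
    for src, dst, service, inspection in intents:
        rule = policy.setdefault((src, dst), {"services": set(), "inspection": inspection})
        rule["services"].add(service)
    return policy


def decide(policy, src_ip, dst_role, service):
    """Return ('allow', inspection level) or ('deny', None) for one flow.
    Unregistered devices resolve to no role and therefore match no rule."""
    rule = policy.get((DEVICE_ROLES.get(src_ip), dst_role))
    if rule and service in rule["services"]:
        return "allow", rule["inspection"]
    return "deny", None


def blast_radius(policy, compromised_role):
    """Answer 'if this device were compromised, what could it reach?' by walking
    the allow rules transitively from the compromised role (breadth-first)."""
    adjacent = defaultdict(list)
    for src, dst in policy:
        adjacent[src].append(dst)
    seen, queue, reached = {compromised_role}, deque([compromised_role]), []
    while queue:
        for nxt in adjacent[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                reached.append(nxt)
    return reached


if __name__ == "__main__":
    policy = compile_policy(INTENTS)
    print(decide(policy, "10.0.5.21", "hr-db", "postgres"))  # ('allow', 'deep')
    print(decide(policy, "10.0.9.7", "hr-db", "postgres"))   # ('deny', None)
    print(blast_radius(policy, "payroll-app"))               # ['hr-db', 'smtp-relay', 'backup-vault']
```

The blast-radius walk is what the data-classification step feeds: a role whose reachable set includes more sensitive data than its workflow needs is a sign that an intent is too broad and should be narrowed before the policy is pushed to the ISFWs.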

Conclusion

Today’s digital economy requires a security approach that allows data, applications, and workflows to move freely across a distributed network while avoiding an open environment where attackers can easily move and cause damage. Intent-based Segmentation enables the flexibility and adaptability that today's networks require, without compromising on security or performance.