By now, you’ve probably heard about zero-trust , but you may be unsure how to implement it. Part of the problem is the name. Zero-trust sounds good, but putting the concept of never trust anything ever into practice is literally impossible. If users never trust any system, user, device, application or process, the would be unable to function.

A more accurate — if clunkier — name would be highly granular and distributed trust. That is, the concept behind zero trust is actually highly granular control of distributed trust. A session of type X between devices Y and Z may be permitted, but not all sessions of type X or all sessions of any type between devices Y and Z should be trusted.

Those twin concepts — highly granular and distributed trust — form the twin lynchpins of zero-trust security. Zero trust relies on — and demands — a knowledge of systems and so IT can put meaningful boundaries around systems, processes, applications and users everywhere.

Zero-trust security, therefore, requires IT to radically rethink networks, including the roles — and even the existence — of conventional and separate routers, firewalls, distributed denial-of-service defenses, network segmentation products, and all the other familiar network elements. Security functions, which are increasingly virtualized and modularized as virtual appliances and virtualized network functions, can be implemented throughout the as needed.

Zero trust also places security automation at the heart of security operations and brings with it all the benefits of automation: reliability, agility and scalability.

Zero-trust practicalities

How should cybersecurity practitioners take all these concepts — using highly granular and distributed trust, rethinking network design, implementing automation — and turn them into practical steps?

The first place to start is virtualization. Computing and application virtualization are relatively mature. Most organizations have moved toward virtualized servers, and many have implemented a microservices- and container-based development paradigm. So implementing zero trust at the computing and application layer starts with trying to provide granular, distributed security to these virtual machines (VMs), microservices and containers.

Tools from vendors such as Aqua Security, Capsule8, Layered Insight, NeuVector, StackRox, Tenable and Twistlock can provide container-based security. Tools like JSON Web Tokens can assist with microservices security.

Even though zero-trust security isn’t what its name implies, it will ultimately change everything.

Networking infrastructure, however, is significantly less mature. Many organizations still construct networks via a portfolio of physical devices — switches, routers, firewalls, load balancers, gateways, etc.

A critical step when implementing zero-trust security within a network infrastructure is the move to virtualization. Implementing software-defined networking in the data center and SD-WAN in the WAN provides the necessary platform to instantiate network and network security functions as VMs rather than physical devices. A firewall, for instance, might become a firewall VM in a branch-in-a-box SD-WAN device. This, in turn, enables automated and granular control of the functionality.

Getting to zero

Traditional security and networking vendors like , Checkpoint, Juniper Networks, Fortinet and Palo Alto Networks and emerging providers like 128 Technology are offering these types of virtualized products that provide granular control over individual sessions, along with dynamic reconfiguration of permissions. It’s worth revisiting both the traditional and emerging players to assess their degree of virtualization.

It’s also important to think about centralized policy when choosing a tool. Some vendors are beginning to make a toward becoming the network policy engine, providing hooks into a range of partner technologies that can implement the centralized policy. Regardless of which vendor you wish to anoint as the policy engine, it’s critical to think in terms of having a centralized policy repository from which you can make changes that ripple out to the entire infrastructure.

The bottom line? Even though zero-trust security isn’t what its name implies, it will ultimately change everything. And, when implementing it, network infrastructure is the weakest link, so pay special attention to virtualizing and securing your network infrastructure.



Source link
Based Blockchain Network

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here