The combination of a largely disappearing perimeter, increased enterprise security threats, expanding threat surfaces and escalating damages resulting from breaches supports stronger overall security measures, including more pervasive inspection of everything. This is the backdrop to the Zero Trust Network Architecture security model, in which NOTHING on the network is trusted. This is one of the “hottest” areas as we enter 2019, and for good reasons. Zero Trust Networking (ZTN) focuses on locking down all aspects of the network, inside and outside of traditional firewalls.
The Zero Trust premise is that not a single user, device, thing, service, or application is trusted. Trust is something that is granted through the Identity and Access Management (IAM) service that has been designed to provide proper controls. Zero Trust Networking is a subset of the Zero Trust model but focused on the IP network. As we were interviewing ZTN vendors in developing our recent TechVision Research report (by Sorell Slaymaker) on this topic, I found it interesting how almost every vendor built their ZTN offering on a robust IAM foundation.
ZTN means that not a single network session from any device is allowed to be established prior to authentication and authorization. So that is the concept, but what should enterprises do to better lock down their networks?
The goal of a Zero Trust Network is to stop malicious traffic at the edge of the network, before it is allowed on to discover, identify, and target other networked devices. Zero trust networking focuses on locking down all aspects of the network, inside and outside of traditional firewalls. Getting to ZTN is a continuation of the migration from zone-based network security models to micro-segmentation, and finally to ZTN, where the unit of control is every user, device, service, and application.
The solution is to move to a network architecture where nothing on the network is trusted. This means that in order to route a packet on the network, explicit authorization and authentication must occur. Organizations can leverage a new breed of routing protocols that tie into directories defining what users, devices, services, and applications have access to as well as verifying identity.
That said, ZTN is much more than just leveraging an Identity and Access Management (IAM) system to validate a user or device and grant appropriate network access. ZTN is far more granular, looking to IAM to work with network routing to control where every user, device, service, application, and data item is allowed to go on the network, starting at the very edge.
In the early days, the Internet architects focused on connecting anything and everything together with little consideration for security. As security became more of a focal point, firewalls were introduced to create boundaries within the Internet and between public and private networks. Additional firewalls were then added within an enterprise to further segment the network. ZTN is continuing this evolution all the way to the edge of the network where an endpoint connects to the network and passes and receives IP packets.
Zero Trust Networks as currently structured can only go so far. There is a missing link that will need to be addressed over time: the lack of integration between routing protocols such as BGP and Identity and Access Management (IAM) services. Routing has the intelligence to take packets from a source device, whose IP address resides within a sub-IP-network, and deliver them to the destination sub-IP-network, IP address and application. The routing rules reside within the routers that interconnect networks. While IAM can be used to get onto a network, today it is not used in determining how the packet is routed. The following figure illustrates that ZTN is combining the routing tables of routers with the AAA policies of a directory to allow or disallow a packet to go from a source to a destination. More granular routing rules can be applied versus today’s binary rules, which can improve network performance and security controls.
There are three primary benefits of moving to a zero trust network. The first is the elimination of public and private network borders and treating all private and public IP networks with the same zero trust policy. The second is decoupling security from the underlying IP network and adding OSI layer 5 intelligence to the very edge of networks. The third is that every user, device, service, application, and data identity can be mapped to the network session creating a “security in depth” strategy that spans the entire OSI model.
Enterprises tired of applying thousands of ACLs will find that ZTN is actually simpler and requires fewer rules. Moving to ZTN easily depends on automating the access policies. Importing and utilizing IAM information to create dynamic routing policies that decide which network sessions are allowed to occur is the foundation for creating these rules.
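As an added illustration (not from the article or from TechVision's report), the following Python model shows the two ideas above in working code: a forwarding decision that combines an ordinary routing table with directory (AAA) policy, and the contrast with a binary, subnet-based ACL. The routes, users, devices, and policy entries are all constructed for the example; the authenticate-then-authorize-then-route ordering is the point, and the helper names are assumptions of this example, not any vendor's API.

```python
"""Identity-aware forwarding decision: a toy model of the ZTN idea that a
session is routed only after the requesting identity is authenticated and
authorized against directory (AAA) policy, not merely because its source
subnet is permitted by an ACL. Every name, subnet and policy below is
constructed for illustration; none comes from the article or a real product."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Constructed routing table: destination prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("10.10.0.0/16"): "eth1 (campus)",
    ipaddress.ip_network("10.20.5.0/24"): "eth2 (finance DB segment)",
    ipaddress.ip_network("0.0.0.0/0"):    "eth0 (internet)",
}

# Constructed directory: enrolled users and devices with attributes.
USERS = {
    "alice": {"groups": {"finance"}},
    "bob":   {"groups": {"engineering"}},
}
DEVICES = {
    "laptop-a1": {"owner": "alice", "compliant": True},
    "laptop-b7": {"owner": "bob",   "compliant": True},
    "kiosk-03":  {"owner": None,    "compliant": False},
}

# Constructed AAA policy: (destination prefix, application, required group).
# A required group of None means any authenticated, enrolled identity.
POLICY = [
    (ipaddress.ip_network("10.20.5.0/24"), "postgres", "finance"),
    (ipaddress.ip_network("10.10.0.0/16"), "http",     None),
]


@dataclass
class SessionRequest:
    user: Optional[str]     # None models an unauthenticated session attempt
    device: str
    src_ip: str
    dst_ip: str
    application: str


def longest_prefix_match(dst_ip: str) -> Optional[str]:
    """Standard routing lookup: the most specific prefix containing dst_ip wins."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None


def legacy_acl_decision(req: SessionRequest) -> Tuple[bool, str]:
    """Binary, address-based rule: anything inside 10.0.0.0/8 may be forwarded.
    Identity plays no role, so an unmanaged host on the 'trusted' subnet is
    forwarded exactly like an enrolled finance laptop."""
    if ipaddress.ip_address(req.src_ip) in ipaddress.ip_network("10.0.0.0/8"):
        return True, f"permit by source subnet -> {longest_prefix_match(req.dst_ip)}"
    return False, "deny: source outside private range"


def ztn_decision(req: SessionRequest) -> Tuple[bool, str]:
    """Zero-trust ordering: authenticate, authorize, and only then route."""
    # 1. Authentication: user and device must both be known to the directory.
    if req.user not in USERS:
        return False, "deny: unauthenticated user (no session established)"
    dev = DEVICES.get(req.device)
    if dev is None or dev["owner"] != req.user:
        return False, "deny: device not enrolled for this user"
    if not dev["compliant"]:
        return False, "deny: device fails posture check"
    # 2. Authorization: directory policy must grant this destination/application.
    addr = ipaddress.ip_address(req.dst_ip)
    for net, app, group in POLICY:
        if addr in net and app == req.application:
            if group is None or group in USERS[req.user]["groups"]:
                break
            return False, f"deny: {req.user} lacks group '{group}' for {app}"
    else:
        return False, "deny: no policy grants this destination/application (default deny)"
    # 3. Routing: only now is the ordinary route table consulted and the packet forwarded.
    hop = longest_prefix_match(req.dst_ip)
    if hop is None:
        return False, "deny: no route"
    return True, f"permit -> {hop}"


if __name__ == "__main__":
    for r in [
        SessionRequest("alice", "laptop-a1", "10.10.3.4", "10.20.5.10", "postgres"),
        SessionRequest("bob",   "laptop-b7", "10.10.3.5", "10.20.5.10", "postgres"),
        SessionRequest(None,    "kiosk-03",  "10.10.9.9", "10.20.5.10", "postgres"),
    ]:
        print(f"{str(r.user):>6} on {r.device:<9}: "
              f"ACL={legacy_acl_decision(r)[0]!s:<5} ZTN={ztn_decision(r)}")
```

Run as a script, the three sample sessions show the difference the article describes: the subnet ACL forwards all three because every source sits in the private range, while the ZTN decision forwards only the enrolled finance user on a compliant device and denies the other two before any route is consulted. Replacing the inline dictionaries with a feed from a real directory is the automation step the paragraph above refers to.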
To dive deeper into this topic TechVision offered a webinar earlier this year, by Sorell Slaymaker, the author of our research report on this topic and world-class expert on networking and security. You can register for a recording of this webinar here: TechVision ZTN Webinar
Good luck and let us know how we can help as your organization looks to lock down your networks.