Microsegmentation and Zero-Trust Security
Basic Tenets of Zero-Trust
The traditional security perimeter is becoming less defined. As a result, information security professionals have shifted their attention away from securing access to networks and instead focused on securing access points. The old idea of protecting the castle (corporate asset) by securing the moat (perimeter) is ineffective because corporate assets are no longer contained within a defined security perimeter.
The zero-trust model is founded on the idea that an organization should not, by default, trust users, services or devices that attempt to access their network. Instead, that access should be verified everywhere, regardless of where the access attempt originated. Every user and device seeking access to corporate resources should be met with suspicion. The phrase ‘never trust, always verify’ describes the concept of zero-trust.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 describes seven basic tenets of zero-trust. One of the most notable tenets mandates that all resource authentication and authorization be dynamic and strictly enforced. Organizations are expected to have an identity and access management (IAM) solution, including multifactor authentication (MFA), in place as a foundation for a more modern and successful zero-trust architecture.
Microsegmentation and Zero-Trust
The approach to zero-trust architecture may vary based on the organization’s business needs, but a modern system should include microsegmentation. Organizations should design their zero-trust architecture with microsegmentation in mind.
Microsegmentation is a technology used to group or segment critical assets to closely manage the users, services or devices that attempt to access these assets. Microperimeters are created around the critical assets and policies determine access to the assets. The technology is important to a zero-trust approach because it can minimize the blast radius and fallout from a successful attack.
Microsegmentation has many benefits, such as:
- Greater policy-creation granularity for highly regulated data and critical systems
- Protection for high-value assets, such as industrial control systems (ICS) that power and control highly critical infrastructure, such as energy, oil and gas and water utilities
- Increased visibility when there is a need to quickly identify and gather key data for forensics and incident response
The approach to microsegmentation may be network-centric or application-centric. One of the disadvantages of using an application-centric approach to microsegmentation is that it is possible to over-segment the organization’s applications.
Modern Authentication and Microsegmentation
Organizations should only grant access to their segmented assets to authenticated users, services or devices to mitigate risks. Modern authentication is a key component of an effective microsegmentation policy to build confidence in a zero-trust environment.
Several variables determine a user’s authentication needs and journey. For example, authentication requirements may differ between a user accessing corporate resources from their mobile phone and a user accessing resources from their company-provided laptop while in the office. To support the various authentication needs, organizations need to establish modern authentication. Identity and access management executive Danna Bethlehem said, “Modern authentication allows for policy-based contextual access, based on risk assessments, and passwordless identity validation.” She also pointed out that “the authenticity of identities supported by modern authentication is at the core of an identity-centric approach to zero-trust security.”
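The sketch below is an added example, not taken from NIST SP 800-207 or from any product. It shows a default-deny microperimeter check in which the segment policy decides access and the authentication requirement changes with context, using the mobile phone versus office laptop case above. The segment names, role names and the "always"/"step-up" MFA modes are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:              # one microperimeter around a group of critical assets
    roles: frozenset        # roles allowed to reach the assets
    managed_only: bool      # refuse devices the organization does not manage
    mfa: str                # "always", or "step-up" = MFA unless managed device in office

@dataclass(frozen=True)
class Request:
    role: str
    segment: str
    authenticated: bool = False
    mfa_passed: bool = False
    managed_device: bool = False
    in_office: bool = False

# Constructed sample policy; segment and role names are hypothetical.
POLICY = {
    "ics-control": Segment(frozenset({"ot-engineer"}), managed_only=True, mfa="always"),
    "hr-records": Segment(frozenset({"hr", "auditor"}), managed_only=False, mfa="step-up"),
}

def evaluate(req, policy=POLICY):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    seg = policy.get(req.segment)
    if seg is None:
        return False, "no policy for segment"
    if not req.authenticated:
        return False, "not authenticated"
    if req.role not in seg.roles:
        return False, "role not permitted in segment"
    if seg.managed_only and not req.managed_device:
        return False, "unmanaged device"
    low_risk = req.managed_device and req.in_office
    if (seg.mfa == "always" or not low_risk) and not req.mfa_passed:
        return False, "MFA required"
    return True, "permitted"

if __name__ == "__main__":
    laptop = Request("hr", "hr-records", authenticated=True, managed_device=True, in_office=True)
    phone = Request("hr", "hr-records", authenticated=True)
    for name, req in (("office laptop", laptop), ("mobile phone", phone)):
        print(name, evaluate(req))
```

The reason string returned with each decision is what a policy enforcement point would log, which supports the visibility benefit listed earlier for forensics and incident response.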
According to a 2021 study, 59% of the respondents use the same password repeatedly, at home and in the office, primarily due to fear of forgetting their password. Employees who reuse passwords engage in risky behavior by making it easy for criminals to access corporate networks and data. Organizations adopting a zero-trust approach to risk mitigation can address the password reuse issue by using single sign-on (SSO) and MFA instead of having users enter a password at every access point. These methods may make gaining access to corporate resources less cumbersome or time-consuming for the end-user.
Conclusion
Strong enterprise security is essential for organizations to compete in today’s digital marketplace. To remain competitive while securing corporate assets, information security professionals are revisiting their organization’s cybersecurity strategy to adopt zero-trust. Building a zero-trust architecture around strong access management and microsegmentation will help provide the foundation necessary to create a trusted business environment.