Microsegmentation and Zero-Trust Security

Zero-trust security is much more than just a buzzword. It is a critical mindset for organizations to consider as they encounter security challenges related to the growing distributed workforce that is accessing corporate assets from anywhere and everywhere and business workloads performed in hybrid environments. To overcome the challenge of securing access to corporate assets and protecting data in this era of shifting security boundaries, organizations are adopting a zero-trust approach to security by developing the architecture to mitigate risks associated with business functions at the access point. Microsegmentation, supported by strong identity and access management (IAM), is a best practice followed by many organizations, especially those operating critical infrastructure.

Basic Tenets of Zero-Trust

The traditional security perimeter is becoming less defined. As a result, information security professionals have shifted their attention away from securing access to networks and instead focused on securing access points. The old idea of protecting the castle (corporate asset) by securing the moat (perimeter) is ineffective because corporate assets are no longer contained within a defined security perimeter.

The zero-trust model is founded on the idea that an organization should not, by default, trust users, services or devices that attempt to access their network. Instead, that access should be verified everywhere, regardless of where the access attempt originated. Every user and device seeking access to corporate resources should be met with suspicion. The phrase "never trust, always verify" describes the concept of zero-trust.

The National Institute of Standards and Technology (NIST) special publication (SP) 800-207 described seven basic tenets of zero-trust. One of the most notable tenets mandates that all resource authentication and authorization be dynamic and strictly enforced. Organizations are expected to have an IAM solution in place as a foundation for a more modern and successful zero-trust architecture, including multifactor authentication (MFA).

Microsegmentation and Zero-Trust

The approach to zero-trust architecture may vary based on the organization's business needs, but a modern system should include microsegmentation. Organizations should design their zero-trust architecture with microsegmentation in mind.

Microsegmentation is a technology used to group or segment critical assets to closely manage the users, services or devices that attempt to access these assets. Microperimeters are created around the critical assets and policies determine access to the assets. The technology is important to a zero-trust approach because it can minimize the blast radius and fallout from a successful attack.

Microsegmentation has many benefits, such as:

  • Greater policy-creation granularity for highly regulated data and critical systems
  • Security for high-value assets, such as industrial control systems (ICS) that power and control highly critical infrastructure, such as energy, oil and gas and water utilities
  • Increased visibility when there is a need to quickly identify and gather key data for forensics and incident response

The approach to microsegmentation may be network-centric or application-centric. One of the disadvantages of using an application-centric approach to microsegmentation is that it is possible to over-segment the organization's applications.

Modern Authentication and Microsegmentation

Organizations should only grant access to their segmented assets to authenticated users, services or devices to mitigate risks. Modern authentication is a key component of an effective microsegmentation policy to build confidence in a zero-trust environment.

Several variables determine a user's authentication needs and journey. For example, authentication requirements may differ for a user accessing corporate resources from their mobile phone versus accessing resources using their company-provided laptop while in the office. To support the various authentication needs, organizations need to establish modern authentication. Identity and access management executive Danna Bethlehem said, "Modern authentication allows for policy-based contextual access, based on risk assessments, and passwordless identity validation." She also pointed out that "the authenticity of identities supported by modern authentication is at the core of an identity-centric approach to zero-trust security."
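
The sketch below is an added example, not code from the article or from any product. It shows how a microperimeter policy and policy-based contextual access can combine into one default-deny decision. The segment names, roles, factor thresholds and the rule that risky context adds a required factor are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy for illustration: segment names, roles and thresholds
# are hypothetical, not taken from the article or any product.
SEGMENTS = {
    "ics-control": {"roles": {"ot-engineer"}, "factors": 2, "managed_only": True},
    "hr-records": {"roles": {"hr-analyst"}, "factors": 1, "managed_only": False},
}

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset
    segment: str
    managed_device: bool        # company-provided and enrolled
    on_corporate_network: bool  # for example, working in the office
    verified_factors: int       # independent factors verified this session

def decide(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, step_up or deny."""
    policy = SEGMENTS.get(req.segment)
    if policy is None:
        return "deny", "no policy for segment (default deny)"
    if not policy["roles"] & req.roles:
        return "deny", "subject holds no role permitted in this segment"
    if policy["managed_only"] and not req.managed_device:
        return "deny", "segment only accepts managed devices"
    # Context raises the bar: being off-network or on an unmanaged device
    # each adds one required factor on top of the segment's baseline.
    required = policy["factors"]
    required += 0 if req.on_corporate_network else 1
    required += 0 if req.managed_device else 1
    if req.verified_factors < required:
        return "step_up", f"{required} factors required, {req.verified_factors} verified"
    return "allow", "role, device and authentication satisfy segment policy"

# Constructed sample requests covering each branch of the decision.
SAMPLES = [
    AccessRequest("alice", frozenset({"hr-analyst"}), "hr-records", True, True, 1),
    AccessRequest("alice", frozenset({"hr-analyst"}), "hr-records", False, False, 1),
    AccessRequest("bob", frozenset({"ot-engineer"}), "ics-control", False, True, 2),
    AccessRequest("carol", frozenset({"hr-analyst"}), "ics-control", True, True, 2),
    AccessRequest("dave", frozenset({"ot-engineer"}), "scada-historian", True, True, 2),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.subject, r.segment, *decide(r))
```

The same user reaches the same segment with one factor from a managed laptop in the office, but is asked to step up from an unmanaged phone off-network, and a segment with no policy is refused outright.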

According to a 2021 study, 59% of the respondents use the same password repeatedly, at home and in the office, primarily due to fear of forgetting their password. Employees who reuse passwords engage in risky behavior by making it easy for criminals to access corporate networks and data. Organizations adopting a zero-trust approach to risk mitigation can address the password reuse issue by using single sign-on (SSO) and MFA instead of having users enter a password at every access point. These methods may make gaining access to corporate resources less cumbersome or time-consuming for the end-user.

Conclusion

Strong enterprise security is essential for organizations to compete in today's digital marketplace. To remain competitive while securing corporate assets, information security professionals are revisiting their organization's cybersecurity strategy to adopt zero-trust. Building a zero-trust architecture around strong access management and microsegmentation will help provide the foundation necessary to create a trusted business environment.


Ambler Jackson

Ambler is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes with Bora Design about today’s most important cybersecurity and regulatory compliance issues. 
