“It was: Once you log into the network, you’re trusted. But zero trust is about validating all along the way. That is a big change,” says Carmichael, director of strategy, risk, and compliance advisory at Momentum Technology and a member of the Emerging Trends Working Group at professional governance association ISACA.
Mary K. Pratt for CSO Online
Zero Trust Networks
To implement a zero-trust security posture, we need the ability to challenge a user (or workload) each time it moves to a different resource or zone within our systems. NIST SP 800-207 describes what a zero-trust architecture looks like and the assumptions a network must satisfy to support one.
1. The entire enterprise network is not considered an implicit trust zone.
This is the first of the network assumptions in NIST SP 800-207 and the starting point of the posture: being on the network, or having authenticated once at the perimeter, does not by itself make a user or device trusted.
There are many different approaches, but I want to focus on micro-segmentation, the approach described in section 3.1.2 of NIST SP 800-207.
An enterprise may choose to implement a ZTA based on placing individual or groups of resources on a unique network segment protected by a gateway security component.
NIST 800-207
Protecting assets with East-West firewalls, that is, micro-segmenting the network, has some advantages over purely software-defined approaches such as SDN:
1. They are robust.
2. They are simpler to manage than software-based controls in many cases.
This should not be attempted with legacy or non-NGFW firewalls; the cost and complexity are too high. Instead, we build out smaller network segments, or host-based firewalls, all tied to identity management. Access to each segment is granted to groups or individual identities, and the identity challenge happens at each layer being accessed. Pass-through (single sign-on) authentication is assumed here; otherwise that is a lot of typing in your password. On top of that you can require MFA for core databases or other 'crown jewel' assets. What you then have is a network whose controls persist even when a new server is deployed: an asset deployed into a segment with ZTA underlying it is protected from the start, because the ZTA is 'baked in'.
When you go from the application server to the database there is no assumption of trust; instead there is a ZTA barrier in the network with identity controls in place. The environment is ZTA by design, which simplifies the program once it is in place. This is the East-West firewall: it is not concerned with North-South access into and out of the network, but with access between internal networks. "VLANs with teeth" is a phrase I sometimes use to describe this.
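The behaviour described in the two paragraphs above (a challenge at every segment gateway, pass-through SSO for ordinary hops, step-up MFA for crown-jewel segments, and policy that a newly deployed host inherits) can be written down as a small policy decision point. The following is an added illustration for this post, not code from NIST SP 800-207 or any firewall product. The segment and group names, the host inventory, and the rule that crown-jewel segments require fresh MFA from people and a valid workload credential from services are all assumptions chosen for the example.

```python
"""Toy policy decision point for a micro-segmented (east-west) zero-trust network.

Added illustration for this post, not code from NIST SP 800-207 or any vendor.
Segment names, groups, the host inventory and the crown-jewel rule below are
assumptions chosen for the example.
"""
from dataclasses import dataclass

# Policy is attached to the segment (the gateway in front of it), not to the
# individual host, so a host deployed into a segment inherits it ("baked in").
SEGMENT_POLICY = {
    "web-tier": {"allowed_groups": {"web-admins", "ci-deploy"}, "crown_jewel": False},
    "app-tier": {"allowed_groups": {"app-admins", "svc-web"}, "crown_jewel": False},
    "db-tier":  {"allowed_groups": {"dba", "svc-app"}, "crown_jewel": True},
}

# Asset inventory: which segment each host sits in (constructed sample data).
RESOURCES = {"web-01": "web-tier", "app-01": "app-tier", "db-01": "db-tier"}


def deploy(hostname, segment):
    """Place a new host in a segment; it gets that segment's policy automatically."""
    if segment not in SEGMENT_POLICY:
        raise ValueError(f"no policy defined for segment {segment}")
    RESOURCES[hostname] = segment


@dataclass
class Identity:
    name: str
    groups: set
    kind: str = "user"                 # "user" or "service"
    sso_valid: bool = True             # pass-through SSO session: no password re-entry per hop
    mfa_fresh: bool = False            # a fresh MFA assertion accompanies this request (users)
    workload_cred_valid: bool = False  # e.g. mTLS / workload identity (services)


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_hop(identity, dst_host):
    """Decide one east-west hop to dst_host. Where the request came from confers
    nothing: the destination segment's policy is applied on every hop."""
    segment = RESOURCES.get(dst_host)
    if segment is None:
        return Decision(False, f"{dst_host} is not in the inventory: default deny")
    policy = SEGMENT_POLICY[segment]
    if not identity.sso_valid:
        return Decision(False, f"{identity.name} has no valid authenticated session")
    if not (identity.groups & policy["allowed_groups"]):
        return Decision(False, f"{identity.name} is in no group allowed into {segment}")
    if policy["crown_jewel"]:
        if identity.kind == "user" and not identity.mfa_fresh:
            return Decision(False, f"step-up MFA required for {segment}")
        if identity.kind == "service" and not identity.workload_cred_valid:
            return Decision(False, f"valid workload credential required for {segment}")
    return Decision(True, f"{identity.name} -> {dst_host} ({segment}) permitted")


def traverse(identity, hosts):
    """Walk a chain of hosts, being challenged at each segment gateway.
    Stops at the first deny and returns every decision taken."""
    decisions = []
    for dst in hosts:
        d = evaluate_hop(identity, dst)
        decisions.append(d)
        if not d.allowed:
            break
    return decisions


if __name__ == "__main__":
    # A DBA with an SSO session but no fresh MFA: allowed into app-tier,
    # challenged at the crown-jewel db-tier.
    dba = Identity("alice", {"app-admins", "dba"})
    for d in traverse(dba, ["app-01", "db-01"]):
        print(d.allowed, d.reason)
    # The app server's service identity reaching the database: no implicit trust
    # for being "inside"; it needs group membership and a valid workload credential.
    svc = Identity("app-01-svc", {"svc-app"}, kind="service", workload_cred_valid=True)
    print(evaluate_hop(svc, "db-01").reason)
    # A new database host deployed into db-tier is protected immediately.
    deploy("db-02", "db-tier")
    print(evaluate_hop(Identity("mallory", {"web-admins"}), "db-02").reason)
```

The point of `traverse` is that reaching app-01 buys alice nothing at db-01: each gateway re-evaluates the identity against its own segment's policy, and the crown-jewel segment adds the step-up challenge on top of the SSO session. In a real deployment the decision would be enforced by the NGFW or host firewall in front of the segment and the identity attributes would come from the directory and the SSO/MFA provider; the dictionaries here stand in for both.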
Black Cloud vs. Micro Segmentation
Yesterday we were talking about SDN, software-defined networking, as the means of controlling access. That is a more mature East-West system, and it relies on well-defined systems and the ability to apply controls to them. Many organizations on the road to a ZTA posture struggle with exactly that definition. One of the advantages of ZTA in network architecture is that it helps on the journey toward better compliance. However, if an organization has many legacy systems and a lot of technical and security debt, a ZTA network built on a robust NGFW will be simpler and quicker to implement than an SDN-based one.
Citation
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf