This is Part 2 of a 5-part blog series.
In the previous part of this blog series, we covered an overview of zero trust security architecture concepts. The main concept is that trust should never be assumed based on where a user is in a network. A user or device is no longer trusted merely because it sits inside the perimeter. Instead, every request to access a network resource must be authenticated and authorized. For more information, please read the Part 1 Introduction post.
This post will focus on an approach to Zero Trust known as micro-segmentation of the network. This model expands on the traditional firewall approach by using Next Generation Firewalls (NGFWs) and slicing the network into smaller and smaller segments, where access to applications and other resources is controlled by rules defined in the NGFW. Firewall vendors have tried to address micro-segmentation and Zero Trust by introducing Segmentation Gateways: hardware that performs various security functions within micro-perimeters.
Network micro-segmentation is the practice of dividing the network into small logical segments so that only authorized endpoints can access the applications and data housed on those segments. This also provides an advantage over traditional perimeter security: an attacker who compromises one host inside a small segment can reach far fewer systems from it, so the blast radius of a single compromise, and the room for lateral movement, is reduced. By micro-segmenting, an organization could, for example, control access so that only HR users located in a certain office have access to the HR applications or servers for that region.
Micro-segmentation typically uses a number of firewall interfaces configured to connect network segments into a security zone. This zone is secured with its own set of rules that allow only the permitted users, devices, and applications to access that zone. The concept of micro-segmentation isn't new, though. Enterprises have been segmenting their networks using VLANs, routers, firewalls, Network Access Control (NAC), and ACLs for quite some time; what is new here is the push for granularity and ever-smaller micro-perimeters around individual workflows.
Figure: Micro-Segmented Data Center
For micro-segmentation to work effectively, it is important to define security zones tightly. Each zone has its own security controls and workflows, and is typically designed to allow only the minimum needed services. Once the firewall permits access to a security zone, traffic can flow freely from that user or device anywhere within the zone, while communication between zones is blocked unless a rule explicitly allows it. So the smaller and more locked-down the zone, the less an attacker gains from any single permitted connection.
One of the biggest challenges, then, is efficiently and properly segmenting the network to lock it down - yet provide access. Maintaining this in a dynamically changing environment is an ever-growing challenge as new applications, networks, users and devices are deployed.
The first part of the challenge is implementation: Who gets access to what, and what is the minimum access needed? To answer this question requires visibility into an enterprise's vastly complex network, workflows, users, locations, identity and access configurations. That visibility then needs to be translated into access policies and those policies into configuration for the firewalls, switches, routers, VPN boxes, load balancers, end user clients and applications. Beyond that, if there are multiple data centers and cloud environments all hosting different applications and supporting different needs, this must be taken into account with more boxes and more rules to configure.
The second part of the challenge becomes maintenance. As the business changes, as employees or third parties join or leave the enterprise, as users become more mobile, or as new applications and workflows are introduced, the micro-perimeter must be maintained. This is not only operationally intensive; each time configurations are touched there is a risk of misconfiguration, or of a "quick fix" any/any rule being added to solve an immediate issue and never removed, which silently undoes the segmentation it was supposed to preserve.
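To make the zone semantics above concrete (free flow inside a zone, default deny between zones, the HR-users-to-HR-apps rule from the earlier example) and to show why the any/any "quick fix" is dangerous, here is a small policy model written for this post. It is an added example, not code from the original post or from any firewall vendor; the zone names, address prefixes, rule names and the TCP-only simplification are all constructed for illustration, and a real NGFW policy would carry far more attributes (users, applications, directions, logging).

```python
# Added example (not from the original post): a toy model of a micro-segmented
# policy, to show zone semantics and how an "any/any" quick fix undoes them.
# All zone names, prefixes and rules below are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # zone name, or ANY
    dst_zone: str        # zone name, or ANY
    dst_port: int | str  # TCP port, or ANY (assumption: TCP only, for brevity)
    action: str = "allow"


@dataclass
class Policy:
    zones: dict[str, list]                            # zone name -> ip_network prefixes
    rules: list[Rule] = field(default_factory=list)   # evaluated first-match

    def zone_of(self, ip: str):
        addr = ip_address(ip)
        for name, nets in self.zones.items():
            if any(addr in net for net in nets):
                return name
        return None

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int):
        """Return (action, reason) for a flow, with the zone semantics the post
        describes: free flow inside a zone, default deny between zones unless
        an explicit rule permits it."""
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return "deny", "unknown-zone"
        if src == dst:
            return "allow", "intra-zone"      # no enforcement inside the zone
        for rule in self.rules:
            if (rule.src_zone in (ANY, src)
                    and rule.dst_zone in (ANY, dst)
                    and rule.dst_port in (ANY, dst_port)):
                return rule.action, rule.name
        return "deny", "default-deny"


def lint_any_any(policy: Policy) -> list[str]:
    """Names of allow rules that match any source, any destination, any port.
    Such a rule makes every later rule unreachable and the segmentation
    meaningless, so this check belongs in change control for the policy."""
    return [r.name for r in policy.rules
            if r.action == "allow"
            and (r.src_zone, r.dst_zone, r.dst_port) == (ANY, ANY, ANY)]


def sample_policy() -> Policy:
    """Constructed example: HR users in one office may reach that region's
    HR application servers over HTTPS; nothing else crosses zone boundaries."""
    return Policy(
        zones={
            "hr-users-nyc": [ip_network("10.1.10.0/24")],
            "hr-apps-nyc": [ip_network("10.1.50.0/24")],
            "eng-users-nyc": [ip_network("10.1.20.0/24")],
        },
        rules=[Rule("hr-nyc-to-hr-apps", "hr-users-nyc", "hr-apps-nyc", 443)],
    )


def with_quick_fix(policy: Policy) -> Policy:
    """The failure mode from the post: an any/any rule appended to unblock
    someone quickly. Evaluation still 'works', but the lint catches it."""
    return Policy(zones=policy.zones,
                  rules=policy.rules + [Rule("quick-fix", ANY, ANY, ANY)])


if __name__ == "__main__":
    p = sample_policy()
    print(p.evaluate("10.1.10.5", "10.1.50.8", 443))   # ('allow', 'hr-nyc-to-hr-apps')
    print(p.evaluate("10.1.20.5", "10.1.50.8", 443))   # ('deny', 'default-deny')
    print(p.evaluate("10.1.50.8", "10.1.50.9", 22))    # ('allow', 'intra-zone')
    q = with_quick_fix(p)
    print(q.evaluate("10.1.20.5", "10.1.50.8", 443))   # ('allow', 'quick-fix')
    print(lint_any_any(p), lint_any_any(q))            # [] ['quick-fix']
```

Two things worth noticing in the output. The intra-zone SSH flow between two HR application servers is allowed without any rule at all, which is exactly the "traffic flows freely within the zone" property and the reason zones should be small. And after the quick fix, an engineering user reaches the HR servers with no policy error anywhere; only a deliberate check such as lint_any_any surfaces it, so that check should run on every policy change rather than being left to a periodic audit.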
It's not hard to see why, in theory, micro-segmentation is a nice concept for Zero Trust, but it comes with "gotchas" and pains that have caused some enterprises, including Akamai, to abandon relying solely on micro-segmentation to secure the network. There are still benefits to the additional layer of security micro-segmented networks provide as part of a defense-in-depth strategy. For example, network segmentation can provide a coarse level of isolation for East/West traffic within a datacenter, while North/South client application-level access can be enforced with an Identity Aware Application Proxy (IAP) or a Software Defined Perimeter (SDP) solution.
As with most security architectures, there are plenty of choices and options available when designing a zero trust network, and these options do not need to be mutually exclusive. A defense-in-depth strategy that layers these controls is key to architecting scalable and secure networks built around Zero Trust.
An overview of each of the three architectures covered in this series will be instructive to any organization working to map out its security roadmap. In this post we described the Network Micro-Segmentation approach. The next two posts in this series will explain the two other architectures.