Establishing A Zero-Trust Infrastructure

By Tony Tanzi ·

When looking at a security posture, the main concern is usually blocking a potential attacker who sits outside our network from getting inside it. This is often referred to as perimeter defense. While perimeter defense remains a very important security concern, it is not the only one. There is a newer paradigm to be concerned with, and that is protecting your sensitive data from a breach that originates inside the network, whether from a compromised host or from a user who should not have that access. This paradigm is the ability to create a ‘zero trust’ infrastructure. It means that there is no default trust for any entity on the network, and that includes users, devices and applications. By establishing ‘zero-trust’ boundaries, you are in essence compartmentalizing segments of your network. This compartmentalization allows you to positively control who has access to critical resources. It also lets you control which users and which applications are permitted across each boundary, and scan for potential threats as the user accesses the resources you have allowed them to reach. This is another step in reducing the exposure of vulnerable systems and in preventing the lateral movement of malware throughout your network.

Some of the concepts around a ‘zero-trust’ network are the following. The first is secure access to the network, whether via a remote VPN session or by having to authenticate before being allowed onto the network. Another piece of the ‘zero-trust’ network is the ability to inspect all traffic. This inspection should be done at the application level, identifying the application from the content of the session rather than from the port it uses, so that we don’t run into issues such as application port hopping, where an application (or an attacker’s tool) evades a port-based rule by running on a port the rule happens to allow. The goal here is to provide the designated users with only the access required to perform their job function. One of the most important pieces of a ‘zero-trust’ network is the ability to perform advanced threat protection. This gives us another layer of defense against things like malware spread. Possibly the most important piece in building a ‘zero-trust’ network is for the security device enforcing these policies to have a very high performance level, since all traffic crossing a boundary now passes through it and it must not become the bottleneck in the network.

Another concern is the ability to identify devices and guest users that access our wireless networks. The ideal solution would allow us to identify the user and their device as they attach to the wireless network, and have the authentication device update your security platform with this information (for example, by forwarding the user-to-address mapping it learned at authentication time), so that we can track and log the guest user’s activity and apply policy to it.
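The two pieces above, application-level inspection that is not fooled by port hopping and a user/device mapping pushed from the authentication system, are easiest to see side by side in a small policy engine. The following is an added example written for this page, not code from the article or from any product it describes. The IP-to-identity table, the rule set, the resource names and the sample session bytes are all constructed for illustration; a real enforcement point would receive the identity mapping from a wireless controller or RADIUS accounting feed and would classify applications with far richer signatures than the three byte patterns used here.

```python
"""Added example: a minimal zero-trust policy check that combines user identity,
device posture and content-based application identification with a default-deny
rule set. Not from the article; all names, mappings and sample sessions are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str          # client address on the internal or guest network
    resource: str        # logical name of the destination (e.g. an HR web app)
    dst_port: int
    first_bytes: bytes   # opening bytes of the client's stream


@dataclass(frozen=True)
class Identity:
    user: str
    group: str               # "employee" or "guest"
    device_compliant: bool   # posture result reported at authentication time


# Constructed IP-to-identity table, standing in for the mapping a wireless
# controller or RADIUS accounting feed would push to the enforcement point.
IDENTITY_BY_IP = {
    "10.0.20.15": Identity("alice", "employee", True),
    "10.0.20.16": Identity("bob", "employee", False),
    "10.0.90.7":  Identity("guest-4821", "guest", False),
}

# Default-deny rule set: (group, application, resource, require_compliant_device).
# Anything not listed here is denied.
RULES = [
    ("employee", "tls", "hr-portal", True),
    ("employee", "ssh", "jump-host", True),
    ("guest",    "tls", "internet",  False),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(first_bytes: bytes) -> str:
    """Classify the application from the stream content rather than the port."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"   # TLS record type 0x16 (handshake), major version 3
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def port_based_decision(s: Session) -> str:
    """Legacy perimeter-style rule: anything on 443 to a web resource is allowed."""
    if s.dst_port == 443 and s.resource in ("hr-portal", "internet"):
        return "allow"
    return "deny"


def zero_trust_decision(s: Session) -> tuple[str, str]:
    """Return (verdict, reason). Every session must match an explicit rule."""
    ident = IDENTITY_BY_IP.get(s.src_ip)
    if ident is None:
        return "deny", "source not mapped to an authenticated user"
    app = identify_app(s.first_bytes)
    for group, rule_app, resource, need_compliant in RULES:
        if ident.group == group and app == rule_app and s.resource == resource:
            if need_compliant and not ident.device_compliant:
                return "deny", f"{ident.user}: device failed posture check"
            return "allow", f"{ident.user} ({group}) -> {app} on {resource}"
    return "deny", f"{ident.user} ({ident.group}): no rule permits {app} to {s.resource}"


# Constructed sample stream openings: a TLS ClientHello record header and an SSH banner.
TLS_HELLO = b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    samples = [
        Session("10.0.20.15", "hr-portal", 443, TLS_HELLO),    # compliant employee
        Session("10.0.20.15", "hr-portal", 443, SSH_BANNER),   # SSH hiding on 443
        Session("10.0.20.16", "hr-portal", 443, TLS_HELLO),    # non-compliant laptop
        Session("10.0.90.7",  "hr-portal", 443, TLS_HELLO),    # guest reaching HR app
        Session("10.0.33.2",  "hr-portal", 443, TLS_HELLO),    # never authenticated
    ]
    for s in samples:
        verdict, why = zero_trust_decision(s)
        print(f"port-based={port_based_decision(s):5} zero-trust={verdict:5} {why}")
```

The second sample is the port-hopping case: a port-based rule sees TCP/443 to the web portal and allows it, while the content-based check classifies the stream as SSH and finds no rule permitting SSH to that resource. The last three samples show the identity side: the same TLS session is denied because the device failed its posture check, because the user is in the guest group, or because the source address was never mapped to an authenticated user at all.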

Once this ‘zero-trust’ network is established, you can prevent things like the exfiltration of sensitive data by someone who should not have access to it, and you can contain the spread of malware throughout the network. A ‘zero-trust’ network may also help in meeting specific compliance recommendations.