By Chris Yates, Critical Start
Adopting zero trust and micro-segmentation as core design principles can improve the security posture of your network and the systems attached to it. To see how these principles help, though, it is worth first understanding how we arrived at the current state of network security.
First, a quick review of current network security architecture. Many organizations have adopted some variation of a zone-based model for network security. The most prevalent model is composed of some combination of four security zones: Untrusted/Internet, DMZ, Trusted/Internal, and Restricted (PCI, etc.). The basic principle is to place resources in the appropriate zone and to allow traffic to cross a zone boundary only through one or more security controls, including a firewall. Unfortunately, although the Internet/DMZ/Internal model has been fairly widely adopted, the majority of organizations have not implemented internal segmentation, despite best practices and the fact that many compliance frameworks prescribe it.
The supporting technical infrastructure underlying the security architectural model is often partly to blame for the lack of internal segmentation. The most prevalent network architectural model is hierarchical, which restricts the placement of network security controls to layer 3 subnet boundaries. Combined with the fact that most existing security controls are hardware-based, it is no surprise that little progress has been made in this space. Further contributing to the problem is the operational model historically used in many organizations, which separates the network personnel from the network security personnel.
The resulting lack of internal segmentation controls and visibility tools means that the compromise of any single internal resource can be used to pivot to and attack other internal resources with few limits on mobility or access. This legacy approach also yields limited visibility, which gives attackers considerable time before an attack is noticed and action can be taken. Reliance on host-based security controls is usually the method employed to mitigate some of this risk.
However, there now exist capabilities to virtualize compute, storage, and network resources. Organizations are virtualizing their infrastructures into private, public, and hybrid cloud architectures. Those same organizations are also changing their operational model to support converged infrastructure teams. How can security teams become a part of this effort, helping to virtualize and distribute the security controls as well?
According to Forrester Research, Zero Trust provides one component of the architectural framework that can be inserted into the broader guiding principles for technical architecture, and micro-segmentation provides another. Zero Trust is based on three main principles:
- All resources are accessed in a secure manner regardless of location
- Access control is on a “need to know” basis and is strictly enforced
- Inspect and log all traffic – from any source to any destination
Segmentation has been part of the ongoing maturation of network architectures. As technology matured, we moved from shared hubs to switches and began to use network virtualization. Shrinking the collision domain to two participants (the switch and the end node) delivered a huge jump in capability and performance. Micro-segmentation for security purposes does much the same thing: it shrinks the security visibility and control domain to two participants, the end node and the security control. To accomplish this, the security controls must be distributed and must perform well enough not to inhibit the system while still achieving the security objective.
The broad adoption of virtualization and Infrastructure as a Service (IaaS) offerings such as Amazon Web Services, Azure, and vCloud Air, among others, provides a capable platform for integrating Zero Trust and micro-segmentation into technical architectures and design principles. We can now truly have a distributed firewall that controls traffic and provides rich visibility at the host level. In their book “Micro-segmentation For Dummies,” Lawrence Miller and Joshua Soto point out that vendors are also evolving their distributed firewall controls to facilitate a cohesive micro-segmentation design across private, public, and hybrid cloud architectures.
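To make the contrast concrete, here is an added policy-evaluation example (not code from the article, and not any vendor's product): a small Python model of the zone-based design described above beside a host-level micro-segmentation policy built on the three Zero Trust principles. The host names, zones, ports, rule sets and sample flows are constructed for the illustration. In the zone model, a control only sits at a zone boundary, so traffic between two hosts in the same zone is neither evaluated nor logged; in the micro-segmented model every flow is matched against a per-host "need to know" allow-list, is denied by default, and produces a log entry whether allowed or denied.

```python
"""Zone-based perimeter policy vs. host-level micro-segmentation policy.

Added illustration, not code from the article. All host names, zones,
ports and flows are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str   # source host name ("internet" for an external client)
    dst: str   # destination host name
    port: int  # destination TCP port


# Constructed inventory: which zone each host sits in (assumed names).
ZONE_OF: Dict[str, str] = {
    "web-1": "dmz",
    "app-1": "internal",
    "hr-db": "internal",
    "card-db": "restricted",
}

# Zone model: controls exist only at zone boundaries (layer 3 subnet edges).
# Key = (source zone, destination zone); value = permitted destination ports.
ZONE_RULES: Dict[Tuple[str, str], Set[int]] = {
    ("internet", "dmz"): {443},
    ("dmz", "internal"): {8443},
    ("internal", "restricted"): {5432},
}

# Micro-segmentation model: one allow-list entry per (src host, dst host, port).
# Anything not listed is denied, regardless of zone: the "need to know" principle.
HOST_RULES: Set[Tuple[str, str, int]] = {
    ("internet", "web-1", 443),
    ("web-1", "app-1", 8443),
    ("app-1", "card-db", 5432),
}


def zone_of(host: str) -> str:
    """Hosts not in the inventory are treated as external (Untrusted/Internet)."""
    return ZONE_OF.get(host, "internet")


def zone_model(flow: Flow, log: List[str]) -> str:
    """Perimeter firewall between zones; intra-zone traffic never reaches a control."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # No control point on the path: no decision is made and nothing is logged.
        return "allow"
    permitted = ZONE_RULES.get((src_zone, dst_zone), set())
    verdict = "allow" if flow.port in permitted else "deny"
    log.append(f"zone {verdict} {flow.src}->{flow.dst}:{flow.port}")
    return verdict


def microseg_model(flow: Flow, log: List[str]) -> str:
    """Distributed per-host firewall: every flow is evaluated and logged, default deny."""
    verdict = "allow" if (flow.src, flow.dst, flow.port) in HOST_RULES else "deny"
    log.append(f"host {verdict} {flow.src}->{flow.dst}:{flow.port}")
    return verdict


def evaluate(flows: List[Flow]):
    """Return (verdicts, zone_log, host_log): per-flow verdicts for both models
    plus the audit trail each model produced."""
    zone_log: List[str] = []
    host_log: List[str] = []
    verdicts: Dict[Flow, Tuple[str, str]] = {}
    for f in flows:
        verdicts[f] = (zone_model(f, zone_log), microseg_model(f, host_log))
    return verdicts, zone_log, host_log


# Constructed traffic sample: the first three flows are the legitimate application
# path; the last two are traffic from app-1 to a neighbour in the same zone that
# the application has no need to reach.
SAMPLE_FLOWS = [
    Flow("internet", "web-1", 443),
    Flow("web-1", "app-1", 8443),
    Flow("app-1", "card-db", 5432),
    Flow("app-1", "hr-db", 22),
    Flow("app-1", "hr-db", 5432),
]

if __name__ == "__main__":
    verdicts, zone_log, host_log = evaluate(SAMPLE_FLOWS)
    for f, (z, m) in verdicts.items():
        print(f"{f.src:>8} -> {f.dst:<8}:{f.port:<5} zone={z:<5} microseg={m}")
    print(f"zone model logged {len(zone_log)} of {len(SAMPLE_FLOWS)} flows")
    print(f"micro-segmentation logged {len(host_log)} of {len(SAMPLE_FLOWS)} flows")
```

Running it shows the point of the article in two lines of output: the two app-1 to hr-db flows are allowed by the zone model and never appear in its log, because no control sits between two hosts in the Internal zone, while the micro-segmented policy denies both and records every decision, giving the visibility that the legacy design lacks.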
The challenge is to design a network that places security controls in the right locations. There are solutions that can help overcome this challenge, but they require integrating these security controls into the larger discipline of providing services to the business. Here are a few considerations:
- Security teams must insist on a place at the architecture and engineering tables. Security controls must become part of the converged infrastructure, and security teams need to become part of the larger converged infrastructure teams. This can only happen when security leadership is able to make a risk-based business case that the services the business requires must include security services alongside the rest of the infrastructure stack. Once the business understands that security is just as important as infrastructure, the budgetary and political struggles security teams sometimes encounter cease to be significant obstacles.
- Network, systems, storage, and security personnel must work together to figure out how to get applications to work with security controls in place. This requires infrastructure and security teams to have true test and development environments that include the same security controls as production. Implementation and development processes must treat security requirements as part of the process. Organizations have become comfortable with a methodology that implements first and then asks security teams to secure the environment afterward. This simply does not work, and it frequently results in a production environment that has not been properly secured: the risk of causing a service interruption by introducing a security control becomes the driving consideration, and the controls never get implemented.
For organizations able to move past these two challenges, security teams can begin integrating tighter controls into a converging architecture. Doing so will help your organization overcome its network architecture challenges.
About the Author
Chris Yates is a Senior Security Architect at Critical Start, a provider of cybersecurity solutions. Chris has more than 25 years of IT experience, including a decade focused on Information Security. As a Department of Defense employee, he spent 14 years in the public sector. In the private sector, his experience spans the transportation, electric utility, and healthcare industries. A recognized speaker at regional and national security conferences, Yates has delivered insights on security architecture, the security impacts of converged infrastructure, and next generation security tools. He also teaches networking and network security at Southern Nazarene as an adjunct professor.