Applications sit at the heart of any modern enterprise. They drive the creation of innovative customer experiences and support employee productivity. But as inter-app traffic has increased and environments have become more distributed, visibility, control and security have faltered. This is the new reality that segmentation-based Zero Trust approaches were made for. Yet not all segmentation is created equal.
A new report from analyst Enterprise Strategy Group (ESG) offers important learnings for enterprise IT security leaders. Here’s the bottom line: These tools should focus on the workload level, and, to avoid the limitations of traditional network-based segmentation, they should also decouple segmentation from the network infrastructure.
Why Zero Trust?
It’s been a decade since Marc Andreessen’s famous op-ed claimed “software is eating the world.” Today, scores of cloud-based applications power the typical organization, driving employee collaboration, customer loyalty and profits. According to ESG, 88% of organizations now support at least 100 business apps. But while cloud platforms have helped these businesses develop their own software, they have also introduced complexity and new cyber risk.
Traditional security tools focus on north-south traffic, or protection at the perimeter. Meanwhile, the volume of application-to-application, or east-west, traffic has soared, leading to dangerous gaps in protection. This is where Zero Trust comes in.
Zero Trust is fundamentally based on the principle of “never trust, always verify.” Two assumptions underlie it: a network breach has already occurred, and users, resources and devices are not to be trusted by default. Instead, every request should be authenticated and authorized continuously, and access to resources restricted according to the principle of least privilege. When Zero Trust works as intended, it provides the foundation for a highly effective and adaptable security posture fit for today’s app- and cloud-centric age.
However, as ESG’s research also reveals, many IT and security leaders see Zero Trust as expensive and complex to deploy, from both an organizational and a technical perspective. Many of these negative perceptions have their origins in market confusion and fuzzy vendor messaging, but they contain a kernel of truth: ESG’s poll reveals that fully half of those who have had to pause or abandon a Zero Trust project cite “organizational issues” as the cause.
The path to true segmentation
As ESG further explains, segmentation must be a “foundational element” of any Zero Trust project. That’s because segmentation is how least privilege gets enforced on the network: entities are isolated so that they can communicate with one another only when policy explicitly allows it, and everything else is denied by default.
The problem is, not all segmentation approaches deliver the attributes today’s organizations need. Static methods such as access control lists (ACLs) and VLANs typically lack the scalability a cloud-based environment requires. Their rules are written in terms of IP addresses and network locations, which change constantly as workloads autoscale, move or are re-addressed, so the rules go stale almost as soon as they are written. They also don’t provide a user-friendly way to program and manage the thousands of ACL rules that live on network devices, and they may require networks to be re-architected, a potentially major undertaking.
According to ESG, the bottom line is this: Organizations should choose solutions that abstract segmentation from the network and focus on the workload level. Why? Because policy expressed in terms of workload identity or labels, rather than addresses, and enforced at the workload itself (for example, by programming each host’s own firewall) follows the workload as it scales, moves or changes address. That overcomes the legacy challenges above and keeps segmentation as dynamic and scalable as the environment it protects.
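To make the contrast concrete, here is an added example (not code from the ESG report or from any vendor product) of what "workload-level, network-abstracted" segmentation means in practice. Policy is written against workload labels, resolved against the current inventory, and compiled into a per-host allowlist with default deny; a flat, IP-based ACL is shown alongside it. The inventory, labels, addresses and policy are constructed for illustration. The second "day" simulates an autoscaling event and an address change: the label-based policy needs no edit, while the static ACL both blocks legitimate traffic and lets a dev box that inherited a recycled address reach the production database.

```python
"""Label-based segmentation compiled into per-host allowlists, versus a static IP ACL.

Constructed example: every workload, label, address and rule below is an
illustrative assumption, not data from the ESG report or a vendor product.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Tuple[Tuple[str, str], ...]  # e.g. (("env", "prod"), ("role", "web"))

    def matches(self, selector: Dict[str, str]) -> bool:
        """True if every key/value in the selector is present in this workload's labels."""
        mine = dict(self.labels)
        return all(mine.get(k) == v for k, v in selector.items())


@dataclass
class Rule:
    src: Dict[str, str]  # label selector for the consumer (client) side
    dst: Dict[str, str]  # label selector for the provider (server) side
    port: int
    proto: str = "tcp"


def compile_host_allowlists(workloads: List[Workload], rules: List[Rule]):
    """Resolve label selectors against the current inventory.

    Returns, for each provider workload, the set of (consumer_ip, port, proto)
    tuples its host firewall should accept. Anything not listed is dropped, so
    the result is a default-deny policy that is recomputed whenever the
    inventory changes and never has to be edited by hand.
    """
    allow: Dict[str, Set[Tuple[str, int, str]]] = {w.name: set() for w in workloads}
    for r in rules:
        consumers = [w for w in workloads if w.matches(r.src)]
        providers = [w for w in workloads if w.matches(r.dst)]
        for p in providers:
            for c in consumers:
                if c.name != p.name:
                    allow[p.name].add((c.ip, r.port, r.proto))
    return allow


def host_allows(allowlists, dst_name: str, src_ip: str, port: int, proto: str = "tcp") -> bool:
    """Would the provider's host firewall accept this flow? Unknown hosts deny everything."""
    return (src_ip, port, proto) in allowlists.get(dst_name, set())


def acl_allows(acl: Set[Tuple[str, str, int]], src_ip: str, dst_ip: str, port: int) -> bool:
    """Static network ACL: a flat set of (src_ip, dst_ip, port) entries, address-bound."""
    return (src_ip, dst_ip, port) in acl


def lab(**kv: str) -> Tuple[Tuple[str, str], ...]:
    return tuple(sorted(kv.items()))


# Policy written once, in terms of labels: prod web -> prod app, prod app -> prod db.
POLICY = [
    Rule({"role": "web", "env": "prod"}, {"role": "app", "env": "prod"}, 8080),
    Rule({"role": "app", "env": "prod"}, {"role": "db", "env": "prod"}, 5432),
]

# The same intent hand-written as an IP ACL on day one.
STATIC_ACL = {("10.0.1.10", "10.0.2.10", 8080), ("10.0.2.10", "10.0.3.10", 5432)}


def day_one() -> List[Workload]:
    return [
        Workload("web-1", "10.0.1.10", lab(role="web", env="prod")),
        Workload("app-1", "10.0.2.10", lab(role="app", env="prod")),
        Workload("db-1", "10.0.3.10", lab(role="db", env="prod")),
        Workload("web-dev", "10.0.9.10", lab(role="web", env="dev")),
    ]


def day_two() -> List[Workload]:
    """Autoscaling added web-2; app-1 was replaced and got a new address;
    its old address was recycled to a dev scratch box."""
    return [
        Workload("web-1", "10.0.1.10", lab(role="web", env="prod")),
        Workload("web-2", "10.0.1.11", lab(role="web", env="prod")),
        Workload("app-1", "10.0.2.57", lab(role="app", env="prod")),
        Workload("db-1", "10.0.3.10", lab(role="db", env="prod")),
        Workload("web-dev", "10.0.9.10", lab(role="web", env="dev")),
        Workload("scratch-dev", "10.0.2.10", lab(role="scratch", env="dev")),
    ]


if __name__ == "__main__":
    d2 = compile_host_allowlists(day_two(), POLICY)
    print("label policy, new web-2 -> app-1:", host_allows(d2, "app-1", "10.0.1.11", 8080))
    print("label policy, recycled 10.0.2.10 -> db-1:", host_allows(d2, "db-1", "10.0.2.10", 5432))
    print("static ACL, web-2 -> app-1:", acl_allows(STATIC_ACL, "10.0.1.11", "10.0.2.57", 8080))
    print("static ACL, recycled 10.0.2.10 -> db-1:", acl_allows(STATIC_ACL, "10.0.2.10", "10.0.3.10", 5432))
```

The point to notice is that `POLICY` is untouched between the two days: recompiling against the new inventory is what keeps the allowlists correct, which is exactly the property address-bound ACLs cannot have. In a real deployment the compiled tuples would be pushed to each host's packet filter (iptables/nftables, Windows Filtering Platform), but that delivery step is outside this example.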
You can read the full ESG report here.
In the second part of this two-part series, we’ll look at the five key attributes organizations are demanding from their segmentation providers, and how Illumio’s offering stacks up.