Adaptive Segmentationmicro-segmentation October 7, 2020

Operationalizing Zero Trust – Step 6: Validate, Implement and Monitor

Raghu Nandakumara, Field CTO

This blog series expands on ideas introduced in my March post, “Zero Trust is not hard … If you’re pragmatic.

In that post, I outlined six steps to achieve Zero Trust, and here I'd like to expand on the final step, namely Valid, Implement and Monitor. I will show you how this step can support the implementation of a solid framework that can be used by any micro-segmentation practitioner to make their projects more successful, irrespective of the organization's size.

Before I begin, here’s a refresher on the six steps:


Recap- Step 5: Design the Policy

In the last post from this series, I looked at “Designing the Policy.” There, I showed how application dependency mapping identifies relevant flows:


And from here, we derived the following set of allow rules:

  • Rule 1:
    • Source: Web Server, Payments, Production, UK
    • Destination: DNS Responder, DNS Infrastructure, Production, UK
    • Destination Service: 53/udp
    • Destination Process: named
  • Rule 2:
    • Source: App Server, Payments, Production, UK
    • Destination: DNS Responder, DNS Infrastructure, Production, UK
    • Destination Service: 53/udp
    • Destination Process: named
  • Rule 3:
    • Source: Web Server, Payments, Production, UK
    • Destination: App Server, Payments, Production, UK
    • Destination Service: 8080/tcp
    • Destination Process: tomcat

Keeping in mind the principles of Zero Trust, the allow rules listed above define exactly what will be permitted – anything not explicitly permitted is implicitly dropped, thus maintaining the property of least privilege.

Step 6: Validate, Implement and Monitor

Now that you have micro-segmentation rules defined, you are ready to enforce these and protect your workloads – however, one key challenge remains. Your Payments application is in Production and you don’t want to disrupt its functionality while you ringfence it. How do you mitigate this risk?

With any segmentation effort, the stage that carries the greatest risk is enforcing the policies that have been written such that no other traffic is permitted into or out of the workloads. If the policies are wrong then there is the chance of causing a production outage. So, the move to enforcement must be controlled, and with sufficient opportunities for monitoring so that that any problems can be quickly detected and fixed.

This is where policy testing comes in. Illumio Core provides a powerful but simple way to perform this. One of the most useful features of the Illumio Core platform is its ability to move workloads (or groups of workloads) into Test mode – like Build mode, Test mode is a non-blocking mode with the added advantage that it will report on policy violations. For a workload in Test mode, the PCE will overlay the connectivity graph built using flow data from workloads, with the policy graph.

The policy graph can be thought of as putting bubbles around workloads that are allowed to communicate together over a specific set of ports and protocols. The connectivity graph shows the attempted communications between workloads.

  • Where the connectivity graph is within a bubble on the policy graph, you get green lines – these are flows that match policy we have authored.
  • Where the connectivity graph crosses the bubble on the policy graph, you get red lines – these are flows that do not match an authored policy.

In Test mode, these ‘red’ lines, while not blocking any flows, indicate where we have connectivity attempts that are in violation of policy. As an application owner, these are the flows you review, and your choices are:

  • Flow is required -> write policy to turn line green
  • Flow is not required -> no need to take any action

So, the policy validation process requires iterating through all of these ‘red’ lines to determine whether they need to be turned green. Once you have reviewed all of these ‘violations’ and made your choice, you are ready to start protecting the workloads – our validation process is complete, time to Enforce.

Keeping in mind that the purpose of the Validate, Implement and Monitor phase is really to minimise risk, you ideally do not want to take a ‘big bang’ approach to enforcing policy on your workloads. Despite the detailed validation you may have already done, you’ll still want to take incremental steps in this final phase. Again, the granular control Illumio provides on workloads allows exactly this. Each workload in an application can be moved individually to Enforced mode – this means that once you have a fully validated policy, you can select which workloads you want to enable full protection on first, let those run with the policy enforced (i.e. only traffic permitted by policy is able to ingress / egress the workload) and move the other workloads to an enforced state after some ‘soak time’. The advantage of this approach is that should there be any issues with the policy, it will only affect a small set of workloads rather than the entire fleet – and it provides yet another opportunity to fine tune before enabling for the entire application.

Now that our workloads are all enforced, and the application is protected, the task at hand is to continuously monitor traffic events for anything unexpected – drops and accepts – and investigate anything that is outside the normal.

Wrapping Up

So, there we have it, a walkthrough of the six steps in a pragmatic approach towards Zero Trust. As Forrester’s own publications state, Zero Trust is not an outcome of itself but a security strategy, and each organisation needs to understand its own maturity across the Zero Trust pillars, identify which pillars need most focus and take incremental steps to improve that maturity. Illumio is a leading ZTX Ecosystem Platform provider and offers a complete capability set to take these steps in the areas of network and workload visibility and security.

Missed the parts of my Operationalizing Zero Trust series? Here are steps 1-5:

And for more on Zero Trust, visit our solution page to learn how you can get started on your journey today.

Adaptive Segmentationmicro-segmentation
Share this post: