Why Policy Matters for Zero Trust
The idea of least privilege isn’t new, and neither is the idea of keeping devices separate on the network in service of least privilege. After all, every firewall comes out of its shipping container with a default rule – “deny all” – inviting the creation of a least-privilege policy. And so, for the last 15 or 20 years, we have been dutifully entering more and more permit and deny statements into perimeter firewalls. Most organizations now have so many of these statements that it takes teams of highly skilled administrators to manage them, and the complexity has exploded in recent years.
The problem (times 3)
Now, Zero Trust prescribes that we return to least privilege. Only this time, not at the edge, but on every workload, every user, every endpoint. How feasible is this? Every year Cisco publishes a detailed survey of enterprise networks, and it provides a simple approximation for us to consider. In 2020, 73% of traffic occurred “east-west” – that is between systems in the data center – and about 27% went through the perimeter. The existing perimeter firewall rules, therefore, cover 27% of the traffic.
The clear implication is that creating a similar policy for the other 73% of traffic is roughly three times the work, three times the rule complexity, and three times the number of people. And that is the problem. No one can spend 3x, hire 3x, and configure 3x the complexity. Those who have tried to bend an SDN solution into serving this task or have tried to deploy virtual firewalls know that it just doesn’t work.
Any vendor that proposes Zero Trust has to solve this conundrum. It’s not credible to assert that a Zero Trust outcome is achievable without dealing with the operational reality of the immense task at hand. Anyone shopping for a Zero Trust outcome needs credible proof of the ability to meet the cost, operational complexity, and human resource components for successful implementation.
We don't need more places to enforce policy
When firewalls first entered the network, they were the only device capable of blocking and restricting traffic at scale. But today, achieving Zero Trust micro-segmentation isn’t an enforcement point problem. Every modern operating system in the data center from Windows to Linux – even including AIX, Solaris, and System Z (mainframes) – has a well-implemented stateful firewall in the kernel forwarding path. Every network device, from routers and switches to firewalls and load balancers, can take firewall rules.
In fact, it is the case that pretty much every network-connected device in the data center has some access control capabilities. This implies that no one needs to buy pallets of firewalls to implement Zero Trust. The enforcement points are already available. This means that the cost to implement Zero Trust will be felt almost entirely in the area of configuration complexity. After all, the number of people needed derives from the amount of work to do.
Policy management determines Zero Trust outcomes
We conclude, then, that policy is the single most important factor in a Zero Trust deployment. The achievability of any Zero Trust goal will depend on how easy or hard it is to discover, author, distribute, and enforce policies.
Vendors like to talk about their features and to show pretty user interfaces, but in the end, the only thing that matters is how well they simplify, reduce, and automate the policy management work inherent in a Zero Trust micro-segmentation initiative.
Before anyone can write a Zero Trust policy, you first need to know all the relevant communication flows and how the application in question functions: how it depends on core services and the users and other devices to which it connects. This is policy discovery, and it’s more than a pretty picture of an app in a bubble. Ultimately, you need all the necessary information to successfully author the Zero Trust policy.
Authoring a policy has to eliminate the burden of translating human desire into IP addresses. It needs to use metadata to simplify, scale, and inherit policy to reduce the authoring burden. Once you have a policy written, you need a way to distribute it to the enforcement points that already exist. How do you keep all of the policies up-to-date and automatically tracking with application automation? If you can have moves, adds, and changes all accounted for, the workload decreases on your administration team.
Finally, policy enforcement ultimately depends on the ability to validate and develop confidence in the proposed policy. Firewalls don’t have any modeling capability. But it isn’t enough to “permit and pray.” You need the ability to know that the policy is accurate, complete, and won’t break the application – and to be able to communicate that to all stakeholders.
Knowing what is important for Zero Trust policy management is the same as knowing what it takes to deliver a Zero Trust or micro-segmentation project. Operationalizing fine-grained segmentation will proceed at the rate determined by our human ability to discover, author, distribute and enforce the policy. When effective and efficient policy management exists, the personnel requirements decrease proportionally. So it is clear that the most important factor in operationalizing Zero Trust is dealing effectively with the policy complexity required to tighten segmentation controls. Since it is so important, we will consider policy management in great detail in upcoming blog posts.