Adaptive Segmentation | micro-segmentation | May 28, 2021

What You Need to Enforce Zero Trust Policy – Quickly and Securely

Nathanael Iversen, Chief Evangelist

In this series, we have considered the must-have characteristics for successfully discovering, authoring, and distributing a Zero Trust Segmentation policy. This week we conclude by taking a close look at what is necessary to enforce a Zero Trust Segmentation policy. A Zero Trust policy that doesn’t make it to full enforcement simply isn’t capable of stopping malware, ransomware or malicious actors. There are key considerations to take into account to ensure that every Zero Trust policy can be enforced quickly across the entire infrastructure – and without interrupting application function.

Be Safe, Not Sorry

When working in existing cloud and data center environments, the first requirement is to take the Hippocratic Oath: Do no harm! All micro-segmentation solutions use agents. You need a safe one, and no inline agent is safe. Any agent that implements an inline firewall, filtering, or other security functions cannot be considered safe. If the agent fails closed, the application breaks, which is operationally unsafe. If the inline agent fails open, the security mechanism disappears, which is the definition of unsafe computing. The only safe agent technology for enforcement is an agent outside the data path. You should require a solution that keeps the rules in place, even if the vendor agent fails or is removed. Demand an agent that installs and upgrades without a reboot. Agents should run in user space. Reject anything that modifies the kernel, installs custom network adapters, or otherwise sits inline. There’s no need to reinvent something as basic as a stateful firewall when literally everything in the data center or cloud includes one.

Enforce on Everything

Once you have a Zero Trust policy to enforce, the best place to put it is – everywhere! Every operating system of the last dozen years has a perfectly good stateful firewall – iptables/Netfilter and the Windows Filtering Platform. Similar technologies exist for AIX, Solaris, and even Mainframes. Network switches, load balancers, and hardware firewalls all take firewall rules. Why not use it all? Put Zero Trust everywhere and automate the policy enforcement across everything you already own. Enforcement needs to include your Kubernetes container environment, Amazon, Azure and Google Cloud instances, SaaS services, and even keeping your OT devices out of the IT environment. It’s not even worth considering proprietary vendor agents to enforce Zero Trust policies when every device already supports everything you need.

Improve Speed of Confidence

Zero Trust deployments proceed at the rate of confidence in the safety of the policy. After all, a Zero Trust policy requires specifying everything that is desired – all else is denied. That implies that Zero Trust policies must be perfect. How many flows are in a data center? It sounds hard to be confident in perfection across all those flows. Relax. Zero Trust Segmentation doesn’t have to be hard.

Ensure that you will be able to enforce even a single service at the small end of the scale. After all, some of the most vulnerable flows are the core services and management systems that touch every machine in the environment. Many use a single port or a small range. Any good solution should be able to selectively enforce just those few ports. They are easy to define, easy to agree on, and critical to secure.

At the other end of the spectrum is simply enforcing policy desires like “Keep all my DEV systems from talking to PROD, except for the following list of shared services – but limit that as much as possible”. No one is going to have perfect knowledge of all the DEV systems and all the PROD systems – it’s too dynamic and complex. But the best Zero Trust Segmentation solutions can easily define enforcement boundaries that provide this exact functionality while still preserving freedom from rule-ordering concerns or breaking policy inheritance.

How fast can everyone on the team be sure that the policy is right and safe? Look for a solution that can enforce at the level of a single policy statement and at the same time enforce on broad separation goals. When both are equally simple, it’s easy to get Zero Trust policies through change control into enforcement.
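The two ends of the scale described above, as an added example (not from the original post and not any vendor's implementation): a small Python model of selective enforcement on a few ports combined with one DEV-to-PROD enforcement boundary and a shared-service exception. The precedence used here (explicit allow, then boundary, then selectively enforced port), the label names, and the ports are assumptions made for this illustration.

```python
# Added illustration: a toy, order-independent policy decision model.
# All labels, roles and ports below are constructed sample data.
from dataclasses import dataclass
from itertools import permutations

@dataclass(frozen=True)
class Flow:
    src_env: str
    dst_env: str
    dst_role: str
    port: int

@dataclass(frozen=True)
class Allow:
    src_env: str  # "*" matches any source environment
    dst_env: str
    dst_role: str
    port: int

    def matches(self, f: Flow) -> bool:
        return (self.src_env in ("*", f.src_env) and self.dst_env == f.dst_env
                and self.dst_role == f.dst_role and self.port == f.port)

@dataclass(frozen=True)
class Boundary:
    src_env: str
    dst_env: str

    def crosses(self, f: Flow) -> bool:
        return (f.src_env, f.dst_env) == (self.src_env, self.dst_env)

def decide(flow, allows, boundaries, enforced_ports):
    """Return 'allow', 'deny' or 'unenforced'. Rules are tested as sets
    with any(), so their order never changes the outcome."""
    if any(a.matches(flow) for a in allows):
        return "allow"        # explicit allow (assumed to win over a boundary)
    if any(b.crosses(flow) for b in boundaries):
        return "deny"         # broad separation goal: DEV may not reach PROD
    if flow.port in enforced_ports:
        return "deny"         # selectively enforced service, no allow matched
    return "unenforced"       # observed only; not yet moved into enforcement

ALLOWS = [Allow("DEV", "PROD", "dns", 53),    # shared service exception
          Allow("PROD", "PROD", "jump", 22)]  # SSH only to the jump host
BOUNDARIES = [Boundary("DEV", "PROD")]
ENFORCED_PORTS = {22, 3389}                   # management ports enforced first

def decide_all_orders(flow):
    """Decisions across every ordering of ALLOWS; one value means order-free."""
    return {decide(flow, list(p), BOUNDARIES, ENFORCED_PORTS)
            for p in permutations(ALLOWS)}
```

The `unenforced` result is what lets a team enforce a handful of ports or one boundary without having a complete allowlist for every other flow.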

In Summary

Isolating cloud, endpoint, and data center systems with enforced rules is the entire point of Zero Trust. Visibility-only or monitoring solutions can never be counted as Zero Trust Segmentation. A good segmentation solution will first be safe, and not rely on inline technologies that fail open or closed – putting the whole environment at risk. Enforcement should be broad-based and take advantage of all the firewalls that you’ve already paid to own, from the OS-based firewalls to the hardware and network gear sitting in racks. Getting Zero Trust Segmentation policies implemented for containers, cloud, and across the whole compute environment means that a lot of different solutions are needed, so why not use what’s already in each one? Finally, it’s important to be able to build enforcement from a single policy statement up to easy ways to segment entire environments. Fine-grained micro-segmentation proceeds at the rate of shared confidence that the systems will not be interrupted. So, a solution with highly flexible and nuanced enforcement will always deliver the fastest Zero Trust outcomes.
