Adaptive Segmentationmicro-segmentation July 7, 2021

Achieving Zero Trust Outcomes On Endpoints and Servers with Segmentation

Nathanael Iversen, Chief Evangelist

Users are the reason our data centers and cloud environments are full of containers, virtual machines, and servers of all kinds. We enter data, retrieve it, process it, analyze it, and share it to do our daily work. In the past two blog posts, we’ve looked at how to separate environments and how to secure core and management services. This week, we step outside the data center to explore how to protect the users and devices that power our organizations. We will consider how Zero Trust Segmentation eliminates peer-to-peer spread of malicious software and controls access to cloud and data center assets, as well as the important role of identity to determine access.

Eliminate Peer-to-Peer Spread

Zero Trust principles specify that only necessary communications pathways should be open. In contrast, ransomware expects to find unnecessary paths open. When ports like RDP or SMB are needlessly open between endpoints, off-the-shelf ransomware can traverse, even at massive organizations, in seconds. Zero Trust Segmentation stops lateral movement, closes peer-to-peer ports, blocks unused service ports, and limits core and management services to only the correct servers. This eliminates the vectors that malware typically uses to get from one machine to the next. With Zero Trust Segmentation in place, an infection can be contained, detected, and eliminated before the entire organization falls victim.

Control Access to Cloud and Data Center Assets

Most users spend their time switching between a relatively small collection of applications compared to the great number of systems and services the enterprise has in the cloud, data center, and SaaS providers. So, Zero Trust principles tell us that they should only connect to the services to which they are authorized. Zero Trust Segmentation ensures that users connect only to this narrow set of resources. This eliminates huge amounts of potential attack surface. When taken across an entire user population, often hundreds of thousands or even millions of possible attack vectors vanish, no longer available to transport malicious software. When added to the peer-to-peer controls and the data center controls we’ve mentioned in previous weeks, Zero Trust Segmentation radically reduces the potential for a breach to spread across an organization.

Tie Zero Trust Policies to Identity

Zero Trust Segmentation works best on endpoints when tightly bound to user identity. Inside the data center, micro-segmentation solutions all rely on labels and metadata to identify servers. For the users, their name and corresponding group membership in Active Directory forms the root of trust. As they log in, Zero Trust Segmentation will then look up the corresponding permissions. Automation calculates the correct rules and access and distributes those rules to the endpoint and to the cloud and data center systems for enforcement. In this way, inbound and outbound policies provide universal enforcement. The endpoint controls what it sends and receives, and the central servers do the same. In this way, Zero Trust controls cover the entire organization. When the user logs out, the access is removed, ensuring that no one else can try to use those open ports by spoofing access. Zero Trust Segmentation ensures that both servers and endpoints communicate in only the limited and narrow ways they must. When tied to user identity, communication only occurs while logged in and connected.

Universal Enforcement

When endpoint machines take on the permissions of the user sitting at the keyboard, location no longer matters. A laptop sitting in the corporate network or at home over a VPN should still be restricted to only the appropriate destinations. Zero Trust Segmentation enforces the policy at the user laptop, the data center server, and even on intermediate infrastructure devices like load-balancers, network switches, and firewalls. Zero Trust Segmentation works over VPN connections as well, eliminating the concerns most organizations have about full network access or the lack of effective identity controls at an application level. Choosing a Zero Trust Segmentation solution that uses all the available enforcement points offers a superior solution to any propriety agent-based solution. The best place to enforce a user policy or a server policy is everywhere!

 

Zero Trust Segmentation protects user endpoint devices from compromise and ensures that they don’t become the source of compromise for other systems. Close unused and unneeded ports on each device, and you can eliminate peer-to-peer spread. Close unused and unneeded ports into the data center, and you can radically reduce the potential for any vector to spread from the user edge to the server core. But Zero Trust Segmentation doesn’t stop there – access policies include the user identity and are only active during valid login sessions. When the user logs out, permit rules are automatically removed. Universal enforcement puts the Zero Trust policy everywhere: the user endpoint, servers, infrastructure, container hosts, and even the cloud. In this way, maximum protection accompanies the user wherever the endpoint device goes and simultaneously protects the servers. Zero Trust Segmentation brings automatic enforcement and granular controls to many leading organizations.

Learn more about how you can quickly get Zero Trust outcomes for your endpoints and servers.

Adaptive Segmentationmicro-segmentation
Share this post: