Colby Dyess, September 21, 2022
Three Ways a Zero Trust Framework Secures the Mutable Network
As CIOs demand more agility from cloud-based infrastructure that can be spun up and scaled on demand, it is increasingly complex to secure an ever-evolving mutable network with transient infrastructure and a vanishing perimeter. How can the principles of Zero Trust security better protect the modern enterprise network, with users and devices connecting from anywhere to resources everywhere?
In July of this year, a startling fact was reported in Ponemon Institute’s Global Study on Zero Trust Security for the Cloud: 60% of IT and security leaders aren’t confident in their organization’s ability to ensure secure cloud access, even as adoption grows across a diverse range of cloud environments. The study also underscores the fact that Zero Trust security reduces network risks while driving meaningful efficiency and innovation across the entire IT ecosystem.
Establishing trust in the mutable network
Twenty years ago, securing the corporate network was considerably more straightforward. Resources were primarily centralized behind a well-demarcated physical perimeter (i.e., “castle and moat” model), trust was established at the network gate and users had permission to access all resources. But today this is an insecure model founded on an obsolete notion that users and networks can be isolated based on physical locations.
Today the fluctuating nature of networks means that establishing and enforcing trust is much harder. For instance, an authorized user logs in from an unknown location or a user requests access to resources that might have migrated from one cloud to another. Even for applications that aren’t being migrated on a regular basis, it's critical that governing policies remain intact. And maintaining consistent access policies is often very challenging to manage as the security tools used to protect assets on-premises are often quite different than those built for the cloud.
In this context, trust becomes further muddied as enterprise workloads shift to the cloud. According to the Ponemon cloud study, within the next three years 90% of respondents will have adopted DevOps and 87% will have adopted containers, but modern security practices aren’t as widespread. Today only 42% of respondents say they can confidently segment environments and apply the principle of least privilege, and nearly a third of organizations have no collaboration between IT security and DevOps, which presents a significant risk.
In short, the mutable network demands a more agile cybersecurity strategy ... one for which the principles of Zero Trust are exceptionally well suited. Consider these three ways in which Zero Trust security can meet dynamic network requirements:
#1: The mutable network requires a Zero Trust least privilege access approach
Enterprise organizations must embrace a modern approach to security based on the principles of Zero Trust and least privilege access which directs organizations to challenge everyone and anything attempting to connect to protected applications and resources on the corporate network.
Under a least privilege Zero Trust approach, users gain access based on identity-centric and context-sensitive policies that are automatically and dynamically enforced. Users no longer need to sign into the VPN; they just turn on their devices and are given the appropriate level of access.
Many of the headline-grabbing breaches from the past few years might have been mitigated had the affected organizations adopted the principle of least privilege access, so that network resources wouldn’t have been visible to threat actors in the first place. And even if attackers do find a way inside, a Zero Trust security framework is far better equipped to limit lateral movement and the impact of what they can do.
#2: The mutable network requires a Zero Trust contextual approach
As the age-old adage goes, “context is everything.” This is especially true in the realm of security, yet context is all too often absent when it comes to authenticating a user and granting them access to protected network resources.
If a user is attempting to access something on a network—be it an application, a resource, or a system—there are dozens of contextual attributes that can and should be considered when determining the user’s relative trustworthiness. These traits might include identifying where the end user is geographically located, the type of device from which they are trying to connect, when the device was last patched, or the relative risk-level of a specific transaction. While these discrete pieces of information on their own may not determine whether a user or transaction should be trusted, together they build a more complete picture of the user and their intentions.
In the mutable network, where resources, applications and users are continuously in motion, the ability to infer context is foundational to distinguish legitimate activity from that of a potential attack. More critically, a Zero Trust Network Access (ZTNA) framework provides contextual access to ensure that the right person, according to the correct conditions, can access the resources they need to do their job and nothing more.
#3: The mutable network demands a Zero Trust software-defined perimeter approach
Because the mutable network is itself driven by software, a software-defined perimeter is required to protect it. Having to configure an unwieldy array of network appliances manually and continually is untenable in this hyper-dynamic environment. That's why many firewall devices and cloud security groups are often configured to allow broad access. Even if a firewall is overly permissive, a Zero Trust security approach automatically restricts users and their devices from accessing the wider network.
A software-defined perimeter approach is inherently more flexible, can be easily integrated to work with legacy systems, and can be delivered via in-line software, as a cloud or hybrid service, or even on-premises. Other key software-defined perimeter attributes include the ability to enable network micro-segmentation, enforce least privilege access and apply Comply-to-Connect (C2C) rules to ensure that patches and hardened configurations are applied to devices before they ever connect to the network.
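As an added illustration (not code from the original post or from any product it describes), the following Python sketch shows how the three ideas above could combine into one access decision: a Comply-to-Connect posture gate, a least-privilege resource scope per role, and a contextual risk score built from the attributes named in #2 (location, device type, patch age, transaction risk). All thresholds, role maps and attribute weights are assumed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy values (assumptions, not from the original post).
KNOWN_LOCATIONS = {"US", "CA"}                       # allow-listed countries
MAX_PATCH_AGE_DAYS = 30                              # Comply-to-Connect threshold
MANAGED_DEVICE_TYPES = {"managed-laptop", "managed-desktop"}

# Least-privilege scope: role -> resources that role may reach (constructed).
ROLE_RESOURCES = {
    "finance": {"ledger", "payroll"},
    "developer": {"ci", "repo"},
}

@dataclass
class AccessRequest:
    user: str
    roles: set
    resource: str
    country: str
    device_type: str
    patch_age_days: int
    transaction_risk: str   # "low" | "medium" | "high"

def risk_score(req):
    """Combine discrete context signals into one score (higher = riskier)."""
    score = 0
    if req.country not in KNOWN_LOCATIONS:
        score += 2            # unknown geography
    if req.device_type not in MANAGED_DEVICE_TYPES:
        score += 2            # unmanaged device
    score += {"low": 0, "medium": 1, "high": 3}[req.transaction_risk]
    return score

def decide(req):
    """Return (decision, reason); decision is 'deny', 'step-up' or 'allow'."""
    # Comply-to-Connect gate: a device outside patch policy never connects.
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        return ("deny", "device not compliant: patch age exceeds policy")
    # Least privilege: the resource must be in scope for one of the user's roles.
    allowed = set().union(*(ROLE_RESOURCES.get(r, set()) for r in req.roles))
    if req.resource not in allowed:
        return ("deny", "resource not in user's least-privilege scope")
    # Context: no single attribute decides; the combined score does.
    score = risk_score(req)
    if score >= 4:
        return ("deny", f"context risk {score} too high")
    if score >= 2:
        return ("step-up", f"context risk {score}: require MFA")
    return ("allow", f"context risk {score}")
```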
Zero Trust security is the flexible foundation for evolving networks
The flexibility of these Zero Trust attributes is critically important as network architectures become more elaborate. They reduce complexity for the user and operator and make it that much more difficult for threat actors to turn a small compromise into a full-fledged data breach.
In fact, the Ponemon report on cloud security also reveals that Zero Trust can address the security challenges of a dynamic network and accelerate an organization’s cloud transformation. Respondents that have adopted a Zero Trust strategy report that the top benefits are: increased productivity of the IT security team (65%); stronger authentication using identity and risk posture (61%); increased productivity for DevOps (58%); and greater network visibility and automation capabilities (58%).
Clearly, IT leaders will continue to pursue and embrace technologies that improve the agility and cost-effectiveness of their infrastructure. It’s also evident that a Zero Trust security approach, which applies the principles of least privilege access to enterprise resources, is the flexible foundation needed to secure an evolving network. Ultimately, Zero Trust enables organizations to adapt to changing conditions, reduce risk, ensure user productivity and innovate more quickly. And the time to get started is now.
Additional Zero Trust security resources
Guide: Zero Trust Maturity Model Roadmap
Video: Kill the NAC: ZTNA for the Corporate Network
Case study: Jellyvision Enables Secure Access Across Hybrid Environments
eBook: Securing the Hybrid Enterprise