Firewall, You're Fired! How Zero Trust Security is Disrupting Network Security Architectures
Analyst White Paper
WRITTEN BY NEMERTES
BROUGHT TO YOU BY 128 TECHNOLOGY
© Nemertes Research 2018   www.nemertes.com   DN7067
Johna Till Johnson, CEO and Founder
John Burke, CIO and Principal Research Analyst
Nemertes Research
Q3 2018
Table of Contents

Executive Summary ..... 3
Trends and Background ..... 4
    Security Now ..... 4
    Limitations of the Current Approach ..... 4
Zero Trust Overview ..... 5
    Zero Trust: The Basics ..... 5
    The Importance of Automation ..... 7
Zero Trust and the Network ..... 8
    Automated, Centralized Policy Management ..... 8
    Deep Segmentation ..... 8
    Nested Segmentation ..... 10
    End-to-End Stateful Session Management ..... 10
    Integrated Encryption ..... 11
    Virtualization and Consolidation of Network and Security Functions ..... 11
    Secure Routing Fabrics ..... 11
Business Value of Zero-Trust Security ..... 12
    Improved Risk Mitigation and Security Posture ..... 12
    Reduced Costs: Capital and Operational ..... 12
    Improved Agility ..... 12
Conclusion ..... 13
Executive Summary

Most CISOs have heard about zero-trust security. Leading-edge digital native organizations including Google have re-invented cybersecurity, and in the process upended our most cherished beliefs about how to protect data, applications, and the rest of the enterprise environment. Zero trust relies on—demands—a deeper level of knowledge of systems and data, so that it is possible to put meaningful boundaries around systems and users everywhere. The network is still hugely important to implementing security, but instead of a few barriers at various network chokepoints, the focus is on centrally managed, policy-driven, deeply segmented communications. Large threat surfaces created by complex security rule sets are replaced by many smaller surfaces controlled by simpler rules, easier to understand, plan, create, and maintain. Network security interacts with and reinforces system and data protections.

Zero trust therefore upends our basic understanding of how best to protect data, systems, and users. It requires a radical re-thinking of networks, including the roles—and even the existence—of conventional, separate routers, firewalls, DDoS defenses, network segmentation solutions, and all other familiar network elements. Security functions, increasingly virtualized and modularized in the forms of virtual appliances and virtualized network functions, are implemented throughout the infrastructure as needed.

Zero trust also places security automation at the heart of security operations, and brings with it all the benefits of automation: reliability, agility, and scalability. It does all this while reducing both capital and operational costs on the network, through virtualization and consolidation of network appliances. It also enables virtualized security functionality to be embedded into network functions such as routers—making the network secure from within. Finally, zero trust also drives reduced operating costs, especially by eliminating, or simplifying and automating, management and maintenance tasks, all at reduced costs and with reduced risks.

IT professionals should immediately explore the opportunity to embrace zero trust in their environments; identify where to begin implementing zero trust principles; seek technologies that can help them implement coordinated, integrated protections around data and systems, and within the network; and build a business case for zero trust in the network around cost reductions, risk reduction, and agility.
Trends and Background
Security Now
How good is cybersecurity at most organizations? Not very. It takes the typical team more than a month to detect that an anomalous event has occurred, understand whether the event represents an attack, and resolve the attack by containing compromised systems and protecting the rest of the environment. (Please see Figure 1.)
Figure 1: Typical SecOps Response Times
However, the most successful companies—the ones who can do all of the above the fastest—are not just a little better; they're a lot better than their less-successful peers. The most successful can detect, understand, and resolve in an average of 2.3 days, vs. more than 132 days for the least successful. (Note: This data comes from Nemertes' 2017-2018 Security and Risk Management Research Study, comprising 625 organizations in 12 countries.) The very best performers—those that place in the 99th percentile—can do all this in a matter of minutes.

What differentiates the groups that perform the best? Among other things, they are adopting a zero-trust approach to security, as we discuss below. By embedding security functionality within and throughout the network, they're able to deploy policy-based automation to detect, understand, and resolve issues significantly faster.

Limitations of the Current Approach
In most companies, the network's security architecture consists of poorly coordinated layers of security measures at multiple levels: Access Control Lists (ACLs) in edge and backbone switches, coupled with complex and ever-growing rule sets in perimeter firewalls, core routers, and data center switches. As the data reveals, this approach isn't working. The threat universe is moving faster than companies are able to respond with the traditional architecture. The perimeter-only approach is demonstrably failing to prevent data breaches (check the headlines of any major newspaper for the breach du jour). Companies' inability to quickly and easily manage security policies, segmentation, encryption, and compliance results in an escalating business risk in the form of breaches and compliance penalties. And the inability to segment the network fabric across distributed environments at the right level of granularity means valuable assets are increasingly unprotected, and leads to compliance concerns because of inadequate network segmentation across lines of business.

Technology limitations aren't the only problem. The proliferation of policies and devices, all managed through tedious, error-prone manual processes, consumes expensive (and increasingly scarce) labor. Worse, it's increasingly difficult to retain staff in such an environment: Cybersecurity professionals don't appreciate doing senseless, repetitive work, and in the current job market, are highly likely to jump ship for more attractive opportunities.

The upshot? Companies are complaining about skyrocketing security expenses (both capital and operational), while at the same time being unable to deliver the "table stakes" of a secure, effectively managed infrastructure. As noted, response times are far too high (over a month to detect, understand, and recover from a breach), and the impact of this sluggish and ineffective response is making itself known in the form of an increased number of security breaches that affect revenue, customer satisfaction, and brand equity.

The solution is to move from a perimeter-based approach to one that embeds security throughout the infrastructure, delivering a fabric that can be granularly segmented (an approach we call "deep segmentation") based on centralized policy. In short, the solution requires zero-trust security.

Zero Trust Overview
The Basics
The zero trust security model came from the world of hyperscalers and web giants, especially Google, which implemented in 2009 an approach that subsequently became named "zero trust." The key concept is that nothing in the environment should be considered "trusted." Every user, system, application, code component, data store, and network or infrastructure device is considered "untrusted" until it has authenticated itself and validated its right to access or connect with another user, system, application, code or data component, or device.

That sounds reasonable, but it has some pretty significant implications. For one thing, it forces the enterprise cybersecurity team to map the environment at an unprecedented level of granularity, so that it can create a highly granular set of policies. The challenge of developing these policies is one reason that companies are taking a while to implement zero-trust security: Just 28% of successful organizations, and 22% of less-successful ones, have implemented this approach. (Please see Figure 2.)
Figure 2: Zero Trust Adoption by Success
Even more significantly, the zero trust model makes perimeter-based security obsolete, thereby radically changing the role of the firewall. This is a major change. Since network security's inception in the early 1990s, the firewall has been the lynchpin of security models. The model owes its origins to military strategy and is based on two fundamental assumptions: everything outside the firewall is untrusted, and therefore potentially dangerous; everything within the firewall is trusted, and therefore unlikely to cause harm.

Unfortunately, these assumptions are demonstrably false, and becoming more so over time. Insiders can go rogue, and cause harm (insider threat is a growing problem in many organizations). Internal systems can be (and often are) compromised by sophisticated attacks, meaning that these systems themselves can serve as the launchpad for further attacks. And, the needs of new application architectures, new service delivery models, use of public clouds, and integration among partners' systems cause the typical enterprise to continually "poke another hole" in the firewall to allow communications to flow. In addition to blurring the inside/outside distinction, this makes firewall rule sets enormously complicated and difficult to maintain, and changes to them challenging to test.

As the distinction between "trusted inside" and "untrustworthy outside" disappears—indeed, the whole notion of trusted inside disappears—the role of the firewall changes significantly. It no longer serves to keep the bad guys out and shield the good guys within. Instead, the role of the firewall—and of the network overall—shifts to green-lighting only communications where the sender is allowed to send to the receiver in the specific way it is sending (by port and protocol and other criteria), and the receiver is allowed to receive from the sender in that same specific way.
This means, in turn, that enterprises that embrace zero trust are moving away from the traditional firewall-centric model.
Figure 3: Zero Trust Drives Shifts in Firewall Architecture
In particular, zero-trust-focused cybersecurity organizations are moving away from the traditional physical firewall model, in which there's a physical firewall at all, or most, network sites, towards a centralized plus virtualized approach. The primary driver here is to ensure that firewalls treat traffic consistently, instead of via the ad-hoc approach described earlier. With a physical network of distributed firewalls, each must be configured individually to conform to policy. Although network engineers sometimes automate this configuration so it doesn't have to happen manually, it's still difficult to scale, and prone to errors that can introduce vulnerabilities. Every device tends to have a unique configuration. It can be very difficult to tell whether a change in configuration is necessary and intentional, or is accidental drift from the desired rule set. It can also be difficult to balance local vs. central control.

In the rapidly rising virtualized approach, the firewall functionality is implemented as software in other network elements. With virtual firewalls, configuration is more often automated by design, and managed centrally, while the work of traffic filtration is spread further. Spreading the work further decreases the capacity required on each firewall, and puts control at more points in the network.

The Importance of Automation
Zero trust adopters are significantly more likely than their non-adopting counterparts to have an explicit focus on automating security processes, or to have fully automated these processes. (Please see Figure 4.) Those slower to adopt zero trust are more likely to automate security functions on an ad-hoc basis (such as writing scripts for firewall configuration).
[Figure 3 chart data: Firewall Architecture (No firewalls, Centralized, Distributed, Virtualized, Cloud-based), Zero Trust Non-Adopters vs. Zero Trust Adopters; the two extracted value series, in the order they appear, are 0.0%, 46.0%, 24.0%, 30.0%, 8.0% and 17.8%, 35.5%, 29.0%, 17.8%, 11.2%.]
Figure 4: Security Automation Differences Between Adopters and Non-Adopters
Zero Trust and the Network
Automated, Centralized Policy Management
One of the most significant benefits of zero trust security is its drive toward a network managed and provisioned holistically via centralized policy management. The goal of automated, centralized policy management is to shrink the gap between what the network should do and what it actually does. It's one thing to have a policy stating, for instance, that all traffic from device X on port Y should be prohibited from reaching server instance Z—and an entirely different thing to configure each and every network device in every potential traffic path to deliver on that policy. With automated, centralized policy management the thought becomes the deed: Once the policy is defined, every applicable device in the network instantiates it. And when policies change (as they must, to stay effective) the central policy engine automatically pushes updated policies out to policy enforcement points.

Obviously that's not the case today with most networks, but as the zero trust model moves into the mainstream, the ability to support automated, centralized policy management becomes an increasingly critical selection criterion for network devices.

Deep Segmentation
As noted, with the implementation of the zero trust security model, the role of the network shifts from providing unfettered connectivity to permitting only that connectivity that is explicitly approved, based on policy. This means, in a nutshell, that the concept of "the network" (the physical network itself) is replaced by multiple layers of virtual networks, each of which comprises a small circle of assets that can talk to each other in specific ways. We call this approach "deep segmentation."

This approach is similar in concept to virtual LANs (VLANs). The difference is that it is intended to partition not just a layer 2 network, as VLANs do, but the whole network from end to end, even if it is crossing IP boundaries (routers, firewalls) and so cannot be achieved with Ethernet packet tagging. It requires the participation of network components, physical or virtual, at both ends of the conversation and potentially at intermediate points as well. (Please see Figure 5.)
Figure 5: Deep Segmentation Logically Partitions Across Networks
With traditional network technology, network and security engineers need to develop and maintain a list of traffic patterns that represent attacks. Although AI and machine learning tools (such as behavioral threat analytics systems) can automate this process to a considerable degree, it still requires operators to think in terms of, "What does an attack look like?" In other words, no matter how effective the security teams are, they're still playing catch-up.

Implementing deep segmentation via network virtualization can create a highly dynamic, policy-driven infrastructure. The question becomes, instead, "What does a healthy communications pattern look like?" As new applications and users join the network, operators can add their desired and anticipated communications patterns via policy, ensuring they receive the connectivity they need. But because there is no need to suddenly reassess what an attack looks like in light of the changed environment, network security is not perturbed by the addition. The security and network teams thereby move from a reactive stance, trying to explicitly identify and disable bad traffic and respond to detected threats, to a proactive stance, enabling desired connectivity and implicitly disabling everything else.

The two critical components that make such a shift possible are virtualization and automation. Virtualization embeds deep segmentation functionality within the network, and automation instantiates policy changes to those embedded functions at scale.
Figure 6: Policies at Tenant Level Control Whether Sessions Allowed
Nested Segmentation
Another critical component, particularly for (increasingly common) multi-tenant environments, is the ability to define trust boundaries and relationships at a tenant level, and expect all segmentation set up within a tenant segment to inherit those boundaries and relationships as a starting point. For example (please see Figure 6) a company may establish that some tenants (like a customer support division) have no access to anything in the development network segment; or that those in the consulting division have no access to the operations network. Once the relevant network components are aware of the policy, all such sessions will cease.
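The inheritance described above, an added example written for this page rather than code from the paper or from 128 Technology: tenant-level boundaries are the starting point, a segment policy inside the tenant can only narrow them, and once the policy is known every active session it does not permit is reported for termination. The tenant names loosely follow the paper's Figure 6 example; the segment names, the sessions and the "narrow but never widen" rule are constructed assumptions.

```python
"""Nested segmentation: tenant-level trust boundaries inherited by every segment
policy defined inside the tenant.

Added illustration for this section; not code from the paper or from
128 Technology. The tenant names loosely follow the paper's Figure 6 example
(customer support, consulting, development, operations); the segment names,
sessions and the inheritance rule (a segment may narrow but never widen what
its tenant allows) are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class TenantPolicy:
    name: str
    denied_targets: FrozenSet[str]   # segments this tenant may never reach


@dataclass(frozen=True)
class SegmentPolicy:
    tenant: str
    name: str
    allowed_targets: FrozenSet[str]  # what the local segment owner asked for


TENANTS = {
    "customer-support": TenantPolicy("customer-support", frozenset({"development"})),
    "consulting": TenantPolicy("consulting", frozenset({"operations"})),
    "engineering": TenantPolicy("engineering", frozenset()),
}

SEGMENTS: List[SegmentPolicy] = [
    # The local owner over-permits: asks for development, which the tenant forbids.
    SegmentPolicy("customer-support", "cs-tier1", frozenset({"ticketing", "development"})),
    SegmentPolicy("consulting", "consult-lab", frozenset({"shared-docs", "operations"})),
    SegmentPolicy("engineering", "build-farm", frozenset({"development", "artifact-store"})),
]


def find_segment(name: str) -> Optional[SegmentPolicy]:
    return next((s for s in SEGMENTS if s.name == name), None)


def effective_targets(segment: SegmentPolicy) -> FrozenSet[str]:
    """Inheritance rule: the tenant boundary is the starting point, and a segment
    policy can only subtract from it, never add to it."""
    return segment.allowed_targets - TENANTS[segment.tenant].denied_targets


def session_allowed(src_segment: str, dst_segment: str) -> bool:
    seg = find_segment(src_segment)
    if seg is None:
        return False          # unknown source segment: deny by default
    return dst_segment in effective_targets(seg)


def sessions_to_terminate(active: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Once enforcement points learn the policy, every active (src, dst) session
    that it does not permit is reported so it can be torn down."""
    return [s for s in active if not session_allowed(*s)]


if __name__ == "__main__":
    active = [("cs-tier1", "development"), ("cs-tier1", "ticketing"), ("consult-lab", "shared-docs")]
    print(sessions_to_terminate(active))   # [('cs-tier1', 'development')]
```

The point of `effective_targets` is that a segment administrator cannot grant what the tenant forbids: the customer-support segment asked for access to development, and the computed allow-list silently drops it.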
End-to-End Stateful Session Management

A zero-trust-enabled network needs the ability to see traffic in terms of the conversations established across it. This means, in essence, tracking sessions statefully (in real time) from source to destination. Stateful session management matters for two key reasons. First, it allows policy-based session administration. In other words, the network manager can decide that only certain kinds of sessions are permitted, and refuse to set up sessions that are outside policy bounds.

As importantly, stateful session management is a key weapon in preventing sessions from being hijacked. A standard hacker technique is to wait until trusted endpoints establish a session, then hijack that session for nefarious purposes. Precluding such an attack requires that the network be aware not just of the existence of a session, but its actual state: which end initiated the conversation, what types of packets are traveling, in which direction, in what order, etc. If a session appears initially to be in a permitted state, but shifts into an unpermitted one, network devices can shut the session down—but only if they have the ability to perform stateful session management in the first place.
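The session-state tracking just described, as an added example written for this page (not code from the paper or from 128 Technology): an enforcement point remembers which end initiated each session and what state the conversation is in, admits only packets that are the legitimate next step of a policy-permitted session, and tears the session down the moment it shifts into a state the policy does not allow. The permitted initiators, the packet trace and the simplified TCP-style state machine are constructed assumptions; this is not a full TCP implementation.

```python
"""End-to-end stateful session tracking at a zero-trust enforcement point.

Added illustration for this section; not code from the paper or from
128 Technology. The enforcement point records, per session, which end
initiated it and what state the conversation is in, admits only packets that
are the legitimate next step of a permitted session, and tears a session down
the moment it shifts into a state the policy does not allow. The permitted
initiators, the packets and the simplified TCP-style state machine are all
constructed assumptions, not a full TCP implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # one of: SYN, SYN-ACK, ACK, DATA, FIN, RST (simplified)


# Policy: who may open a session to whom (constructed). Responders never initiate.
PERMITTED_INITIATIONS = {("10.1.0.5", "10.2.0.7", 8443)}

# (current state, direction relative to the initiator, packet type) -> next state
TRANSITIONS: Dict[Tuple[str, str, str], str] = {
    ("SYN_SENT", "rev", "SYN-ACK"): "SYN_RECEIVED",
    ("SYN_RECEIVED", "fwd", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "fwd", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "rev", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "fwd", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "rev", "DATA"): "ESTABLISHED",
    ("ESTABLISHED", "fwd", "FIN"): "CLOSING",
    ("ESTABLISHED", "rev", "FIN"): "CLOSING",
    ("CLOSING", "fwd", "ACK"): "CLOSING",
    ("CLOSING", "rev", "ACK"): "CLOSING",
    ("CLOSING", "fwd", "FIN"): "LAST_ACK",
    ("CLOSING", "rev", "FIN"): "LAST_ACK",
    ("LAST_ACK", "fwd", "ACK"): "CLOSED",
    ("LAST_ACK", "rev", "ACK"): "CLOSED",
}

Key = Tuple[str, str, int, int]   # (initiator, responder, initiator port, responder port)


class SessionTable:
    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}
        self.events: List[str] = []

    def handle(self, pkt: Packet) -> str:
        fwd: Key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev: Key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.sessions:
            return self._advance(fwd, "fwd", pkt)
        if rev in self.sessions:
            return self._advance(rev, "rev", pkt)
        # No session yet: only a SYN from a policy-permitted initiator may create one.
        if pkt.flags == "SYN" and (pkt.src, pkt.dst, pkt.dport) in PERMITTED_INITIATIONS:
            self.sessions[fwd] = "SYN_SENT"
            return "ALLOW"
        return "DENY"

    def _advance(self, key: Key, direction: str, pkt: Packet) -> str:
        state = self.sessions[key]
        if pkt.flags == "RST":
            del self.sessions[key]   # either side may abort; the session simply ends
            return "ALLOW"
        nxt = TRANSITIONS.get((state, direction, pkt.flags))
        if nxt is None:
            # Out-of-state packet: data before the handshake completed, or the
            # responder trying to open a new conversation inside the session.
            # The session has shifted into an unpermitted state, so shut it down.
            del self.sessions[key]
            self.events.append(f"terminated {key}: unexpected {pkt.flags} ({direction}) in {state}")
            return "TERMINATE"
        if nxt == "CLOSED":
            del self.sessions[key]
        else:
            self.sessions[key] = nxt
        return "ALLOW"


def run(packets: List[Packet]) -> List[str]:
    """Feed packets through a fresh session table and return the per-packet verdicts."""
    table = SessionTable()
    return [table.handle(p) for p in packets]


# Constructed trace: a permitted session, then the responder tries to start a
# new conversation inside it, then a follow-up packet on the now torn-down session.
TRACE = [
    Packet("10.1.0.5", "10.2.0.7", 40000, 8443, "SYN"),
    Packet("10.2.0.7", "10.1.0.5", 8443, 40000, "SYN-ACK"),
    Packet("10.1.0.5", "10.2.0.7", 40000, 8443, "ACK"),
    Packet("10.1.0.5", "10.2.0.7", 40000, 8443, "DATA"),
    Packet("10.2.0.7", "10.1.0.5", 8443, 40000, "DATA"),
    Packet("10.2.0.7", "10.1.0.5", 8443, 40000, "SYN"),
    Packet("10.1.0.5", "10.2.0.7", 40000, 8443, "DATA"),
]

if __name__ == "__main__":
    print(run(TRACE))
    # ['ALLOW', 'ALLOW', 'ALLOW', 'ALLOW', 'ALLOW', 'TERMINATE', 'DENY']
```

Two details carry the zero-trust point: a packet with no matching session is denied unless it is the opening step of a flow the policy explicitly permits, and a session is judged by its recorded state and direction rather than by the addresses alone, so a responder that suddenly behaves like an initiator ends the conversation instead of riding on its permission.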
Integrated Encryption

It should be obvious, but it's worth noting that encryption is an essential component of zero trust, since encryption implies an appropriate lack of trust in the network. However, encrypting data also makes it difficult to perform all the session-management functions above. To support both effective end-to-end stateful session management and encryption, encryption has to be built into the network fabric, rather than bolted on.

Virtualization and Consolidation of Network and Security Functions
One of the most promising developments in network technology is the emergence of Software-Defined Networking (SDN) and Software-Defined Wide Area Networking (SD-WAN), models in which core network functions such as routing, firewalling, load balancing, and more are consolidated into a single appliance, either as a single VM or as a cooperating swarm of Virtualized Network Functions (VNFs). Moreover, many times this software can be running on a bare-metal platform (an approach known as "white boxing"). Network and cybersecurity professionals can work together to create a customized system that incorporates exactly the right mix of network, security, and segmentation functionality for their requirements—essentially changing the network infrastructure from hardware-defined to software-defined.

From a security perspective, the software-defined approach is optimal, because there are fewer hardware devices to administer and manage (and therefore fewer possibilities for hacking). Moreover, automated management works most effectively with software, rather than hardware, components. In a fully software-defined architecture, network engineers won't think in terms of "a router" or "a firewall" but rather in terms of a device that supports a dynamic range of policy-enforcement and networking functions including routing, load balancing, IDS/IPS, DDoS protection, firewalling, web gateways, and more.

Secure Routing Fabrics
The outcome of this approach is a dramatic re-thinking of the role of routing itself. As noted above, the role of the network overall shifts from "transport most packets, deny some" to "transport only that traffic which is validated as safe, and properly encrypted." Instead of relying on lists and rules to determine which traffic may not be transported (and transporting all else), with zero trust the only traffic that is transported is that which has been expressly green-lighted. This requires a "deny-by-default" routing fabric, coupled with hop-by-hop session authentication and dynamic encryption of data-in-motion. Security is therefore baked into the network itself, not just painted onto the perimeter, making the network fabric and routing algorithms themselves the tools to mount a more effective, simple, less expensive, distributed defense against increasing security threats.
You could, in fact, think of it as the permethrin approach to security. Like the insecticide permethrin that hikers and other outdoorsy folk use to protect themselves against ticks, mosquitos, and other dangerous bugs, zero-trust security is infused into the fabric itself. No more swatting mosquitos—they never make it through!

Business Value of Zero-Trust Security
Improved Risk Mitigation and Security Posture
The primary business benefit of zero trust security is, of course, improved security, which in turn translates to reduced risk. By implementing zero-trust security, companies can reduce both the likelihood and the impact of breaches. Breaches happen less often, and when they do, the damage is more effectively contained. Moreover, the automation inherent in zero trust means that mistakes (which can introduce vulnerabilities and increase costs) are less likely to occur. Additionally, compliance improves (particularly via deep segmentation). Compliance involves not only protecting regulated assets, but also demonstrating that these assets have been protected—and deep segmentation delivers both (validation as well as protection).

Reduced Costs: Capital and Operational
Integrating security and network functions into a common hardware platform can result in reductions, sometimes dramatic, in capital costs for the network, especially when networks grow into the thousands of sites. With other virtualization approaches such as SD-WAN, Nemertes has documented capex savings of 30% or more. While data is just emerging for zero trust, we anticipate savings that are comparable. There are also power and cooling cost savings to take into consideration, which are non-negligible for large, complex environments.

More significantly, reducing the number of devices—and implementing techniques such as automated, policy-driven deep segmentation—also reduces the cost of ongoing support and maintenance. An obvious benefit of reducing response time is that it takes less time to detect, understand, and recover from breaches; and less time equates to lower costs. And because automation reduces the likelihood of failed policy implementation, it eliminates staff-hours spent cleaning up after a failed policy implementation or modification. While it's still too early to quantify the opex savings from a move to zero trust security, we anticipate they'll be on the order of 50% or more, based on our work with SD-WAN and with server and network virtualization.

Improved Agility
Agility is another business benefit that results from the deployment of zero-trust security in the network. Today, business operations are often held up by the time it takes to secure them. For instance, setting up that branch office in Shanghai may need to wait until the firewall has been shipped, delivered, and configured, which could take weeks. When that process changes to "download and launch software module," the time required can drop to hours or minutes, which means that Shanghai branch office is up and running immediately.

Conclusion

Zero trust upends our basic understanding of how best to protect data, systems, and users. It requires a radical re-thinking of networks, including the roles—and even the existence—of conventional, separate routers and firewalls. Routing shifts from the familiar "green lighting" approach to an approach that accepts only authorized traffic, and re-authorizes it on a hop-by-hop basis. To effectively implement zero-trust security in the network, the focus must be on centrally managed, policy-driven, deeply segmented and encrypted network fabrics. This is the necessary precursor to placing security automation where it belongs: at the heart of security operations. And it brings with it all the benefits of automation: reliability, agility, and scalability, all at reduced costs and with reduced risks.

IT professionals seeking to bring the benefits of zero trust to their environments should:
• identify where to begin implementing zero trust principles in the network
• re-think the role and functions of the network, particularly routing
• enable deep segmentation
• protect across all three domains
• make security automation a core focus
• build a business case for funding zero trust in the network around cost reductions, risk reduction, and agility.

About Nemertes: Nemertes is a global research-based advisory and consulting firm that analyzes the business value of emerging technologies. Since 2002, we have provided strategic recommendations based on data-backed operational and business metrics to help enterprise organizations deliver successful technology transformation to employees and customers. Simply put: Nemertes' better data helps clients make better decisions.