“Trust is a human emotion that we mistakenly injected into digital systems” – John Kindervag.
We are all present in the digital age, and the IT landscape is evolving. With the introduction of BYOD, IoT, Cloud, virtual sites, WFH and an increase of enterprise security threats, it is time to rethink the traditional corporate network.
Data and applications are literally everywhere: on-prem server-based, SaaS, shadow IT, mobile devices. End-users today access more applications and data from OUTSIDE the network than INSIDE the network; legacy perimeter-based security methods are simply redundant.
Traditional network designs were based on a secure perimeter with clear demarcation points. Inside the perimeter was TRUSTED, outside the perimeter was UNTRUSTED with all north-south traffic passing through the firewall.
In this model there are no security measures monitoring lateral (east-west) traffic. Once a bad actor has breached the perimeter, they can move laterally unhindered, and this can be catastrophic.
What is required in our digital world? Networking architecture with no concept of inside or outside. Put the user at the centre of the network. Today’s digital age demands intelligent IP Routing; this is achieved by moving IP routing to Layer 5 (session layer) of the OSI model.
There is a complete lack of integration between routing protocols and Identity and Access Management services (IAM). Zero Trust changes all of this.
Zero Trust combines the routing tables of IP routers with the policies of the IAM directory (MS Active Directory for example) adding intelligence to the network. Now the policies of the directory are used to allow or deny a packet to go from one source to another destination.
By integrating IAM services to IP Routing, you are creating an intelligent network with more dynamic granular security controls, all of which are required in today’s digital world.
Zero Trust ensures that security policies are applied at the very edge of the network and stops malicious sessions at their origin, not in the middle or at the endpoint. With this approach, bad actors simply have no way to gain access to the network and the resources that lay within it, keeping data in the safest possible manner.
This is where the rubber hits the road. Implementing a Zero Trust methodology starts with two key projects:
Micro segmentation
What is the difference between a VLAN and micro segmentation? Consider a VLAN as one big house: all the doors are unlocked, and everyone living in that house, or even visiting, can move freely.
With micro segmentation you are not free to move within the home. All doors are locked, and access is only possible if you have the authority and keys to open the door.
Micro segmentation gives administrators control to set granular policies. The policies restrict communication to explicitly permitted host pairs (one-to-one mapping), unlike the traditional VLAN, where every host can potentially see everything else within that VLAN.
Retire the blacklist rule set and adopt the whitelist rule set. The whitelist rule set can get as dynamic and granular as you need it to be, taking segmentation right to the point of the end-user, device, service and application.
Software-defined perimeters (SDP)
When connecting, end-users should not be concerned about where the applications are. All they care about is prompt access to the application; for this to happen, we need to make applications available everywhere without any impact to the end-user. This is what software-defined perimeters are all about.
Core to Zero Trust is that a sufficient level of trust must be established before a user can access an application; that trust is then continuously monitored for the duration of the session, not authenticated once and then assumed.
Software-defined perimeters put the user at the centre of the network enabling the network and security perimeter to follow the user regardless of their location.
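The allow-list model from the micro segmentation section and the continuous trust monitoring from the SDP section, shown together as an added example (not code from the original post): a default-deny policy keyed on user, service and destination, contrasted with a flat VLAN where any host can reach any other, and re-evaluated as device posture signals change during a session. The users, addresses and posture signals are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    device: str          # device class, e.g. "managed" / "unmanaged"
    src: str
    dst: str
    service: str
    posture_ok: bool = True   # re-evaluated signal (e.g. endpoint agent healthy)
    mfa_age_min: int = 0      # minutes since last strong authentication

# Constructed allow-list: (user, service, destination) -> permitted device classes.
# One-to-one mapping; anything not listed is denied. There is no blacklist.
ALLOW = {
    ("alice", "https", "10.0.5.20"): {"managed"},
    ("bob", "ssh", "10.0.5.21"): {"managed"},
}

def flat_vlan_allows(src: str, dst: str) -> bool:
    """Traditional VLAN behaviour: any host in the same /24 can reach any other."""
    net = ipaddress.ip_network(f"{src}/24", strict=False)
    return ipaddress.ip_address(dst) in net

def evaluate(s: Session, max_mfa_age: int = 60) -> tuple[bool, str]:
    """Default-deny decision, applied at session start and on every re-check."""
    key = (s.user, s.service, s.dst)
    if key not in ALLOW:
        return False, "no allow-list entry for this user/service/destination"
    if s.device not in ALLOW[key]:
        return False, "device class not permitted for this destination"
    if not s.posture_ok:
        return False, "device posture check failed"
    if s.mfa_age_min > max_mfa_age:
        return False, "authentication too stale; re-authenticate"
    return True, "allowed"

def monitor(s: Session, posture_updates: list[bool]) -> list[bool]:
    """Re-run the policy as posture signals arrive; trust is not once-off.

    Returns the allow/deny decision after each update so a drop in posture
    mid-session revokes access rather than being ignored.
    """
    decisions = []
    for ok in posture_updates:
        s.posture_ok = ok
        decisions.append(evaluate(s)[0])
    return decisions
```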
In conclusion, traditional networking architecture is the equivalent of people moving freely. You have an address for your home (IP address), and you sleep in the master bedroom with a safe bolted to the floor (logical address). You and malicious offenders can move freely. You hop in your car and drive down the highway; you can knock on anyone’s door and see if they answer. Malicious offenders will sit outside and watch for vulnerabilities: perhaps you leave a window open, or a minor in the household is tricked by the offender into answering the door.
Zero Trust networking states no one is allowed to even leave their home until they have prior authentication and authorisation to get to the destination. When employing a Zero Trust methodology to networking, you are saying no one is even allowed to knock on your door.