Digging Deeper Into Zero Trust

When the street-smart cop played by Sean Connery in "The Untouchables" instructs Kevin Costner's character about the realities of Prohibition-era Chicago, his first lesson regarding the ways of the world was simple: Trust Nobody.

The security world should apply a similarly blunt approach, particularly when it comes to rethinking dated assumptions about trust. The old school approach to security was to authenticate and determine trust of users at the edge of the network. If they were found to be trustworthy, they got in. If not, they got blocked. Unfortunately, you can never really truly establish complete trust.

Meanwhile, the once-popular castle-and-moat approach was found wanting when intruders were able to work their way inside of perimeter-based security through hacks and cracks in the walls. In response, the industry started to look for a new way to tackle enterprise security, one that was data-centric and comprehensive.

As I mentioned in an earlier blog, many enterprises are turning to Forrester’s Zero Trust model as a pragmatic blueprint to follow in order to up their security game.  Zero Trust posits that threats are invariably going to come from every direction - external and internal.  In our increasingly cloud-centric, mobile-centric world, there no longer are perimeters and data is spread out everywhere.

As a result, granular protection need to be applied to data itself, and controls must be implemented across all points of access to data, such as mobile devices, cloud workloads, and corporate networks.

In future blogs we will take a deeper look at each of the key “pillars” of Zero Trust, but at this point I’d like to dig a bit deeper to what it means in the context of network security controls. Let’s take a look at a Zero Trust Network.

The Zero Trust Network

In a Zero Trust network, nobody gets a free pass anymore - even if they are located inside the network perimeter.  In fact, there is not really an overall network perimeter.  The network has been segmented, and then segmented again.  The result?  A micro-segmented network, with lots of tiny perimeters. 

Any request coming from an individual or device attempting to tap resources in these micro-perimeters requires strict verification. And better yet, data within these perimeters has been classified based on sensitivity, with the most sensitive data being encrypted.  Only authorized users would be able to access this data in the clear.  Of course, things can rapidly change, so the ability monitor users and, based on this visibility, adjust access to network segments based on factors such as behavioral risk scores, device type, user location, etc. needs to be considered as part of the modern Zero Trust Network.  

Remember, the modern network extends beyond the datacenter – it reaches into the cloud.  So, the principles of segmenting and controlling data need to be applied there as well.  And consider the web, aren’t there parts of the web that you want your users nowhere near?  And some parts that they may need to be able to visit to perform their jobs, but get you a bit nervous?  The web also needs to be segmented, based on risk, and data exchanges and access needs to be monitored and strictly controlled.

The goal, in all of these areas, is to extend limited or very controlled access to segments of a network to avoid exposure to security threats - as well as to minimize the potential damage that bad actors might inflict if they do penetrate the corporate defense.

Beyond segmentation and access controls, network traffic, regardless of its source, needs to be scanned and monitored for threats.  Web gateways, with their ability to scan encrypted traffic which may be hiding malware, are specifically designed to do a lot of this heavy lifting.  They can orchestrate traffic to tools like sandboxes to stop zero-day threats.  Email gateways, with best in class tools like threat isolation, can help defeat the phishing attacks we all face.  Tools like these, fed by accurate real-time threat intelligence need to be part of a Zero Trust Network approach.

Is the Juice Worth the Squeeze?

But why put in the time and effort - and especially the investment - required to revamp your network along the lines of a Zero Trust posture? The organizations I have seen adopting Zero Trust have done the calculus and determined that the cost of a breach will outweigh the investment outlays in upgrading a network to conform to a Zero Trust posture. They understand that if a breach does occur, the impact will be greatly minimized because of the network segmentation and data isolation that has been put in place. 

In parallel, Zero Trust network monitoring and forensics should be able to identify the intruder and the impact they have had and kick off automated mitigation steps to shut them down.  From there, automation can orchestrate remediation activities in the network as well as other control points, such as mobile devices, to get the enterprise’s security posture back to the appropriate level. 

An additional benefit: Zero Trust adoption also helps companies conform with the strict compliance requirements they now face when it comes to securing data and enforcing identity and access controls on devices and networks.  I’ve seen organizations effectively tie their Zero Trust initiatives to the broader compliance regimes they must adhere to.

The Zero Trust Network - Why Symantec?

With our breadth of security solutions, Symantec’s in a unique position to offer the depth of capabilities required to implement a Zero Trust Network approach.  Key technologies include:

• Secure Web and Email Gateways
• Threat Isolation and Network Sandboxing
• Network Forensics and Encrypted Traffic Management
• Information-Centric Encryption and Data Loss Prevention (DLP)
• Cloud Application Security
• User Behavior Analytics
• SD-WAN

Additionally, our recent partnership with Fortinet around firewall technology will bring Fortinet’s best-in-class next-generation firewall into our cloud-delivered network security service. 

And as enterprises look beyond the Zero Trust Network pillar, enterprises find that Symantec has their needs covered in other area of Zero Trust as well.  The breadth, depth, and level of integration within our Integrated Cyber Defense platform were key reasons why Forrester named us a Leader in their recent Zero Trust Extended (ZTX) Ecosystem Wave. Additional detail on how the Symantec portfolio maps to the Zero Trust framework is available on Symantec’s  Zero Trust Topic Page. 

If you are investigating Zero Trust, I hope you will contact Symantec to see how we can partner with you on the journey.  I hope this discussion on Zero Trust Networks was useful, and we look forward to continuing the conversation on Zero Trust with our customers and partners.