Networks form the backbone of I.T. infrastructure. In fact, every service we take for granted today is made possible by the interconnectivity of different systems which can transmit data to each other. The internet, as an example, is the most extensive network in the world and is an excellent illustration of what is possible when systems can intercommunicate.
However, like all I.T. infrastructure, networks need to be secured and protected from threats which pose a risk to the services running on them.
Cloud and Mobile Have Impacted Network Security
Networks and the services that run on them have changed. Before cloud services and mobile devices permeated the corporate landscape, the standard corporate network was a closed, tightly managed environment in which I.T. controlled every application and device.
During this pre-cloud era, network security consisted of a hard perimeter where firewalls created the barrier between a trusted internal network and an untrusted external network.
Since the introduction of cloud and mobile, things have changed. Businesses today utilize apps which are both on-premise and in the cloud, and users perform their duties on multiple devices and work from anywhere.
This fractured, distributed operating environment has forced organizations to rethink network security. The traditional firewall, which protected all the enterprise I.T. resources in the past, no longer protects every application and device.
The diminishing role of the firewall and the increased use of cloud apps and mobile devices across the enterprise have forced I.T. security professionals to come up with a new network security model.
The Zero Trust Model
Forrester created the Zero Trust model in 2009 which introduced a new way of thinking for network security. This model essentially declared that all network traffic be deemed untrusted and that the conventional thinking of a trusted internal network and untrusted external network was obsolete.
The Zero Trust model recommended three core concepts to enforce this thinking. First, organizations need to ensure that all resources are accessed securely. Second, the principle of least privilege is adopted and access control is strictly enforced. Third, all network traffic is inspected and logged.
Since 2009, Forrester has extended the Zero Trust model into the Zero Trust Extended Ecosystem (ZTX). ZTX goes further by stating that not only is network traffic deemed untrusted, but people, workloads, and devices also pose risks to an I.T. environment.
Furthermore, ZTX puts data at the center of the model, stating that it must be encrypted in transit and at rest. Because of the complexity involved, the extended model also recommends that organizations put measures in place to automate their security and deploy solutions which provide visibility into what is occurring in their environment.
Implementing Zero Trust to Secure Network Infrastructure
Using the Zero Trust model (and by extension ZTX), there are a few best practices which organizations need to implement to secure their networking infrastructure. These include authentication everywhere, network segmentation, and implementing solutions which provide visibility.
Because the traditional firewall no longer protects every enterprise I.T. asset, organizations need to implement authentication solutions that verify the identity and access rights of every user, device, and workload running on their network.
There are multiple ways to accomplish this authentication requirement, and depending on the complexity of the enterprise, organizations can look at implementing anything from standalone solutions for each service to a full-scale centralized Identity and Access Management (IAM) platform.
A centralized IAM solution provides a holistic approach to managing access across an enterprise environment, but smaller organizations that run a simplified I.T. infrastructure with a limited number of users, devices, and apps may not have the need, or the budget, to deploy a full-scale enterprise solution.
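The three Zero Trust concepts above (secure access, least privilege, inspect and log everything), ZTX's treatment of devices as untrusted, and the "authentication everywhere" requirement can be shown together in one small policy decision point. The following is an added example, not code from the article, from Forrester, or from any IAM product: every request carries a signed token that is verified, the device claim must say the device is compliant, the action must appear in an explicit entitlement table (default deny), and every decision is written to an audit log. The token format, claims, shared key, principals, resource names and entitlement table are all constructed for illustration.

```python
"""Zero Trust policy decision point (added example; not code from the article
or from Forrester's ZTX material).  Every request must present a token that is
verified (authentication everywhere), the caller's device must be compliant
(ZTX treats devices as untrusted), the action must appear in an explicit
entitlement table (least privilege, default deny), and every decision is
recorded (inspect and log all traffic).  The token format, the claims, the
shared key and the entitlement table are all constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment would rely on tokens issued and
# validated by an identity provider rather than a shared secret.
SECRET = b"constructed-demo-key"

# Least-privilege entitlements: (principal, resource) -> allowed actions.
# Anything not listed here is denied.
ENTITLEMENTS = {
    ("alice", "hr-db"): {"read"},
    ("payroll-svc", "hr-db"): {"read", "write"},
}

AUDIT_LOG = []  # one record per decision, allow or deny


def issue_token(subject, device_id, device_compliant, ttl=300, now=None):
    """Mint an HMAC-signed token carrying identity and device claims."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "dev": device_id,
              "compliant": device_compliant, "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return None
    return claims


def authorize(token, resource, action, now=None):
    """Decide one request and append the decision to AUDIT_LOG."""
    claims = verify_token(token, now)
    if claims is None:
        sub, decision, reason = None, "deny", "unauthenticated"
    elif not claims["compliant"]:
        sub, decision, reason = claims["sub"], "deny", "noncompliant-device"
    elif action in ENTITLEMENTS.get((claims["sub"], resource), set()):
        sub, decision, reason = claims["sub"], "allow", "entitled"
    else:
        sub, decision, reason = claims["sub"], "deny", "not-entitled"
    # Denies are logged as carefully as allows: they are the interesting events.
    AUDIT_LOG.append({"sub": sub, "resource": resource, "action": action,
                      "decision": decision, "reason": reason})
    return decision == "allow"


if __name__ == "__main__":
    tok = issue_token("alice", "laptop-1", True)
    print(authorize(tok, "hr-db", "read"))    # True
    print(authorize(tok, "hr-db", "write"))   # False, not entitled
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the design is that there is no trusted network position: a caller on the LAN with a valid token still gets only the actions listed for it, an expired or tampered token is treated as anonymous, and a noncompliant device is refused even when the user is entitled.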
Network security is at the core of both the Zero Trust and ZTX models. The premise that all network traffic is untrusted is the central one organizations need to embrace when securing their networks.
Network segmentation, the logical separation of a physical network into separate manageable components, can not only help organizations implement the Zero Trust concept of the principle of least privilege but can also help improve performance and manage complexity.
Securing an internal network by segmenting it into relevant areas is usually executed by network resource type.
For example, separating the network servicing users from the network on which services reside helps control network resource utilization and controls access by ensuring only authorized users can gain access to specific resources.
In many corporate environments, exposing services to the Internet requires the creation of a “Demilitarized Zone” (DMZ). A DMZ is cordoned off by two separate firewalls: one filters traffic from the internet, while the other sits between the DMZ and the internal network.
By utilizing this configuration, organizations can further secure their network as internet traffic has no direct access to the internal corporate LAN, but users can still access services from the internet through a set of carefully-configured firewall rules on both DMZ interfaces.
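The two-firewall DMZ layout described above can be modelled as a small zone-based policy evaluator. The following is an added example, not code from the article or from any firewall vendor: three zones sit in a line (internet, DMZ, LAN), a flow crosses every firewall between its source and destination zone, and it is allowed only if each firewall it crosses has an explicit allow rule for it; otherwise that firewall's default deny applies. The addresses, zone prefixes, host names and rules are constructed for illustration.

```python
"""Two-firewall DMZ model (added example; not code from the article).  Three
zones sit in a line: internet | outer firewall | DMZ | inner firewall | LAN.
A flow crosses every firewall between its source and destination zone and is
allowed only if each firewall it crosses has an explicit allow rule for it;
otherwise the firewall's default deny applies.  Addresses, zones and rules are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zone order matters: a firewall at position p separates ZONES[p] and ZONES[p+1].
ZONES = ["internet", "dmz", "lan"]
ZONE_PREFIXES = {
    "dmz": ip_network("192.0.2.0/24"),   # constructed documentation range
    "lan": ip_network("10.0.0.0/8"),
}


def zone_of(ip):
    addr = ip_address(ip)
    for name, prefix in ZONE_PREFIXES.items():
        if addr in prefix:
            return name
    return "internet"   # anything not internal is the untrusted outside


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None   # None matches any port
    src: Optional[str] = None     # optional host/prefix restriction on the source

    def matches(self, src_ip, src_zone, dst_zone, proto, dport):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto == proto
                and (self.dport is None or self.dport == dport)
                and (self.src is None or ip_address(src_ip) in ip_network(self.src)))


class Firewall:
    def __init__(self, name, position, allow_rules):
        self.name = name
        self.position = position   # index of the zone on its outer side
        self.rules = allow_rules   # explicit allow-list; everything else is denied

    def permits(self, src_ip, src_zone, dst_zone, proto, dport):
        return any(r.matches(src_ip, src_zone, dst_zone, proto, dport)
                   for r in self.rules)


OUTER = Firewall("outer", 0, [
    Rule("internet", "dmz", "tcp", 443),   # public web front end
    Rule("dmz", "internet", "tcp", 443),   # DMZ hosts fetch updates
    Rule("lan", "internet", "tcp", 443),   # users browse out
])
INNER = Firewall("inner", 1, [
    Rule("dmz", "lan", "tcp", 5432, src="192.0.2.10/32"),  # only the web host reaches the DB
    Rule("lan", "dmz", "tcp", 22),                          # admins manage DMZ hosts
    Rule("lan", "internet", "tcp", 443),                    # users browse out
])
FIREWALLS = [OUTER, INNER]


def evaluate(src_ip, dst_ip, proto, dport):
    """Return (decision, name of the firewall that denied) for a new flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    s, d = ZONES.index(src_zone), ZONES.index(dst_zone)
    lo, hi = sorted((s, d))
    # Firewalls between the two zones, in the order the packet meets them.
    crossed = [fw for fw in FIREWALLS if lo <= fw.position < hi]
    if s > d:
        crossed.reverse()
    for fw in crossed:
        if not fw.permits(src_ip, src_zone, dst_zone, proto, dport):
            return "deny", fw.name
    return "allow", None   # same-zone flows cross no firewall


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 443),
                 ("203.0.113.5", "10.0.1.20", "tcp", 443),
                 ("192.0.2.10", "10.0.1.20", "tcp", 5432),
                 ("192.0.2.11", "10.0.1.20", "tcp", 5432)]:
        print(flow, evaluate(*flow))
```

Two things the model makes visible: an internet client never gets a rule that lands on the LAN, so the outer firewall drops it before the inner one is consulted, and the inner firewall's one DMZ-to-LAN rule is pinned to the single web host, so a compromised neighbour in the DMZ has no path to the database.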
In any environment, you cannot manage what you cannot see. In modern networks, having a view of what is happening in real time is essential. As per the Zero Trust model, organizations need active visibility into security events as they occur on a network so that they can proactively respond and remedy any issues.
In a networking environment, there are a variety of tools which organizations can utilize to monitor the health and security of their network. These can range from free open source tools to fully-fledged enterprise automation platforms.
These monitoring tools not only let organizations actively monitor every device on the network, but can also help reduce security threats where the monitoring platform offers regular vulnerability scanning.
Furthermore, tools which enable visibility into a network can also help produce the essential documentation needed to manage and maintain a modern networking environment.
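Visibility means more than collecting events; the logs have to be turned into something an operator can act on. The following is an added example, not code from the article or from any monitoring product: it parses a handful of constructed firewall log lines from a segmented network and flags any internal source whose denied connections touch many distinct destination ports within a short window, which is the kind of east-west probing segmentation is meant to expose. The log format, addresses, timestamps and thresholds are all constructed for illustration.

```python
"""Detection over constructed firewall logs (added example; not code from the
article).  Flags sources whose denied connections hit many distinct
(destination, port) pairs within a sliding time window.  The log format,
addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.0/24 is a user segment, 10.0.1.0/24 a server
# segment, and the inner firewall sits between them.
LOG_LINES = """
2024-05-01T10:00:00Z fw=outer action=allow src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:01Z fw=inner action=deny src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=22
2024-05-01T10:00:05Z fw=inner action=deny src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=23
2024-05-01T10:00:09Z fw=inner action=deny src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=135
2024-05-01T10:00:13Z fw=inner action=deny src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=445
2024-05-01T10:00:17Z fw=inner action=deny src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=3389
2024-05-01T10:00:21Z fw=inner action=deny src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=8080
2024-05-01T10:00:30Z fw=inner action=deny src=10.0.0.7 dst=10.0.1.20 proto=tcp dport=5432
2024-05-01T10:00:00Z fw=inner action=deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=22
2024-05-01T10:10:00Z fw=inner action=deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=80
2024-05-01T10:20:00Z fw=inner action=deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=443
2024-05-01T10:30:00Z fw=inner action=deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=445
2024-05-01T10:40:00Z fw=inner action=deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=3389
2024-05-01T10:50:00Z fw=inner action=deny src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=8080
""".strip().splitlines()


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict with typed ts and dport."""
    ts, kv = line.split(" ", 1)
    fields = dict(pair.split("=", 1) for pair in kv.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["dport"] = int(fields["dport"])
    return fields


def find_port_sweeps(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source whose denies reach >= threshold distinct
    (dst, dport) targets inside any span no longer than `window`."""
    denies = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event["action"] == "deny":
            denies[event["src"]].append(event)

    findings = []
    for src, events in denies.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end, event in enumerate(events):
            # Slide the window start forward until the span fits.
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            targets = {(e["dst"], e["dport"]) for e in events[start:end + 1]}
            best = max(best, len(targets))
        if best >= threshold:
            findings.append({"src": src, "distinct_targets": best,
                             "first_seen": events[0]["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in find_port_sweeps(LOG_LINES):
        print(finding)
```

In the constructed sample, 10.0.0.5 is reported because it touched six ports in twenty seconds, 10.0.0.7 is not (a single deny is ordinary noise), and 10.0.0.9 is not because its six denies are spread over fifty minutes; widening the window to an hour would surface it, which is the tuning trade-off every such rule carries.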
Authentication, Access Control, and Visibility
Due to the impact cloud and mobile have had on modern enterprises, securing a modern networking infrastructure requires a Zero Trust approach.
Organizations need to regard all users, devices, workloads, and networks as untrusted and implement the necessary measures to protect their I.T. assets.
By verifying the identity of every resource which accesses their network through some form of authentication, segmenting their network into logical access control layers, and implementing solutions which enhance the visibility of incidents as they occur, organizations can secure their network infrastructure for a cloud-first, mobile world.
To learn more about how your organization can effectively secure its network infrastructure, contact JMARK.