NSA article summary: Zero trust networking

In March, the National Security Agency (NSA) reiterated the importance of securing the network environment in a concise 12-page publication.

This publication is timely considering the recent cyberattacks on Change Healthcare and Lurie Children's Hospital. In it, the NSA explains security concepts with simple references that everyone can understand — no engineering degree required. If you have ever watched "The Lord of the Rings" battle scenes with layered castle walls, navigated the stanchions while queuing your family up for a fast pass at an amusement park, or enjoyed the privilege of the TSA-approved access line with your validated ID, you have experienced the concept of zoned segmentation, an integral part of a zero trust strategy.

In its report, the NSA emphasizes the importance of network security for zero trust. Source: Advancing Zero Trust Maturity Throughout the Network and Environment Pillar

Per the article, network segmentation is critical to removing implicit trust and having a method to govern and control network transactions:

"The concepts introduced in this cybersecurity information sheet provide guidance on enhancing existing network security controls to limit the potential impact of a compromise through data flow mapping, macro and micro segmentation, and software defined networking (SDN). These capabilities enable host isolation, network segmentation, enforcement of encryption and enterprise visibility. As organizations mature their internal network control, they greatly improve their defense-in-depth posture and, consequently, can better contain, detect and isolate network intrusions."

After providing several examples of applied zero trust networking concepts that build upon one another toward a logical maturity model, the article closes with a straightforward bullet-point summary that is a call to action:

"To mature the network and environment capabilities, an organization should:

  • Map data flows based on usage patterns and operational business requirements.
  • Properly segment the network at both the macro and micro levels.
  • For centralized control and automated tasking, use SDN where it is available and practical to do so.
  • Automate security policies to gain operational efficiency and agility.
  • Use risk-based methodologies to define access rules that include mechanisms to ensure malicious or unauthorized traffic is dropped prior to reaching network resources at the perimeter, macro and micro boundaries."
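The five bullets above are one pipeline: observed flows become a data-flow map, the map becomes allow rules at the macro (zone-to-zone) and micro (host-to-host) boundaries, and everything not on the map is dropped. The following Python is an added illustration of that pipeline, not code from the NSA sheet or from WWT. The zones, CIDRs, addresses and flow records are all constructed for the example; in practice the flows would come from a collector such as NetFlow/IPFIX or cloud VPC flow logs, and the derived rules would be reviewed against business requirements before enforcement. The assumption that the user zone is enforced at the macro level only (per-device access being a ZTNA/identity concern rather than a network one) is also the example's, not the NSA's.

```python
"""Data-flow mapping -> segmentation allowlist -> default-deny evaluation.

Added example, not from the NSA information sheet or WWT. All zones, CIDRs,
addresses and flow records below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Macro segmentation: coarse zones. The CIDRs are assumptions for the example.
ZONES = {
    "users": ip_network("10.10.0.0/16"),
    "web": ip_network("10.20.0.0/24"),
    "db": ip_network("10.30.0.0/24"),
    "mgmt": ip_network("10.99.0.0/24"),
}

# Zones whose workloads are pinned host-to-host (micro segmentation).
# The user zone is enforced at the macro level only (assumption, see lead-in).
MICRO_ZONES = {"web", "db", "mgmt"}

# Constructed flow records (src, dst, dst_port, proto), as a flow collector
# would export them during the data-flow mapping phase.
OBSERVED_FLOWS = [
    ("10.10.4.12", "10.20.0.5", 443, "tcp"),   # user -> web
    ("10.10.7.30", "10.20.0.5", 443, "tcp"),   # user -> web
    ("10.20.0.5", "10.30.0.8", 5432, "tcp"),   # web -> db (postgres)
    ("10.99.0.2", "10.20.0.5", 22, "tcp"),     # mgmt -> web (ssh)
    ("10.99.0.2", "10.30.0.8", 22, "tcp"),     # mgmt -> db (ssh)
]


def zone_of(ip):
    """Map an address to its macro zone; unmapped addresses sit outside the perimeter."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def map_data_flows(flows):
    """Step 1: data-flow map keyed by (src_zone, dst_zone) -> {(dst_port, proto)}."""
    flow_map = defaultdict(set)
    for src, dst, port, proto in flows:
        flow_map[(zone_of(src), zone_of(dst))].add((port, proto))
    return dict(flow_map)


def build_policy(flows):
    """Step 2: derive allow rules from the map.

    Macro rules are zone-to-zone; micro rules pin each observed host pair for
    workload zones. Anything not derived here is implicitly denied.
    """
    micro = defaultdict(set)
    for src, dst, port, proto in flows:
        if zone_of(src) in MICRO_ZONES:
            micro[(src, dst)].add((port, proto))
    return {"macro": map_data_flows(flows), "micro": dict(micro)}


def evaluate(policy, src, dst, port, proto):
    """Step 3: enforcement. A flow must pass the perimeter, macro and micro
    boundaries in turn; the first failing boundary drops it. Returns (verdict, reason)."""
    sz, dz = zone_of(src), zone_of(dst)
    if "untrusted" in (sz, dz):
        return ("drop", "perimeter: address outside every mapped zone")
    if (port, proto) not in policy["macro"].get((sz, dz), ()):
        return ("drop", f"macro: {sz}->{dz} {proto}/{port} not in data-flow map")
    if sz in MICRO_ZONES and (port, proto) not in policy["micro"].get((src, dst), ()):
        return ("drop", f"micro: {src}->{dst} {proto}/{port} not an observed host pair")
    return ("allow", f"{sz}->{dz} {proto}/{port}")


if __name__ == "__main__":
    policy = build_policy(OBSERVED_FLOWS)
    trials = [
        ("10.10.9.9", "10.20.0.5", 443, "tcp"),     # new user host, allowed at macro level
        ("10.10.9.9", "10.30.0.8", 5432, "tcp"),    # user straight to db: macro drop
        ("10.20.0.5", "10.30.0.8", 22, "tcp"),      # web pivoting to db over ssh: macro drop
        ("10.20.0.6", "10.30.0.8", 5432, "tcp"),    # unmapped web host to db: micro drop
        ("192.0.2.10", "10.20.0.5", 443, "tcp"),    # outside the perimeter
    ]
    for flow in trials:
        print(flow, "->", evaluate(policy, *flow))
```

The order of checks matters for containment: a compromised web server trying SSH to the database is stopped at the macro boundary even though both hosts are "inside", and a second web host that was never part of the mapped application path is stopped at the micro boundary even though its zone-to-zone path is allowed. That second case is what micro segmentation buys over a traditional zone firewall.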

With easy-to-understand concepts and straightforward goals, why has adoption of network segmentation been so slow? After all, as John Kindervag, widely regarded as the godfather of zero trust, pointed out in his blog assessment of the NSA briefing, these are concepts he stressed over a decade ago. So why are organizations so far behind in implementing a zero trust network architecture?

Challenges to implementing zero trust network segmentation

WWT has consulted with a multitude of clients across various industry verticals who candidly shared their experiences with lofty goals for zero trust network implementation — only to experience minimal progress and, in some cases, business disruptions from failed attempts. Through these engagements, WWT has developed key insights into why clients struggle to attain the desired level of maturity and what can be done to accelerate their efforts.

Common challenges and contributing factors clients have experienced include:

  1. Lack of executive and stakeholder buy-in: Many organizations fail to recognize the transformational nature of zero trust network implementation and underestimate the high level of engagement required from stakeholders outside of the network and infrastructure operations teams. These silos are a common source of stalled implementation efforts. As with any transformational effort, the priority and engagement must start at the top to drive engagement across traditional organizational silos and change "the way we have always done it."
  2. The retrofit effect: Legacy systems, which process a significant amount of data daily, are often not compatible with a zero trust model. These older technology applications may not offer the level of control, verification or authentication required by a zero trust approach.
  3. Integration and third parties: Implementing a zero trust security model in today's dynamic IT environments can be particularly challenging due to the proliferation of diverse technologies and extended endpoints. The comprehensive scanning and discovery required to establish a zero trust architecture often demands significant management overhead to maintain visibility and control across the entire infrastructure.
  4. Remote work: The rise of remote work, especially during the pandemic, has introduced logistical hurdles. Implementing zero trust in this context, with its decision-making and micro-segmentation requirements, adds another layer of complexity [1].
  5. Technology: Integrating financial technology (fintech) applications into existing network infrastructures can complicate the implementation of zero trust. Unification issues across hybrid networks and cloud infrastructures can hinder micro-segmentation and verification, especially when a given application or platform cannot run on a particular cloud provider's infrastructure [1].
  6. Data governance: A fundamental principle of zero trust is mapping the data lifecycle and analyzing how users are accessing and interacting with sensitive information. This requires a comprehensive understanding of data flows and user behavior. Most companies have data stored in multiple places (cloud, data center, third-party suppliers, etc.), and frankly, very few have high confidence that they have their data under control.
  7. Skills gap: The skills required to design, deploy and operate complex networks are difficult to hire for, and it is even harder to elevate existing staff into these roles. Tools and controller-based management systems must be embraced, along with automation, to deploy and manage growing networks with integrated security, visibility and identity-based access [6].
  8. Scope - boiling the ocean: Some clients, after experiencing a cyber incident, were given an edict to charge full steam ahead and transform the entire network with zero trust concepts in short order. Leveraging the appropriate methodology to scope, communicate and report on the incremental success of the implementation is critical to maintaining project momentum and achieving the true outcome — less risk!

These challenges highlight the need for a comprehensive, risk-based approach when implementing zero trust network segmentation.

Leveraging an experienced guide and proven methodology to accelerate the business outcomes of zero trust segmentation

If you have ever taken a tour in a foreign country, hiked in the mountains, or even filed complicated tax returns, you understand the immense value of a seasoned guide.

In a similar fashion, if you are going to overcome the challenges of implementing zero trust segmentation, you need an experienced guide who applies proven methodologies and maintains momentum toward the desired risk reduction. WWT has an established practice with technologists who deliver more than advice — they have supported and accelerated business outcomes in multiple roles, including hands-on execution.

WWT's approach includes a proven methodology to prioritize, execute and report on incremental risk reduction throughout the program lifecycle. A comprehensive, strategic approach ensures proper scoping and engagement with stakeholders so that both the "why" and the "how" of the project execution are understood, which pays big dividends in ongoing support. Reinforcing the "why" also acts as a catalyst for the success of "day 2" security practices and the ongoing cultural transformation required to maintain a zero trust approach going forward. Throughout the engagement, availability — maintaining the continuity of business operations — remains the critical success factor, so that business processes and technology are transformed without halting or impacting business outcomes.

Identifying and prioritizing business-critical assets, together with a view of the organization's specific threats, is critical to focus efforts and achieve incremental risk reduction as the implementation progresses. In addition, providing executive leadership with status reports expressed in business terminology helps maintain executive buy-in. As the implementation progresses, the overall hygiene of critical assets also improves, which often results in better network fault and performance metrics as well.

Pursuing network segmentation as part of a zero trust implementation yields significant risk reduction and provides the bedrock for continued transformation to build resiliency into business processes — so don't wait. Leverage an experienced guide to accelerate your efforts and protect your organization in the face of ever-increasing threats.

References:

  1. WWT Research: Security Priorities for 2022
  2. WWT Research: Security Priorities for 2023
  3. Article: Zero Trust Principles
  4. Article: The Zero Trust Network Access (ZTNA) Puzzle Piece in SASE
  5. United Health Group Cyberattack Status Update
  6. NSA Publication: Advancing Zero Trust Maturity Throughout the Network and Environment Pillar