The concept of Zero Trust (ZT) has become an integral strategy for organizations to provide a defense-in-depth approach to prevent breaches and lateral movement if an incident occurs. Many traditional network security investments, however, primarily focus on perimeter defense, potentially leaving critical resources wide open to malicious actors should a network user or component become compromised. Ideally, organizations should manage, monitor, and restrict both internal and external traffic flows.
In order to emphasize the importance of implementing security controls close to resources and data in addition to perimeter defense, the National Security Agency (NSA) has released a new Cybersecurity Information Sheet providing comprehensive insights into implementing Zero Trust using best practices for Network, Environmental, and Software Defined Networks (SDN).
This blog summarizes the key points of the NSA document, outlining its significance in curbing cyber threats through advanced network segmentation and control strategies that are present in most environments, but which may not be fully implemented or configured correctly.
What is the Zero Trust network and environment pillar?
The Zero Trust network and environment pillar aims to prevent lateral movement by cyber attackers within an organization's network by mapping data flows and implementing network segmentation with strong access controls. It advocates for granular policy restrictions, logical and physical segmentation, isolation of network components, encryption, and enterprise visibility.
This approach is a part of the broader Zero Trust security model, which operates under the assumption that breaches may occur within the network. The goal is to limit, verify, and monitor activities across the network to safeguard sensitive data and critical systems from being accessed after an incident. The model, simply put, is all about containment.
Why is the network and environment pillar important?
A common technique malicious cyber actors leverage is to gain access to an organization’s network, and then move laterally through the network to gain access to more sensitive data and critical systems. The Zero Trust network and environment pillar aims to help organizations curtail adversarial lateral movement and thus contain the attack.
The NSA underscored the importance of this pillar of the Zero Trust model with a case study involving a major data breach at an American retail corporation in 2013. The breach, facilitated by inadequate network segmentation, led to the compromise of approximately 40 million debit and credit card details. This incident highlights the need for robust network security that goes beyond perimeter defense to include internal traffic management, because any device could potentially be a beachhead for future attacks. That includes Operational Technology (OT), Internet of Things (IoT), and other network-enabled devices.
How do network and environment fit into the seven pillars of Zero Trust?
The network and environment pillar works in concert with the other NSA Zero Trust pillars as part of a holistic Zero Trust security model that limits, verifies, and monitors activities throughout the network under the assumption that adversary breaches occur inside the network:
- User: Continually authenticate, assess, and monitor user behavior to govern users’ access and privileges while protecting and securing all interactions.
- Device: Inventory and manage the health and status of devices to inform the organization of risk-based decisions. This should occur in real time to inspect, assess, patch, and change conditions based on any and every request to protect the asset and associated data.
- Network & Environment: Provide segmentation, isolation, and control (physically and logically) within network environments and network routes with granular policy and access controls.
- Data: Ensure data transparency and visibility to secure enterprise infrastructure, applications, compliance, and standards, with end-to-end encryption, using techniques like data tagging and data classification.
- Application & Workload: Every asset, resource, and identity should be secured from applications to hypervisors, including physical hosts, and the protection of workloads from containers and virtual machines.
- Automation & Orchestration: Security responses should be automated based on documented policies and procedures. In addition, advanced technology like artificial intelligence and machine learning should be used when possible to perform blocking actions, force remediation or mitigation, or recommend intelligence-based decisions.
- Visibility & Analytics: Analyze events, behaviors, and runtime activities to derive context and apply artificial intelligence and machine learning models to achieve customized outcomes from your environment.
4 best practices for securing your network and environment pillar
The Network and Environment Pillar focuses on close-to-resource security controls, like Access Control Lists (ACLs), in addition to perimeter defenses to prevent unauthorized lateral movement and enhance Zero Trust. In their latest guidance, the NSA highlights the following four disciplines as critical to the network and environment pillar and your overall Zero Trust deployment:
- Data Flow Mapping: Understanding how data moves within and between networks is crucial. This involves identifying unencrypted data flows and transitioning them to secure protocols.
- Macro Segmentation: Dividing the network into discrete components based on security requirements. This reduces the attack surface and limits the impact of breaches.
- Micro Segmentation: This further breaks down the network, isolating users, applications, and workflows to enhance security at a more granular level.
- Software Defined Networking (SDN): SDN facilitates dynamic network management and policy enforcement, enhancing security through centralized control.
The NSA emphasizes the importance of continuous improvement and vigilance in network security based on these four recommendations.
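To make the four disciplines concrete, here is an added example (not code from the NSA information sheet or from BeyondTrust) that evaluates a constructed flow log against a segmentation policy. The segment address ranges, the allowlist and the log lines are all hypothetical. The script maps each observed flow to a source and destination segment (data flow mapping), flags well-known cleartext protocols that should be migrated to secure ones, and applies an explicit allowlist with default deny to both cross-segment flows (macro segmentation) and flows between hosts inside the same segment (micro segmentation), reporting anything that would indicate lateral movement. The same evaluation, fed from a central controller, is the kind of policy an SDN fabric would enforce.

```python
"""Segmentation policy evaluator over a constructed flow log (added example)."""
import re
from ipaddress import ip_address, ip_network

# Hypothetical macro segments, keyed by function (constructed, not from the NSA sheet).
SEGMENTS = {
    "user_lan":        ip_network("10.10.0.0/16"),
    "pos_terminals":   ip_network("10.20.0.0/16"),
    "payment_servers": ip_network("10.30.0.0/24"),
    "vendor_portal":   ip_network("10.40.0.0/24"),
}

# Cleartext services that data-flow mapping should surface for migration to secure protocols.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}

# Explicit allowlist of (source segment, destination segment, destination port).
# Anything not listed is denied, whether or not it crosses a segment boundary;
# applying the allowlist inside a segment is what micro segmentation adds.
ALLOWED_FLOWS = {
    ("pos_terminals",   "payment_servers", 443),
    ("user_lan",        "vendor_portal",   443),
    ("payment_servers", "payment_servers", 5432),
}

# Minimal flow-record format assumed for this example (constructed, not a vendor format).
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def segment_of(ip: str) -> str:
    """Return the segment name containing ip, or 'unknown' if it is unmapped."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str):
    """Extract a flow record from one log line; None if the line is not a flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"src": m[1], "dst": m[2], "dport": int(m[3]), "proto": m[4]}


def evaluate(flow: dict) -> dict:
    """Classify one flow: allow/deny verdict plus findings worth an analyst's attention."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    findings = []
    if flow["dport"] in CLEARTEXT_PORTS:
        findings.append(f"cleartext:{CLEARTEXT_PORTS[flow['dport']]}")
    if "unknown" in (src_seg, dst_seg):
        findings.append("unmapped_segment")  # a gap in the data-flow map itself
    if (src_seg, dst_seg, flow["dport"]) in ALLOWED_FLOWS:
        verdict = "allow"
    else:
        verdict = "deny"  # default deny
        if src_seg != dst_seg:
            findings.append("cross_segment_not_allowlisted")  # candidate lateral movement
        else:
            findings.append("intra_segment_not_allowlisted")  # micro-segmentation violation
    return {**flow, "src_segment": src_seg, "dst_segment": dst_seg,
            "verdict": verdict, "findings": findings}


def analyze(lines):
    """Evaluate every parseable flow line and return the per-flow results in order."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            results.append(evaluate(flow))
    return results


def summarize(results) -> dict:
    """Roll results up into the counts a segmentation review would report."""
    return {
        "allow": sum(r["verdict"] == "allow" for r in results),
        "deny": sum(r["verdict"] == "deny" for r in results),
        "cleartext": sum(any(f.startswith("cleartext:") for f in r["findings"]) for r in results),
        "unmapped": sum("unmapped_segment" in r["findings"] for r in results),
    }


# Constructed sample log: one permitted flow, then several that policy should catch.
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z src=10.20.5.7 dst=10.30.0.10 dport=443 proto=tcp",    # POS -> payment, allowed
    "2024-01-01T00:00:02Z src=10.40.0.8 dst=10.30.0.10 dport=443 proto=tcp",    # vendor -> payment, denied
    "2024-01-01T00:00:03Z src=10.10.3.4 dst=10.40.0.8 dport=80 proto=tcp",      # cleartext HTTP, denied
    "2024-01-01T00:00:04Z src=10.10.3.4 dst=10.10.7.9 dport=445 proto=tcp",     # host-to-host in one segment
    "2024-01-01T00:00:05Z link state change on gi0/1",                          # not a flow record
    "2024-01-01T00:00:06Z src=192.168.99.4 dst=10.30.0.10 dport=22 proto=tcp",  # unmapped source
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"{r['src']:>14} -> {r['dst']:<12} {r['verdict']:<5} {r['findings']}")
    print(summarize(analyze(SAMPLE_LOG)))
```

In a real rollout the segment map and allowlist come from the data flow mapping exercise rather than a hand-written dictionary, and the "deny" verdicts are first run in monitor-only mode so that legitimate but undocumented flows are added to the map before enforcement is switched on.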
How to implement holistic zero trust: NSA’s Four Step Maturity Model
For each of the above disciplines, the NSA has provided a four-step maturity model to ensure a rollout plan can be developed and matured within an organization:
- Step 1: Preparation - Plan and collect all data for mapping data flows.
- Step 2: Basic - Segment functional areas and implement SDN where possible.
- Step 3: Intermediate - Enforce and monitor access policies between segments for inappropriate behavior and potential lateral movement.
- Step 4: Advanced - Establish automation and management based on analytics and risk-based responses using policy and AI/ML technologies.
Next steps
For organizations to properly secure themselves against the rapid expansion of modern threats and the dissolution of the traditional perimeter, it is critical to assume that threats already exist within the nominal boundaries of their systems. Organizations need better visibility across their network and ecosystem to be able to continually detect and assess risks, enact timely responses, and ensure the proper controls are in place to contain threats and prevent them from moving laterally to accomplish their malicious intent.
NSA’s expanded and refined network and environment pillar roadmap provides organizations with processes for resisting, detecting, and responding to threats that exploit weaknesses or gaps in their enterprise architecture.
For more information about strengthening your cyber defenses in accordance with NSA’s advanced Zero Trust maturity model, download our free whitepaper, or contact a knowledgeable representative today.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.