Aug 26 2021

Network Behavior Monitoring, Software-Defined Perimeters Make Zero Trust a Reality

In addition to identity and access management tools, agencies need to ensure their networks are modernized to implement a zero-trust architecture.

Building a zero-trust architecture is a complex task for IT leaders, and it’s now an imperative for federal agencies.

One of the key elements of zero trust is granular, role-based access management. Identity is definitely a major pillar of any zero-trust implementation. However, another essential element of zero trust is the network, and IT leaders need to ensure they are taking steps to upgrade and bolster the security of their networks as they shift to zero-trust architectures.

Zero trust is fundamentally about removing blanket trust: no user, device or network location is trusted simply because it is already inside the agency’s network. Agency networks need to be segmented into distinct “trust zones,” with end-user devices treated as untrusted, or at best semi-trusted, until identity and device state have been verified.

The Network Elements of a Zero-Trust Approach

The networking aspects of zero trust are linked directly to the identity and access management aspects. Agencies need to develop intelligent access designs for their networks as well as for data and applications.

Microsegmentation in a zero-trust network lets a user get from point A in the network to point B, but only to the point B they are authorized to reach. Each segment boundary acts as a policy enforcement point: as traffic crosses it, network access control policy re-validates the user’s identity and the access rule for that specific destination, rather than trusting the user because the connection originates from inside the network.

This is why it’s critical for agencies to implement and monitor user and network behavioral analytics tools, so they can determine whether network activity is anomalous and whether users are who they say they are as they move within an agency’s enterprise network. Ultimately, the network should be able to adapt its access decisions to the user’s identity and behavior, and allow only the network traffic tied to a validated identity.
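The two mechanisms described above, identity-checked microsegmentation and a behavioral baseline layered on top of it, as an added example that is not code from the article or from any vendor product. It is a toy policy enforcement point in Python: a default-deny role policy decides each flow, and a per-user baseline flags flows that policy permits but that the user has never made before. Roles, segments, users and flow records are constructed for the example.

```python
# Added example (not code from the FedTech article): a toy identity-aware
# microsegmentation policy engine with a per-user behavioral baseline, run
# over constructed flow records. Roles, segments, users and flows are
# hypothetical.
from collections import defaultdict
from dataclasses import dataclass

# Role -> destination segment -> allowed destination ports. Anything not
# listed is denied (default deny). In practice this is derived from the
# identity and access management system, not hand-written.
POLICY = {
    "hr-analyst": {"hr-app": {443}},
    "db-admin":   {"hr-app": {22, 443}, "hr-db": {5432}},
}


@dataclass(frozen=True)
class Flow:
    user: str
    role: str              # role asserted by the identity provider
    device_attested: bool  # endpoint passed device posture / attestation
    dst_segment: str
    dst_port: int


def authorize(flow: Flow) -> tuple:
    """Policy enforcement point decision for one flow: (allowed, reason).

    Identity is re-checked per flow, so being "inside the network" already
    grants nothing; only the role policy for this destination does.
    """
    if not flow.device_attested:
        return False, "device not attested"
    ports = POLICY.get(flow.role, {}).get(flow.dst_segment)
    if ports is None:
        return False, f"role {flow.role} may not reach {flow.dst_segment}"
    if flow.dst_port not in ports:
        return False, f"port {flow.dst_port} not allowed into {flow.dst_segment}"
    return True, "allowed by role policy"


class Baseline:
    """Per-user record of (segment, port) destinations seen during a learning
    window. A flow that policy allows but that the user has never made before
    is flagged for analysts rather than silently permitted."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, flow: Flow) -> None:
        self.seen[flow.user].add((flow.dst_segment, flow.dst_port))

    def is_anomalous(self, flow: Flow) -> bool:
        return (flow.dst_segment, flow.dst_port) not in self.seen[flow.user]


def evaluate(flows, baseline: Baseline):
    """Return one dict per flow with the policy decision and anomaly flag."""
    results = []
    for f in flows:
        allowed, reason = authorize(f)
        results.append({
            "user": f.user,
            "dst": f"{f.dst_segment}:{f.dst_port}",
            "allowed": allowed,
            "reason": reason,
            # Only allowed flows can be anomalous-but-permitted; denied ones
            # are already blocked and logged as denials.
            "anomalous": allowed and baseline.is_anomalous(f),
        })
    return results


# Constructed learning window: what these users normally do.
LEARNING = [
    Flow("alice", "hr-analyst", True, "hr-app", 443),
    Flow("carol", "db-admin", True, "hr-app", 22),
]

# Constructed flows to evaluate.
SAMPLE = [
    Flow("alice", "hr-analyst", True, "hr-app", 443),   # normal
    Flow("alice", "hr-analyst", True, "hr-db", 5432),   # lateral move, denied
    Flow("carol", "db-admin", False, "hr-db", 5432),    # unattested device
    Flow("carol", "db-admin", True, "hr-db", 5432),     # allowed, but new for carol
]


def run_demo():
    baseline = Baseline()
    for f in LEARNING:
        baseline.learn(f)
    return evaluate(SAMPLE, baseline)


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The fourth sample flow is the interesting one: the database administrator is entitled to reach the database, so policy allows it, but the baseline has never seen that user do so, so the flow is permitted and flagged. That split between “denied by policy” and “allowed but anomalous” is what the behavioral analytics layer adds on top of microsegmentation.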

Another key aspect of zero-trust networking is a software-defined perimeter. SDPs aim to give agencies the ability to set up perimeter functionality where needed and then offer access to applications only after device attestation and identity verification.

Software-defined perimeters can be established anywhere: on the internet, in a cloud or on the agency’s network. Each user is placed in an individual perimeter and cannot reach another user or application until an SDP controller has verified the user’s identity, attested the device and authorized that specific connection. Until that authorization exists, the SDP gateway in front of the resource simply drops the traffic, so the resource is invisible to unauthenticated clients.

SDPs give agency network administrators the visibility, analytics and automation and orchestration capabilities to get a holistic view of the entire network.
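The controller-gateway exchange described above, as an added example that is not code from the article or from any SDP implementation. It simulates the three parties in Python: the client asks the controller for access, the controller checks identity, device attestation and entitlement before issuing a signed, time-limited grant for one application, and the gateway in front of that application accepts only traffic carrying such a grant. Users, devices, application names, the shared key and the grant format are hypothetical, and the real SDP specification’s single-packet authorization and mutual TLS are left out to keep the flow visible.

```python
# Added example (not code from the FedTech article): a simulated
# software-defined perimeter exchange between a client, an SDP controller
# and an SDP gateway. Users, devices, apps, the shared key and the grant
# format are hypothetical; the real SDP specification uses single-packet
# authorization and mutual TLS, which this toy omits.
import hashlib
import hmac
import json
import time

# Key shared between controller and gateway so the gateway can verify that
# a grant really came from the controller. Hypothetical value.
CONTROLLER_GATEWAY_KEY = b"hypothetical-controller-gateway-key"


class Controller:
    """Authenticates the user, checks device attestation and decides which
    application the user may reach before any packet touches the resource."""

    def __init__(self, users, attested_devices, entitlements, key):
        self.users = users                 # user -> credential (stand-in for the IdP)
        self.attested = attested_devices   # device_id -> attestation passed?
        self.entitlements = entitlements   # user -> set of app names
        self.key = key

    def request_access(self, user, credential, device_id, app, now=None, ttl=300):
        """Return a signed, time-limited grant for exactly one app, or None."""
        now = time.time() if now is None else now
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected, credential):
            return None                             # identity verification failed
        if not self.attested.get(device_id, False):
            return None                             # device attestation failed
        if app not in self.entitlements.get(user, set()):
            return None                             # no entitlement to this app
        grant = {"user": user, "device": device_id, "app": app, "exp": int(now + ttl)}
        body = json.dumps(grant, sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"grant": grant, "mac": mac}


class Gateway:
    """Sits in front of the protected application. Default deny: a packet is
    forwarded only if it carries a valid, unexpired controller grant naming
    this very application."""

    def __init__(self, app, key):
        self.app = app
        self.key = key

    def accept(self, token, now=None) -> bool:
        if not token:
            return False                            # no grant at all: drop
        body = json.dumps(token["grant"], sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("mac", "")):
            return False                            # forged or tampered grant
        grant = token["grant"]
        now = time.time() if now is None else now
        return grant["app"] == self.app and grant["exp"] > now


# Constructed directory data for the demo.
controller = Controller(
    users={"alice": "alice-credential"},
    attested_devices={"laptop-1": True, "laptop-2": False},
    entitlements={"alice": {"hr-app"}},
    key=CONTROLLER_GATEWAY_KEY,
)
hr_app_gateway = Gateway("hr-app", CONTROLLER_GATEWAY_KEY)
hr_db_gateway = Gateway("hr-db", CONTROLLER_GATEWAY_KEY)


def run_demo(now=1_700_000_000):
    """Walk through the exchange and return each step's outcome (all True)."""
    token = controller.request_access("alice", "alice-credential", "laptop-1", "hr-app", now=now)
    tampered = {"grant": dict(token["grant"], app="hr-db"), "mac": token["mac"]}
    return {
        "grant_issued": token is not None,
        "hr_app_accepts": hr_app_gateway.accept(token, now=now),
        "hr_db_rejects": not hr_db_gateway.accept(token, now=now),       # grant is app-bound
        "tamper_rejected": not hr_db_gateway.accept(tampered, now=now),  # MAC no longer matches
        "expired_rejected": not hr_app_gateway.accept(token, now=now + 301),
        "unattested_device": controller.request_access(
            "alice", "alice-credential", "laptop-2", "hr-app", now=now) is None,
        "wrong_credential": controller.request_access(
            "alice", "guess", "laptop-1", "hr-app", now=now) is None,
    }


if __name__ == "__main__":
    for step, ok in run_demo().items():
        print(f"{step}: {ok}")
```

Two properties matter here. The gateway never consults the user directory itself; it only verifies that the controller signed the grant, so the perimeter can be placed anywhere the gateway runs. And a grant is bound to one application and one expiry, so a client admitted to hr-app gets nothing toward hr-db and loses access when the grant lapses, which is the per-connection authorization the SDP model calls for.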


How to Create Zero-Trust Network Architecture

The first step to building a zero-trust network is mapping the agency’s requirements, and each agency is different. Some agencies may have internet-based resources and workloads that cross multiple trust zones. They need to determine how many network tenants they have and how many resource providers they have.

As many have noted, zero trust is not a capability an agency or organization can buy off the shelf. It’s an architecture, a state of mind and a combination of capabilities.

IT leaders need to determine how deeply they want to restructure their network architecture and how many layers of the onion they want to peel back. Agencies have users who need to get access to different applications, and they need to determine what data and applications are involved. That will help determine the kind of microsegmentation approach the agency will take.

In a virtualized, software-defined environment, that microsegmentation is critical to determining the data that users can access. This needs to be coupled with end-user behavioral modeling and analytics and could involve the deployment of a security orchestration, automation and response (SOAR) platform.

As agencies construct zero-trust architectures for their networks, it will be important for them to work with a range of vendors. It’s critical that the compromise of one network device, or of one vendor’s product line, does not become a systemic risk to the entire network. That is not an argument for network complexity for complexity’s sake, but rather a recommendation to build a multilayered network environment without a single point of failure.

Building a zero-trust network is not easy, but it is certainly doable — and it is an essential component of creating a more secure environment within the government.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
