Add More Segments to Your Network
Zero trust isn’t just about the user; it’s about not trusting the network or other servers either. A zero-trust architecture means more network firewalls, each controlling access between different network segments. While some network managers have elected to supersize their firewalls and turn them into enormous routers between microsegments within the data center, this instead creates a huge potential single failure point.
More important, existing firewalls and their management systems are not designed to have hundreds of segments, each with a slightly different security policy, pushed to a single device. Add to this the federal Cloud Smart strategy, which discourages centralization within an agency private data center.
Network managers should look into more distributed architectures, adding multiple smaller firewalls to provide segmentation within private and public data centers. This is especially true when functions are different. For example, user-to-application traffic needs different unified threat management firewalling than server-to-server, which requires much simpler access controls and a less sophisticated firewall.
The most important component, no matter how many devices are in the network, is a good management system that supports global objects (such as application definitions and network addresses) when it is used to create and push policy to each device. This critical capability reduces the likelihood of human error and miscommunications creating security problems.
Network managers also need to be on the lookout for requirements from DevOps teams, as application developers are increasingly including automation and orchestration in their toolkits and development stacks. These are popping up not just in data center networks but also in cloud Infrastructure as a Service environments where tight integration between the IaaS and the (virtual) firewall is critical to managing controls across microsegments.
Boost Identity and Access Management Tools
At first glance, zero trust doesn’t necessarily require significant changes in infrastructure. However, many agencies are considering identity and access management (IAM) systems as a required component for implementing zero trust, and that creates additional stress on some network infrastructure components.
One obvious place is authentication and authorization services. This is because users aren’t being simply authenticated using a central directory — they are also being authorized, and these authorization checks can occur with almost every mouse click.
Network managers have long worked with desktop and server managers to deploy common authentication systems. Now, these authentication and authorization servers may be under much heavier stress than originally anticipated. Authentication and authorization services should have the ability to run nonstop and to scale up to handle additional load when required. This is equally true for the databases, logging subsystems and back-end directories that these services depend on.
Network managers should also be an active part of the team for any IAM initiatives going on with their agency. Because network and security devices have long depended on enterprise directories such as Windows Active Directory and protocols such as RADIUS and LDAP for both authentication and authorization, any changes coming as part of a more comprehensive IAM system must be compatible with existing network and security appliances.
If the entire agency starts to head down an OAuth path with multifactor authentication for IAM, that’s great — as long as the network and security teams have enough notice to upgrade appliances or find workarounds to support these newer protocols.