What is Zero Trust Networking?

For decades, security policies have basically assumed that if you're connected to the internal network, you are meant to be there and can have access to everything. This is, of course, a ridiculous thought.

With smartphones, BYOD devices, and IoT devices commonplace, we have to rethink how we maintain security in this environment. We can't assume that everyone keeps their devices patched to the latest versions with the latest antivirus signatures downloaded. We have to verify everything and only provide as much access as the user needs to do their job. This is the core of zero trust networking.

Network access control isn't a new thing, but we're taking this to the next level.

We're leveraging 802.1X to perform client authentication and a posture check, while at the same time writing our network policies so that even once you're past the initial authentication, your reach within the network is limited.

Additionally, we're going to leverage Layer 7 packet inspection with Next Generation Firewalls and micro-segmentation with a technology like TrustSec. The goals here are to limit the ability of a compromised machine to talk to a command-and-control server, to move laterally within the network, and to compromise other machines on the network.
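To make the contrast concrete, here is a small added model of the two access decisions (not code from this post or from any vendor product): the legacy check that trusts anything with an internal address, beside a zero trust check that requires a proven identity, a passing posture check, and an explicit segment permission. The device fields, thresholds, roles and segment names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")   # constructed "inside" address range

@dataclass(frozen=True)
class Device:
    ip: str
    identity: Optional[str]       # identity proven via 802.1X; None if unauthenticated
    patch_level: int              # constructed build number reported by a posture agent
    av_sig_age_days: int          # days since antivirus signatures were updated

@dataclass(frozen=True)
class Request:
    device: Device
    destination_segment: str      # constructed segment name, e.g. "erp"

# Legacy model: being on the internal network is the whole check.
def legacy_allows(req: Request) -> bool:
    return ip_address(req.device.ip) in INTERNAL

# Posture thresholds (assumptions for the example).
MIN_PATCH_LEVEL = 120
MAX_SIG_AGE_DAYS = 7

# Least-privilege policy, role -> segments it may reach. Roles and segments are
# constructed; the shape mirrors tag-to-tag permissions in TrustSec-style
# micro-segmentation, where anything not listed is denied.
SEGMENT_POLICY = {
    "employee": {"email", "intranet"},
    "finance": {"email", "intranet", "erp"},
    "printer": set(),
}
ROLE_OF = {"alice": "employee", "bob": "finance", "lobby-printer": "printer"}

def posture_ok(d: Device) -> bool:
    return d.patch_level >= MIN_PATCH_LEVEL and d.av_sig_age_days <= MAX_SIG_AGE_DAYS

def zero_trust_decision(req: Request) -> tuple:
    """Return (allowed, reason). Every request is checked; location proves nothing."""
    d = req.device
    if d.identity is None:
        return False, "unauthenticated"
    if not posture_ok(d):
        return False, "posture-failed"
    role = ROLE_OF.get(d.identity)
    if role is None or req.destination_segment not in SEGMENT_POLICY.get(role, set()):
        return False, "segment-denied"
    return True, "allowed"
```

An unauthenticated, unpatched box plugged into an internal port passes the legacy check and fails the zero trust one; a healthy, authenticated employee still cannot reach a segment its role is not granted.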

Zero trust is a philosophy with which we can develop our networks, not a prescriptive design. Your networks should be designed in such a way that you can verify everything your users do is secure and limit their ability to do harm.

If you're interested in learning more about zero trust from the NGFW standpoint, I recommend reading Palo Alto’s thoughts on the matter and learning more about TrustSec from Cisco.

I’ll be posting next week about Cisco’s Software Defined Access and how you can apply the zero trust model using DNA Center.

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.
