AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Filter by Custom Post Type
Posts

Five Practical Steps to Implementing a Zero-Trust Network

by

Professor Avishai Wool, Co-founder and CTO at AlgoSec discusses the five practical steps that organizations can take to implement a Zero-Trust Network Policy 

While the concept of Zero Trust was created 10 years ago, the events of 2020 have thrust it to the top of enterprise security agendas. The COVID-19 pandemic has driven mass remote working, which means that organizations’ traditional perimeter-based security models have been broken up, in many cases literally overnight.  In this new normal of remote working, an organization’s network is no longer a single thing in one location: it is everywhere, all of the time. Even if we look at organizations that use a single data center located in one place, this data center is accessed by multiple users on multiple devices. 

With the sprawling, dynamic nature of today’s networks, if you don’t adopt a Zero-Trust approach, then a breach in one part of the network could quickly cripple your organization as malware, and especially ransomware, makes it way unhindered throughout the network. We have seen multiple examples of ransomware attacks in recent years: organizations  spanning all sectors, from hospitals, to local government and major corporations, have all suffered large-scale outages. Put simply, few could argue that a purely perimeter-based security model makes sense anymore.  

Five Practical Steps to Zero-Trust Networking 

These five steps represent the most logical way to achieve Zero-Trust networking, by finding out what data is of value, where that data is going and how it is being used: 

  1. Identifying and segmenting data – The foundation of Zero Trust is visibility, because you cannot protect what you cannot see. Once you have identified the data you want to protect, you can define your segments by identifying and grouping together servers that support the same business intent. 
  2. Mapping the traffic flows of your sensitive data – Once you have identified your sensitive data, the next step is knowing where the data is going, what it is being used for and what it is doing. Automated discovery tools can help you to understand the intent of the network flows carrying your data. Once you have that, you can then get to the Zero-Trust part of saying “and everything else will not be allowed.” 
  3. Architecting the network – Once you know what flows should be allowed you can move onto designing a network architecture, and a filtering policy that enforces your network’s micro-perimeters. After going through the discovery process, you are able to understand the intent of the flows, place boundaries between the different zones and segments, and write the filtering policies that ensure all legitimate business traffic is allowed – and nothing else 
  4. Monitoring – With the microsegments and policies deployed, it is essential to monitor all aspects of the network to ensure continuous compliance and understand intent before making the big switch from a default ‘allow’ policy to a default ‘deny,’ or organizational ‘D-Day.’ 
  5. Automate and orchestrate – Finally, the only way you will ever get to D-day is with the help of a policy engine, the central ‘brain’ behind your whole network policy. Without this, you have to do everything manually across the entire infrastructure every time there is a need for a change. Your policy engine, enabled by automation orchestration, is able to compare any change request against what you have defined as your legitimate business connectivity requirements. Only requests that fall outside the guidelines of acceptable use need to be reviewed and approved by human experts. 

Focus on business outcomes, rather than security outcomes 

Removing the complexity of security enables real business outcomes, since processes become faster and more flexible without compromising security or compliance. Using the steps I’ve outlined to automate Zero Trust practices means that the end-to-end time from making a change request to deployment and enforcement goes down to one day, or even a few hours – without introducing risk.   

The AlgoSec Security Management Solution allows security teams to eliminate time-consuming, error-prone manual security processes, such as connectivity mapping, migrating, and ongoing maintenance of their environments. Our smart and easy network mapping tool takes away the hardship of getting automation up and running. This frees up teams to strategically maximize the benefits of the SDN deployment and reap its rewards of increased flexibility and enhanced network security.  

Get in touch for more information on how AlgoSec can help make Zero-Trust networking a reality. 

Subscribe to Blog

Receive notifications of new posts by email.