Zero Trust in Practice
Never Trust... Always Verify... Now What?
If you've been anywhere near cybersecurity in the last few months, you've probably heard the phrase "never trust, always verify" a few times – it's the core tenet of the Zero Trust movement. The concept sounds straightforward enough, but it's much more of a guiding philosophy than a specification for implementation.
And as with many things in life, the devil is in the details. For example, many vendors promote identity management as the answer to Zero Trust. This approach may address the "always verify" clause (for users, anyway), but is silent on the "never trust" part.
So how do you implement a policy to "never trust, always verify?"
"Never Trust" = Blocking
Traditional enterprise networks are built as a "shared fabric" for all of the hosts in the enterprise to use (and the applications running on them). That is, the entire corporate network, or at least large parts of it, is treated as one big flat network.
This shared fabric concept means that the entire network is implicitly trusted. Once on the network, you can get to any other machine that's also connected to the network.
Distrusting the network means that a machine needs to treat any traffic coming off that network as though it were compromised. In other words, the machine needs to "cloak" itself by blocking all traffic coming off the shared network. This blocking function, inserting a security service at the point of load, is also commonly known as micro-segmentation.
"Always Verify" = Connecting
A server that is perpetually cloaked from the network is not very useful; the server needs to have some way to interact with other users and machines. The "always verify" clause allows us to establish access, once the identity and security posture of the other host has been verified.
Clearly, there must be some kind of policy mechanism that allows an administrator to define who can access a server, using what access method – or, as Gartner has defined it, Zero Trust Network Access (ZTNA).
Zero Trust = CoIP Access Platform
As we have seen, the core philosophy of Zero Trust can be reduced to the combination of micro-segmentation and ZTNA. CoIP Access Platform performs both functions, cloaking critical assets and servers and then reconnecting them, creating application segmentation with whitelisted controls over which users and machines can communicate with each other.
While other security solutions exist to block via host-based firewalls, CoIP Access Platform's unique overlay approach dramatically streamlines connecting identities and allowed applications. It's not enough to open a host-based firewall port in response to identity authentication; all network firewalls along the path need to be programmed to allow that flow. CoIP Access Platform's Zero Touch overlay approach decouples the policy from the network infrastructure, enabling seamless end-to-end Zero Trust without having to integrate with the existing network and security infrastructure.
In practice, CoIP Access Platform's combination of micro-segmentation and ZTNA makes it simple to cloak critical applications, such as backend database servers, to protect sensitive data from malicious activity while still providing normal application access, whitelisted from the web and application tiers, as well as privileged user access for database administrators.
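A minimal default-deny policy evaluator for the cloaked database tier described above, added here as an illustration and not code from CoIP Access Platform; the Peer, Rule and CloakedHost types, the port numbers and the posture/MFA fields are assumptions made for the example:

```python
from dataclasses import dataclass, field

# Constructed example: a "cloaked" host that drops everything from the shared
# network unless a whitelist rule explicitly allows the verified peer.
# Types, fields and ports are illustrative assumptions, not any product's API.

@dataclass(frozen=True)
class Peer:
    identity: str          # verified identity of the connecting user or machine
    tier: str              # e.g. "web", "app", "dba"
    posture_ok: bool       # endpoint security posture check passed
    mfa: bool = False      # strong authentication completed (for privileged access)

@dataclass(frozen=True)
class Rule:
    tier: str              # which tier the rule applies to
    port: int              # destination port permitted for that tier
    require_mfa: bool = False

@dataclass
class CloakedHost:
    """A host that blocks all traffic unless a whitelist rule allows it."""
    name: str
    rules: list = field(default_factory=list)

    def allow(self, peer, port):
        """Return (decision, reason). No matching rule means deny."""
        # "Never trust": arriving from the corporate network proves nothing,
        # so the peer's posture is checked before any rule is consulted.
        if not peer.posture_ok:
            return False, "posture check failed"
        # "Always verify": only an explicit identity/tier-to-port rule opens access.
        for rule in self.rules:
            if rule.tier == peer.tier and rule.port == port:
                if rule.require_mfa and not peer.mfa:
                    return False, "privileged access requires MFA"
                return True, f"whitelisted {peer.tier} -> {self.name}:{port}"
        return False, "no whitelist rule (default deny)"

# Policy for the database tier: the app tier may reach the SQL port, DBAs may
# reach SSH with MFA, and everything else on the flat network is blocked.
DB_HOST = CloakedHost("db01", [Rule("app", 5432), Rule("dba", 22, require_mfa=True)])

if __name__ == "__main__":
    for peer, port in [(Peer("app-server-1", "app", True), 5432),
                       (Peer("web-proxy", "web", True), 5432),
                       (Peer("alice", "dba", True, mfa=False), 22),
                       (Peer("alice", "dba", True, mfa=True), 22)]:
        print(peer.identity, port, DB_HOST.allow(peer, port))
```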
For more Zero Trust information, read our Zero Trust, Explained resource.