We are closing in on the end of our Zero Trust journey. (For some of you, that cannot happen soon enough!) In this post I return to something that will feel familiar to you: steps to secure your network with Zero Trust principles.
In my last post I talked about securing your infrastructure. Isn’t that the same thing? Not exactly. Today I am focusing more on the network itself: how it is segmented, how it connects to the Internet and whether the traffic on it is encrypted or not. Let’s get started.
Is it Easy to Move Around Your Network?
Remember that one principle of Zero Trust is to presume your network has been breached (or at least, could be breached). In working to secure your network, you will want to think about how you can minimize the damage that could occur in the event of a breach. In other words, you (and here is a trendy geek phrase) want to “minimize the blast radius.” (Side note: cybersecurity would be more fun if it did not rely on all these wartime metaphors.)
Here is a non-wartime analogy to try out.
- Imagine that my network is this office building. The front door is unlocked during business hours. Anyone can get in the elevator and go to any floor, just by pressing the right elevator button. Each office suite has a cheap door lock. If someone makes it past the front door of my building, they can get to any office on any floor.
- Now, let’s look at your office building. The front door is open during business hours, but there is a key card access gate that prevents anyone not working in the building from getting to the elevators. When you get to the elevator, you must tap your key card on the card reader before you can press the button for any floor. When you get to your floor, each office door is locked. You can get in with your key card or by requesting access from the receptionist. If someone gets into the building, they are not going to get very far unless they can prove that they belong there.
Whose building sounds more secure?
Secure Your Network by Segmenting It
Look at your network. Have you segmented the network such that applications and services are separated into different network segments? Is the part of your network where you take donations or conduct ecommerce segmented from the rest of the network? Only select staff need to access your financial or human resources systems. It makes sense to segment your network so that only the appropriate people can access those systems.
Look at each network segment and note the segments that are connected to the Internet. Each of those connections looks a lot like an open door to hackers. Ask yourself what a hacker could reach if they breached your network at that Internet access point, including what they could reach by hopping from that segment into the next one. You can secure your network by putting firewalls between Internet-connected segments and the rest of your network, denying everything by default and allowing only the specific traffic (source, destination and port) that each segment actually needs.
Also, remember that “your network” does not just mean what is on the premises. Any applications or services you have running in a public cloud like AWS or Azure are also running on a network that you must secure, and the same segmentation questions apply there.
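To make the “what could a hacker reach?” question concrete, here is an added example (my own illustration, not code from the original post) that models a small network as segments plus firewall allow rules, then computes the blast radius from each Internet-facing segment. The segment names, rules and the three policies are hypothetical. It shows the flat network of the first office building, a segmented policy with a hole in it, and a policy that actually holds.

```python
"""Reachability check for a segmented network (added example, not from the post).

Segments and firewall rules below are constructed and hypothetical. A rule is
(source, destination, port) and means the source may initiate traffic to the
destination on that port; "any" is a wildcard. Anything not allowed is denied.
"""
from collections import deque

SEGMENTS = {"dmz-web", "donations", "app-api", "staff-lan", "finance", "hr"}
INTERNET_FACING = {"dmz-web", "donations"}   # where a breach is most likely to start
PROTECTED = {"finance", "hr"}                # what we most want to keep out of reach

# Building one: no internal filtering at all.
FLAT_RULES = [("any", "any", "any")]

# Segmented, but with a hole: the web tier may reach the staff LAN,
# and the staff LAN may reach finance and HR.
LEAKY_RULES = [
    ("dmz-web", "staff-lan", 443),
    ("staff-lan", "finance", 443),
    ("staff-lan", "hr", 443),
]

# Segmented properly: the web tier talks only to a dedicated API segment.
SEGMENTED_RULES = [
    ("dmz-web", "app-api", 443),
    ("staff-lan", "app-api", 443),
    ("staff-lan", "finance", 443),
    ("staff-lan", "hr", 443),
]


def next_hops(rules, src):
    """Segments that `src` may initiate traffic to. The port is ignored here
    because the question is whether any path exists, not on which port."""
    hops = set()
    for rule_src, rule_dst, _port in rules:
        if rule_src in ("any", src):
            hops.update(SEGMENTS if rule_dst == "any" else {rule_dst})
    hops.discard(src)
    return hops


def reachable(rules, start):
    """Every segment an attacker who controls `start` can reach, directly or by
    pivoting through intermediate segments (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in next_hops(rules, cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(rules):
    """Reachable set from each Internet-facing segment."""
    return {seg: reachable(rules, seg) for seg in INTERNET_FACING}


def segmentation_violations(rules):
    """Protected segments reachable, directly or transitively, from an
    Internet-facing segment. Empty means the policy holds."""
    violations = {}
    for seg, reach in blast_radius(rules).items():
        hit = reach & PROTECTED
        if hit:
            violations[seg] = sorted(hit)
    return violations


if __name__ == "__main__":
    for name, rules in [("flat", FLAT_RULES), ("leaky", LEAKY_RULES), ("segmented", SEGMENTED_RULES)]:
        print(name, "blast radius:", {k: sorted(v) for k, v in blast_radius(rules).items()})
        print(name, "violations:", segmentation_violations(rules))
```

The point of the “leaky” policy is that no single rule lets the web tier talk to finance, yet finance is still reachable in two hops. Checking transitive reachability, not just the rule list, is what tells you whether your segmentation actually limits the blast radius.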
If you want to dive deeper into network segmentation, here is a place to start.
Filter Out the Threats You Know. Protect Against the Ones You Don’t
Remember that “assume breach” is one of the principles of Zero Trust. What this means as you secure your network is that you must look for threats that have made it into your network. You cannot just think that your job is done once you have segmented your network.
Here you want to deploy web application firewalls and application gateways. These capabilities filter out known threats based on attack signatures (request patterns that match known exploits such as SQL injection or cross-site scripting), known bad IP addresses and the like. This is like the way that antivirus software filters files against a list of virus and malware signatures. Keep in mind that a signature list only catches what is on the list, and payloads that are encoded or slightly altered can slip past a poorly tuned rule set.
More advanced application firewalls (Azure has this. I am guessing AWS and Google Cloud do as well.) can filter out threats based on intelligence that they see across their entire network—every customer and data center, not just yours. I continue to evangelize for security services that take advantage of all the threat intelligence they collect to improve security for each customer. Do you evaluate the security of your business based on who tried to break into it? Or do you talk to all the tenants in your business park about their security experiences?
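Here is an added example (my own illustration, not code from the original post or from any vendor’s product) of the basic idea behind signature and reputation filtering, run over a handful of constructed access-log lines. The IP denylist, the signatures and the log lines are all made up for the demonstration; a real web application firewall ships managed rule sets and reputation feeds far larger than this. It also shows the encoding caveat: the same rules run against the raw, un-decoded request miss two of the three attacks.

```python
"""Known-threat filtering over sample requests (added example, not from the post).

The IP denylist, signatures and log lines are constructed for illustration; a
real WAF ships managed rule sets and reputation feeds far larger than this.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# Hypothetical reputation feed. 203.0.113.0/24 is a documentation range (RFC 5737).
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# A few attack signatures, matched against the URL-decoded request target.
SIGNATURES = {
    "sqli": re.compile(r"(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)", re.I),
    "xss": re.compile(r"<\s*script\b|\bon(load|error|click|mouseover)\s*=", re.I),
    "traversal": re.compile(r"\.\./"),
}

# Constructed access-log lines: client_ip method request_target
SAMPLE_LOG = """\
198.51.100.7 GET /donate?amount=25
203.0.113.9 GET /donate?amount=25
198.51.100.8 GET /search?q=%27+OR+1%3D1--
198.51.100.9 GET /page?name=<script>alert(1)</script>
198.51.100.10 GET /files?path=..%2F..%2Fetc%2Fpasswd
"""


def inspect(client_ip, target, decode=True):
    """Return the name of the rule that would block this request, or None.

    Reputation check first (cheap, no parsing), then signatures. Signatures run
    on the URL-decoded target: matching the raw bytes lets an attacker slip past
    simply by percent-encoding the payload, as the decode=False path shows."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in BAD_NETWORKS):
        return "bad-ip"
    text = unquote_plus(target) if decode else target
    for name, pattern in SIGNATURES.items():
        if pattern.search(text):
            return name
    return None


def filter_log(log_text, decode=True):
    """Apply inspect() to each log line; returns (ip, target, verdict) tuples."""
    results = []
    for line in log_text.splitlines():
        ip, _method, target = line.split(maxsplit=2)
        results.append((ip, target, inspect(ip, target, decode)))
    return results


if __name__ == "__main__":
    for ip, target, verdict in filter_log(SAMPLE_LOG):
        print(f"{verdict or 'allow':10} {ip:15} {target}")
```

Two things worth noticing: the decoded-versus-raw difference is exactly the kind of evasion a managed rule set handles for you (along with double encoding, case games and many other tricks this toy does not), and every signature you write yourself is a potential false positive on legitimate traffic, so a list like this needs tuning against your own logs before it blocks anything.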
Encrypt (At Least) Your Network’s Internal Traffic
Imagine that a hacker has breached your network. They made it past your segmented network and slipped by the threat monitoring. If the traffic they can see is encrypted, they are not going to get much from it. Secure your network by redirecting HTTP traffic to HTTPS (and turning on HSTS so browsers stop making the plaintext request at all), and by using TLS for traffic between your own services, not only at the public edge. Use a VPN or a virtualized desktop arrangement to connect users with applications.
There is more you can do to secure your network (isn’t that always the case?). But if you take these steps you will have made a great start. Hop on it and let me know if you need some advice or assistance.
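The HTTP-to-HTTPS redirect sounds like a one-liner, but it has a couple of sharp edges. Here is an added example (my own illustration, not code from the original post) of the decision a web server or front-end proxy makes for each request, written as a plain function so it can be read and tested without a server. The hostnames are hypothetical. It covers the two mistakes I see most: building the redirect from whatever Host header the client sent (which turns it into an open redirect), and believing an X-Forwarded-Proto header from anyone other than your own TLS-terminating proxy (which lets a client skip the redirect just by claiming it is already on HTTPS).

```python
"""HTTP-to-HTTPS redirect with HSTS (added example, not from the post).

Hostnames are hypothetical. `handle` stands in for the part of a web server or
front-end proxy that decides how to answer a request; it returns the status
code and response headers rather than sending anything on a socket."""

ALLOWED_HOSTS = {"donate.example.org", "www.example.org"}
HSTS_HEADER = "max-age=31536000; includeSubDomains"   # one year, all subdomains


def handle(scheme, headers, target, from_trusted_proxy=False):
    """Decide the response for one request.

    scheme  -- "http" or "https", as seen on our own listener
    headers -- request headers (dict); Host and X-Forwarded-Proto are used
    target  -- request target, normally origin-form such as "/donate?amount=25"
    from_trusted_proxy -- True only when the hop in front of us is our own
               TLS-terminating proxy, so X-Forwarded-Proto can be believed
    """
    # Build the redirect from a host we own, never from whatever Host the client sent:
    # reflecting an attacker-chosen Host turns the redirect into an open redirect.
    host = headers.get("Host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return 400, {}

    if from_trusted_proxy:
        # Proxies may append to an existing header; the first value is the client's hop.
        scheme = headers.get("X-Forwarded-Proto", scheme).split(",")[0].strip().lower()

    if scheme != "https":
        # Only origin-form targets are carried over; anything else (absolute-form,
        # authority-form) goes to the site root rather than into the Location header.
        if not target.startswith("/"):
            target = "/"
        return 301, {"Location": f"https://{host}{target}"}

    # Already on TLS: tell browsers to stop making plaintext requests at all.
    return 200, {"Strict-Transport-Security": HSTS_HEADER}


if __name__ == "__main__":
    print(handle("http", {"Host": "donate.example.org"}, "/donate?amount=25"))
    print(handle("https", {"Host": "donate.example.org"}, "/donate?amount=25"))
    print(handle("http", {"Host": "evil.example.net"}, "/"))
```

Note that the HSTS header is only sent on the HTTPS response: browsers ignore it over plaintext, so sending it on the redirect accomplishes nothing. Start with a short max-age while you confirm every subdomain really serves TLS, then raise it.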