Zero Trust x segmentation

THE POWER OF TRADITIONAL APPROACH IN A MODERN ERA

TL; DR

  • The rise of Zero Trust overshadows the importance of infrastructure segmentation. However, they act at different layers and serve to reinforce each other
  • It is their complementarity that enables a robust in-depth defense
  • Zero Trust resides at the IAM (Identity & Access Management) layer and controls access at the application workload and endpoint level
  • Segmentation consists in dividing your network in smaller units and establishing filtering rules between so-called segments thereby blocking lateral movement
  • Zero Trust without proper network segmentation is like putting keys on every drawer in the house while leaving doors and windows open: effectiveness remains limited
  • Beyond a structural security of business assets, segmentation brings a strategic lever to respond efficiently (maximizing impact at low costs) to new regulatory requirements (NIS2, DORA…)
  • Last but not least, segmentation is also an answer for legacy & OT aging environments on which Zero Trust is harder to deploy
  • Optistream NetTwin is a global toolbox to manage a robust segmentation at no cost with an interactive IT map, automatic security analysis and a remediation studio with business-driven KPI

Introduction

Perimeter security (or "segmentation") has been the network security standard for many years. It consists of splitting the information system (IS) into physical or logical segments (subnets/VLANs) with filtering rules between them.

Nowadays perimeter security is often seen as old school. With IT systems increasingly integrated with external parties, the traditional image of the medieval castle is obviously outdated. However, the segmentation principles remain fully relevant in this integrated era and come with several upsides.

ZeroTrust segmentation

In addition to simplifying the IS into logical zones that are easy to manage and relatively stable, segmentation is the most efficient way to functionally isolate, at the lowest possible cost, different business units and critical assets from other network segments in case of compromise. This structurally contains potential attacks within isolated areas and prevents lateral movement through your network, hence reducing the risk of a threat actor reaching your most sensitive data within your organization.

We'll show that despite new security paradigms arising from new digital ages (remote work, digital nomadism) and emerging security threats, segmentation remains a critical approach to powerfully secure your networks.

Zero Trust

Recent years have been a period in which digital nomadism and new security threats called for additional security measures, fostering the rise of Zero Trust.

Zero Trust (or ZTNA – Zero Trust Network Access) is an IT security model that challenges the traditional assumption that once users and devices are inside the network, they can be automatically trusted. This model sets the “don't blindly trust” paradigm whereby each resource access is evaluated according to (i) an identity, (ii) a context and (iii) the behavior of users or devices. Trust is granted according to explicit, contextual, granular rules even for entities already connected to the network.

In a world with an increasing share of SaaS solutions, with no access to the underlying architecture, Zero Trust is therefore a highly relevant mechanism.

Furthermore, just like segmentation, Zero Trust also aims to enhance security by limiting the lateral movement of threats inside your network. However, it relies on a higher layer, namely Identity & Access Management (IAM) whereas the former acts on physical and logical levels. Zero Trust reduces the attack surface by ensuring that only authorized users and devices can access the necessary resources, regardless of their location in the network.

Zero Trust = Do not trust Zero Trust

An all-in-one Zero Trust solution that we can blindly trust, and on which the entire IS security can rely alone, doesn't exist.

Indeed, as with any other IT technology, we must consider scenarios where Zero Trust solutions and the IAM layer are compromised. These solutions may introduce vulnerabilities into your IS, or could be badly implemented (e.g. misconfiguration): the human factor still exists. This could be dangerous and give companies a false sense of security.

While IAM undoubtedly plays a fundamental role in Zero Trust, the constant verification of users' identities may prove ineffective in cases of stolen identity. Attackers can circumvent security checks by manipulating contextual information, such as the geolocation of a login attempt, using a spoofed address (e.g. VPN, TOR). Moreover, MFA (Multi-Factor Authentication) – while mandatory – can't prevent all IAM vulnerabilities. Such solutions may be vulnerable to targeted attacks¹, and some protocols or specific accesses might be ineligible for this security lever.

Vulnerabilities aside, Zero Trust reaches full power when managed across the organization at the endpoint and application level, keeping the "unit of trust" at the lowest scale possible. This micro-segmentation comes with a heavy overhead to flawlessly manage all possible combinations (endpoint × employee). It also requires a tremendous level of maturity.

For all these reasons, you must anticipate the case where the IAM layer is compromised by still adopting the perimeter security strategy. As such, a “hybrid” approach prevents these kinds of vulnerabilities from turning into a major security crisis.

1 An example of a Zero Trust solution vulnerability will soon be released by Optistream

Hybrid approach for in-depth defense: unlocking the best of both worlds

Zero Trust and network segmentation are complementary approaches to IT security. While Zero Trust focuses on challenging the implicit trust placed in users and devices, network segmentation physically or logically divides the network into distinct zones to limit the lateral movement of threats on the lower layers (OSI model).

By dividing the network into segments, each can be treated as a relatively autonomous trust enclave. Zero Trust can then be applied to each segment, with specific security policies implementing the necessary access permissions and security controls, based on the identity and context of users and devices.

Firstly, network segmentation is an effective method to limit movement of an attacker trying to access your most critical business assets once inside – whatever its credentials or authority level. Secondly, Zero Trust ensures that the user requesting access is trusted at the application workload level.

“First build your digital fortress, then apply access control on each door”

Figure: Zero Trust pyramid – Segmentation & Zero Trust work together

As with any in-depth security strategy, you can't rely on a single mechanism. The complementarity of both, spanning different layers, is a good answer for in-depth security.

Zero Trust is not intended to replace network segmentation, but to complement it, as seen previously. In this way, NIST[1] encourages a hybrid form of IS: a model halfway between the Zero Trust and perimeter models. Moreover, the French national cybersecurity agency ANSSI warns[2] about the danger of setting aside the network segmentation approach:

“Zero Trust, if interpreted to break with the traditional perimeter model, is likely to increase vulnerabilities.” (ANSSI)

Segmentation: first step to Zero Trust

A well-designed network segmentation is an essential element for a robust Zero Trust strategy, providing secured and robust foundations.

It also helps at reducing cost and complexity. While Zero Trust may appear to require constant monitoring and auditing, network segmentation actually simplifies this task by reducing the scope of what needs to be monitored. By limiting interactions between segments, it is easier to implement and maintain the necessary security controls.

Legacy

When it comes to introducing Zero Trust into an IT environment, it is essential to consider the legacy of the existing infrastructure.

Such systems, which are often complex and interconnected, can represent a major challenge when implementing Zero Trust because of their architecture and potential vulnerabilities. Old generation systems can make Zero Trust even more difficult to implement, particularly by introducing compatibility issues.

One notable example is OT (Operational Technology), where security lags behind by more than a decade. Industrial systems (ICS – Industrial Control Systems), which are sometimes disconnected from the Internet and run on OSes that are now deprecated, are often unable to implement the technologies required for such a transition. In the context of industrial systems, security models exist such as the Purdue model[3], which provides a preliminary approach to functionally decoupling OT environments and helps to set up an appropriate network segmentation.

This strengthens even more the importance of network segmentation, particularly in the context of legacy systems, and argues towards a gradual transition to Zero Trust.

“This transformation must be progressive and controlled to ensure the protection of the data and assets processed and not weaken the historical information system” (ANSSI)

Cloud

While we have seen that Zero Trust fits well with SaaS solutions, IaaS and PaaS are different beasts.

Network segmentation remains as pertinent in cloud computing as it is in on-premises environments, if not more so. In fact, in the cloud, where resources are often dynamic and highly elastic, segmentation strengthens security by limiting access to sensitive resources and reducing the potential attack surface. This should be considered even before applying Zero Trust.

Using AWS as an example, segmentation can take place at different levels: security groups, network access control lists (ACLs), private subnets, services such as AWS Transit Gateway to manage connectivity between VPCs (Virtual Private Clouds). Appropriate network segmentation makes it possible to separate workloads, limit communications between the various components and better control data flows, thereby strengthening security and compliance in the AWS cloud.

Lateral movement inside AWS cloud environment - NetTwin

New regulatory challenges

With regard to security compliance, the combination of Zero Trust and network segmentation can help businesses comply with certain data protection regulatory requirements. By providing a multi-layered approach to security, organizations can better meet compliance standards such as RGPD (GDPR), HIPAA or PCI DSS.

NIS2[4] and DORA[5] are incoming regulations for global IT security and operational resilience. NIS2 concerns the EU and will become mandatory by the end of 2024. The EU-initiated regulation DORA is scheduled to come into force in the EU member states by early 2025 with the objective of enhancing the resilience of the financial sector to IT security risks and incident response.

The implementation of network segmentation can help tremendously in the fulfilment of numerous regulatory requirements. Indeed, taking the example of DORA and its resilience challenges, having full control over your segmentation can help you answer this critical question:

“If a given server falls under the control of a hacker, how can he navigate within the IT and what business damage can he cause?”

Notably, segmentation helps in responding to these new requirements on the following points:

Naturally, the adoption of an additional IAM security layer reinforces the effectiveness of this approach.

Hence, segmentation remains an unavoidable tool for addressing new incoming regulatory requirements and is even more powerful when coupled with Zero Trust.

Optistream: a global toolbox for your infrastructure security

Segmentation is key, but segmenting properly is not that easy.

For this overall goal, Optistream NetTwin solution mainly helps at:

To build an efficient defense of your critical assets, the need to have a proper and up-to-date map of your infrastructure can’t be overstated. Having this holistic view is the pre-requisite for being aware of your weakest points, understanding how one can impact another and targeting remediation where it matters the most.

Studies have shown that IS mapping and asset management solutions are essential to reduce the impact of attacks. For this purpose, NetTwin visually builds your IS "digital twin" by ingesting your device configuration files and CMDB extracts.

Figure: Digital twin (Optistream SCADA OT digital twin)

Not only does NetTwin automatically build your map, it also builds a Digital Twin of your infrastructure underneath: a virtual copy that mimics the behavior of your production environment.

Hence, NetTwin offers a virtual playground where you can assess your segmentation by using our advanced analysis algorithms (e.g. segmentation porosity or in-depth infiltration). This gives you a clear view on different network attack paths a threat actor can leverage to move inside your IS so you can observe how your critical assets (e.g. application, database) can be reached from any point of your network.
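As an added illustration of the kind of analysis described above (and of the DORA question from the regulatory section), the following Python models segments and filtering rules as a directed graph, enumerates the attack paths from a compromised segment to critical assets, and computes a simple porosity ratio. It is not NetTwin's code or algorithm; the segment names, rules and the porosity definition are constructed assumptions.

```python
from collections import deque

# Constructed sample topology (not a real network): five segments, two of which
# hold critical assets, joined by allow rules (src segment, dst segment, port, service).
SEGMENTS = ["office-lan", "dmz", "app", "db", "ot"]
CRITICAL = {"db", "ot"}
RULES = [
    ("office-lan", "dmz", 443, "https"),
    ("office-lan", "app", 3389, "rdp"),  # weak: admin access from every workstation
    ("dmz", "app", 8080, "http"),
    ("app", "db", 5432, "postgres"),
    ("office-lan", "ot", 0, "any"),      # weak: flat IT/OT boundary
]

def adjacency(rules):
    """Directed graph of segments: src -> {dst: [(port, service), ...]}."""
    graph = {seg: {} for seg in SEGMENTS}
    for src, dst, port, svc in rules:
        graph[src].setdefault(dst, []).append((port, svc))
    return graph

def attack_paths(start, rules):
    """BFS from a compromised segment: shortest hop path to every reachable segment."""
    graph = adjacency(rules)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, {}):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def exposed_critical(start, rules):
    """Critical segments an intruder in `start` can reach, with the path taken."""
    paths = attack_paths(start, rules)
    return {s: p for s, p in paths.items() if s in CRITICAL and s != start}

def porosity(rules):
    """Share of directed segment pairs joined by at least one allow rule (0 = fully isolated)."""
    pairs = {(s, d) for s, d, _, _ in rules if s != d}
    return len(pairs) / (len(SEGMENTS) * (len(SEGMENTS) - 1))

if __name__ == "__main__":
    for seg, path in exposed_critical("office-lan", RULES).items():
        print(f"{seg} reachable: {' -> '.join(path)}")
    print(f"porosity before: {porosity(RULES):.2f}")
    hardened = [r for r in RULES if r[3] not in ("rdp", "any")]  # remediation: drop weak rules
    print(exposed_critical("office-lan", hardened), f"porosity after: {porosity(hardened):.2f}")
```

After dropping the two weak rules, the OT segment is no longer reachable and the database is only reachable through the legitimate DMZ → app chain, which is exactly where application-level Zero Trust controls then take over.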

Finding vulnerabilities is good, but fixing them at low cost is better. To do so, NetTwin offers a remediation platform to change your filtering rules "on the fly" and to measure your improvements with business-driven KPIs. To make sure one doesn't break legitimate flows, the studio also provides an automatic check of security policy compliance and business application accessibility.

Last but not least, NetTwin's technology-agnostic network engine makes it possible to work with either on-premises or cloud environments.

As such, NetTwin provides all the levers required to continuously ensure the best level of segmentation without jeopardizing business operations.

Conclusion

We’ve seen that, together, segmentation and Zero Trust strengthen in-depth security by limiting the lateral movements of threats within the network, reducing the overall attack surface.

While the segmentation approach brings you physical network partitioning and blocks network attack paths, Zero Trust applies a granular filtering strategy relying on the identity level.

They both operate at different layers; neglecting either one puts your IS in danger. These two paradigms are not mutually exclusive: they complement each other and push you forward toward new regulatory compliance.

“[Zero Trust] must integrate into an overall defense system without replacing it” (ANSSI)

Links

[1] https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
[2] https://cyber.gouv.fr/en/publications/anssi-views-zero-trust-model
[3] https://www.sans.org/white-papers/36327/
[4] https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333
[5] https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en