NSA's Zero-Trust Guidelines Focus on Segmentation


Zero-trust architectures are essential protective measures for the modern enterprise. The latest NSA guidance provides detailed recommendations on how to implement the networking angle of the concept.
March 8, 2024
The US National Security Agency (NSA) delivered its guidelines for zero-trust network security this week, offering a more concrete roadmap towards zero-trust adoption. It's an important effort to try to bridge the gap between desire for and implementation of the concept.
As businesses shift more workloads to the cloud, zero trust computing strategies have moved from a buzzy hype phase to enjoying the status of an essential security approach. But even so, the notion of "untrusted until verified" is still slow to catch on in the real world (although in some areas, such as in the United Arab Emirates, zero trust adoption is accelerating).
John Kindervag, who was the first to define the "zero trust" term back in 2010 when he was an analyst at Forrester Research, welcomed the NSA's move, noting that "very few organizations have understood the importance of network security controls in building zero-trust environments, and this document goes a long way toward helping organizations understand their value."
Further, "it will greatly help various organizations worldwide more easily understand the value of network security controls and make zero-trust environments easier to build and operationalize," says Kindervag, who last year joined Illumio as its chief evangelist, where he continues to promote the zero-trust concept.
The NSA document contains loads of recommendations on zero trust best practices, including, foundationally, segmenting network traffic to block adversaries from moving around a network and gaining access to critical systems.
The concept isn't new: IT departments have been segmenting their corporate network infrastructure for decades, and Kindervag has been advocating for network segmentation since his original Forrester report, where he said that "all future networks need to be segmented by default."
However, as Carlos Rivera and Heath Mullins from Forrester Research said in their own report from last fall, "no single solution can provide all capabilities needed for an effective zero trust architecture. Gone are the days when enterprises lived and operated within the confines of a traditional perimeter-based network defense."
In the cloud era, zero trust is far more complex to achieve than it once was. Perhaps that is why fewer than a third of the respondents to Akamai's 2023 State of Segmentation report, published last fall, had segmented across more than two critical business areas in the past year.
To ease some of the pain, the NSA walks through how network segmentation controls can be accomplished through a series of steps, including mapping and understanding data flows, and implementing software-defined networking (SDN). Each step will take considerable time and effort to understand what parts of a business network are at risk and how to best protect them.
"The important thing to keep in mind with zero trust is that it's a journey and something that must be implemented using a methodical approach," cautions Garrett Weber, the field CTO of the Enterprise Security Group at Akamai.
Weber also notes that there has been a shift in segmentation strategies. "Up until recently, deploying segmentation was too difficult to do with hardware alone," he says. "Now with the shift to software-based segmentation we're seeing organizations be able to achieve their segmentation goals much easier and more efficiently."
The NSA document also differentiates between macro- and micro-network segmentation. The former controls traffic moving between departments or workgroups, so an IT worker doesn't have access to human resources servers and data, for example.
Micro-segmentation separates traffic further, so that not all employees have the same data access rights unless explicitly required. "This involves isolating users, applications, or workflows into individual network segments to further reduce the attack surface and limit the impact should a breach occur," according to the Akamai report.
Security managers "should take steps to use micro-segmentation to focus on their applications, to ensure that attackers can't bypass controls by subverting single sign on access, using side loaded accounts, or finding ways to expose data to external users," says Brian Soby, the CTO and co-founder at AppOmni.
This helps define security controls by what is needed for each particular workflow, as Akamai's report lays out. "Segmentation is good, but micro-segmentation is better," the authors stated.
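To make the macro/micro distinction concrete, here is a small default-deny policy checker written for this page (example code, not from the NSA guidance, Akamai or Illumio). It classifies constructed flow records by whether they cross a department zone, cross a workflow segment inside a zone, or merely use an unlisted port; every workload name, zone and rule below is hypothetical.

```python
# Added example, not from the NSA guidance or the article; names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    zone: str     # macro-segment: department or workgroup network
    segment: str  # micro-segment: application or workflow

# Constructed inventory: two macro zones, each split into micro-segments.
INVENTORY = {
    "it-admin-01": Workload("it-admin-01", "it", "it-ops"),
    "it-monitor-01": Workload("it-monitor-01", "it", "monitoring"),
    "hr-app-01": Workload("hr-app-01", "hr", "hr-app"),
    "hr-db-01": Workload("hr-db-01", "hr", "hr-db"),
}

# Explicit allow list: (src micro-segment, dst micro-segment, dst port).
# Anything not listed is denied, even inside the same macro zone.
ALLOW_RULES = {
    ("hr-app", "hr-db", 5432),      # HR app tier may reach its database
    ("monitoring", "hr-app", 443),  # IT monitoring may check HR app health
}

def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny:<reason>' for one observed flow."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return "deny:unknown-workload"   # untrusted until inventoried
    if (s.segment, d.segment, port) in ALLOW_RULES:
        return "allow"
    if s.zone != d.zone:
        return "deny:macro-boundary"     # crossing department zones
    if s.segment != d.segment:
        return "deny:micro-boundary"     # same zone, different workflow
    return "deny:unlisted-port"          # same workflow, port not allowed

def find_violations(flows):
    """Return the flows, with the deny reason, that the policy rejects."""
    return [(src, dst, port, v) for src, dst, port in flows
            if (v := evaluate(src, dst, port)) != "allow"]

# Constructed flow records: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("hr-app-01", "hr-db-01", 5432),    # expected application traffic
    ("it-admin-01", "hr-db-01", 5432),  # IT workstation reaching HR data
    ("hr-app-01", "hr-db-01", 22),      # unlisted port between HR tiers
    ("laptop-77", "hr-app-01", 443),    # device missing from inventory
]
```

Running `find_violations(SAMPLE_FLOWS)` over the constructed records flags the last three flows, each with a different deny reason, which is the kind of signal a micro-segmentation rollout uses to find traffic that a macro policy alone would have waved through.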
It may be a complex endeavor, but the juice is worth the squeeze: In Akamai's report, researchers found that "perseverance pays off. Segmentation proved to have a transformative effect on defense for those who had segmented most of their critical assets, enabling them to mitigate and contain ransomware 11 hours faster than those with only one asset segmented."
Kindervag is still advocating for zero trust. Part of its attraction and longevity is because it is a simple concept to grasp: people and endpoints don't get access to services, apps, data, clouds, or files unless they prove they are authorized to do so — and even then, access is only granted for the length of time it's needed.
"Trust is a human emotion," he said. "People didn't understand it when I first proposed it, but it is all about managing danger, rather than risk and plugging holes in your security."
David Strom
Contributing Writer
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 35 years. He was the editor-in-chief of Network Computing print, Digital Landing.com, and Tom's Hardware.com. He has written two computer networking books and appeared on a number of TV and radio shows explaining technology concepts and trends. He regularly blogs at https://blog.strom.com, and is president of David Strom Inc.