Securing your organization’s network infrastructure has become increasingly complex. Statistically, 90% of the data your organization is currently storing was created in just the past two years. That data is being stored primarily on mobile devices and in the cloud. Your data is essential to your company and therefore needs to be protected. 

Add to that, nearly all enterprise devices are mobile; half the time they are off the network. There are more users and more data outside the network than inside it. Today, 85% of all enterprise-level traffic has moved away from static websites and to the cloud. Thus, the traditional network-centric approach to data security is no longer as effective as it once was.

Why is developing a Zero Trust Network the best strategy to protect both your data and your entire network? Here’s why: the traditional network perimeter is dissolving, so it’s imperative that you look at perimeter protection in a brand new way. You need a perimeter that protects both devices and people, no matter where they are.

The Traditional Network Security Approach

In a standard networking topology, you have the four walls of the data center and a single egress/ingress point. This is where all of your data comes into and goes out of your data center. Typically, this is where you would deploy your network middleware appliances: your firewall, layer 4 and layer 7 devices, IDS, IDP, and SIEM systems, all used to filter the traffic coming into and going out of your data center.

The goal here is to create a distinction. Everything on the outside of your network is bad. It has not been vetted and, therefore, cannot be trusted. Anything that has made it through the onslaught of security checks at the front door can be trusted. 

Once inside, all traffic and connection requests are permitted because they have been cleared and deemed ‘trusted.’ The danger is that if hackers make it past the security checks too, they are considered ‘trusted’ as well and can then move about freely.

What About the Other Front Doors?

The problem is that the traditional network security approach assumes that there is a single front door. However, the reality is that there are multiple front doors. Of course, there is an actual ingress/egress point where the primary traffic flows in and out. But there are numerous points of entry, or front doors, which need to be locked at all times.

Hackers understand that there are multiple points of entry, or many front doors. They don’t care which one they pry open. They don’t even care if someone on the inside opens a door for them. Their only concern is getting in. Hackers know that once they get in, they’ll have access to everything.

Friendly Fire

Not all attacks come from the outside, from an unknown enemy. Ironically, most attacks are carried out from the inside. They come from employees, contractors, or subcontractors who have been given permissions and granted access to the network. Through poor judgment, they likely clicked on an email attachment, thereby allowing a hacker to enter the trusted environment of your network.

The Zero Trust Network Model

The Zero Trust Architecture does not automatically assume that systems, devices, or services should be accepted simply because they’re on the inside. With this model, nothing is ever trusted. The assumption is always that a hacker is trying to enter and launch an attack. Zero Trust means anything and everything inside the network that attempts to connect must be verified before access is granted.

Zero Trust requires that an identity be assigned to everything connected to the network. A determination must be made regarding who is allowed to talk to whom on the network, and the rules for this communication must be enforced for all devices. This level of identity goes beyond the capabilities of a firewall because firewalls are limited to IP addresses and ports. A more logic-based service identity is needed.

For example, if two services want to communicate with each other across the network, there must be a mutual TLS connection: both services must present a certificate verifying their identity. But verifying identities is only the first step. Next, there needs to be an authorization process. The question now becomes: are these two services authorized to communicate with each other? In a Zero Trust model, a higher level of checks and balances occurs across the network.
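The two-step exchange just described, mutual TLS first and an authorization decision second, as an added example in Go (this is not code from the original article): a constructed in-memory CA issues certificates to a "billing" service and to its callers; the server refuses any session whose client certificate does not chain to that CA, and only then checks the verified name against a constructed allow-list. The service names, the CA and the policy are assumptions; a caller presenting a self-signed certificate with a valid-looking name never reaches the policy check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed allow-list (step 2): which verified caller identity may talk to the "billing" service.
var allowed = map[string]bool{"orders": true}

// issue mints a certificate for name: a self-signed CA when ca is nil, otherwise a leaf signed by caKey.
func issue(name string, ca *x509.Certificate, caKey interface{}) (*x509.Certificate, tls.Certificate) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	parent, signer := tmpl, interface{}(key) // self-signed unless a CA is given
	if ca != nil { parent, signer = ca, caKey }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	cert, _ := x509.ParseCertificate(der); return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Call connects to "billing" as client over loopback mTLS and reports (identity verified, authorized); rogue=true presents a self-signed certificate carrying the same name, i.e. a forged identity.
func Call(client string, rogue bool) (verified, authorized bool) {
	ca, caTLS := issue("constructed-ca", nil, nil)
	pool := x509.NewCertPool(); pool.AddCert(ca)
	_, srv := issue("billing", ca, caTLS.PrivateKey)
	_, cli := issue(client, ca, caTLS.PrivateKey)
	if rogue { _, cli = issue(client, nil, nil) }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // step 1: only CA-signed client certs get a session
	if err != nil { panic(err) }
	defer ln.Close()
	res := make(chan [2]bool, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil { res <- [2]bool{}; return }
		tc := c.(*tls.Conn); defer tc.Close()
		if tc.Handshake() != nil { res <- [2]bool{}; return } // untrusted issuer, expired, or no cert: identity not verified
		peer := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		res <- [2]bool{true, allowed[peer]} // step 2: policy decision on the verified name, not on IP/port
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "billing", Certificates: []tls.Certificate{cli}})
	if err == nil { defer conn.Close() } // the client verifies the server's certificate the same way
	r := <-res; return r[0], r[1]
}
```

Calling Call("orders", false), Call("reports", false) and Call("orders", true) yields verified-and-authorized, verified-but-denied, and rejected at the handshake respectively.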

Adopting a Zero Trust network is the best defense against the multiple entry points (front doors) to your network. Getting inside the network doesn’t mean anything. It’s similar to a burglar breaking a window, the front door, or the back door of your house, only to find that every single item in your home is locked down and cannot be removed. There would be nothing for them to take. Getting inside your home means nothing.

A Zero Trust network is a highly effective way to secure your network. It doesn’t matter if a hacker is sitting inside the network. Without a certificate verifying their identity, and without authorization, they cannot communicate with other services inside the network.