How to build a zero-trust network in 4 steps
While network teams are responsible for deploying the elements of a zero-trust network, security teams should also be involved in developing the overall zero-trust framework.
Zero-trust frameworks comprise multiple security elements, and one of those elements is the network. It is responsible for creating the physical and logical perimeter that separates the trusted infrastructure from untrusted devices and end users.
Network connectivity includes the LAN, wireless LAN, WAN and all remote access connectivity. The proper procedures, controls and technology must be put in place within each of these network segments to safely manage application and data access.
Let's look at a few ways network and security teams can accomplish zero trust within an enterprise network.
1. Identify users and devices
The first step in building a zero-trust network is to identify who's attempting to connect to the network. Most organizations use one or more types of identity and access management tools to accomplish this goal. Users or autonomous devices must prove who or what they are using authentication methods such as a password or multifactor authentication. For end users, it's important that this process be simple, seamless and uniform, no matter where, when and how they are connecting.
2. Set up access controls and microsegmentation
Once a zero-trust framework successfully identifies a user or device, it must have controls in place to grant application, file and service access to only what is absolutely required. Depending on the technology used, access control can be completely based on user identity, or it can incorporate some form of network segmentation in addition to user and device identification. This is known as microsegmentation, which is used to create highly granular and secure subsets within a network where the user or device can connect and access only the resources and services it needs.
Microsegmentation is great from a security perspective because it significantly reduces negative effects on an infrastructure if a compromise occurs. Next-generation firewalls are the most common technology used to create and control microsegmentations within a corporate network. These firewalls offer network visibility all the way to the application layer of the OSI model, or Layer 7. Teams can therefore build and manage logical access policy around each application that runs over the network.
3. Deploy continuous network monitoring and alerting
Proper monitoring of device behavior is another aspect of a zero-trust network. Once access is granted, teams should deploy tools that continuously monitor a device's behavior on the network. Knowing who or what the user or device is talking to and at what frequency can determine whether things are operating normally or if malicious behavior is occurring. Modern tools, such as network detection and response or AIOps platforms, can assist with network monitoring and threat identification, prioritization and alerting using AI, machine learning, and data analysis.
4. Consider remote access
Remote access is an increasingly important part of any corporate network infrastructure. Legacy remote access VPN connectivity has proven cumbersome and inefficient in an era of cloud/edge computing and remote workforces. Additionally, VPN access controls enabled far too much network access than what enterprises needed, turning remote access into a major security risk over the years.
To remedy this problem, suppliers released new remote access methods and services to bring remote connectivity back in line with a zero-trust methodology. The benefits of these zero-trust and remote access methods include the following:
- improved authentication;
- the ability to microsegment all remote access users;
- increased visibility, monitoring and logging; and
- the ability to centrally control all access both on premises and in the cloud.
While enterprises still require remote access VPNs for secure connectivity, VPNs are drastically changing to meet the changing needs of an organization.
Who should manage a zero-trust network?
When enterprise IT organizations start building zero trust within their infrastructure, the first question they often ask is, "Who should manage the zero-trust network components?" This isn't an easy question to answer because much of the answer has to do with how the IT department is structured and who is more capable of handling certain tasks.
Security teams should develop and maintain the overall zero-trust security posture. That said, network teams should deploy and manage certain parts of the framework, such as network infrastructure tools and services. The network team likely has more experience configuring and managing the network tools that make up the zero-trust network, including network switches, routers, firewalls, remote access VPNs and network monitoring tools. While these roles and tasks may fall into the hands of the network team, it's important that the security team perform regular audits to ensure the network properly adheres to all processes that make up the entire zero-trust framework.