How do you apply a zero-trust security policy to UC?

Authentication and authorization

As it stands today, a zero-trust security policy focuses on user identity, authentication, device posturing and granular access control of users and devices attempting to reach corporate applications and services. In many cases, multifactor authentication (MFA), combined with single sign-on (SSO), has become the de-facto access management standard because it beefs up security without creating login fatigue for users.

With zero trust, once a successful authentication is complete, users and devices have access to only those applications and services explicitly permitted. SSO's centralized access control gives IT teams the ability to manage access policies across all UC services.

From a UC user access perspective, authentication, device posture checks, encryption and detailed logging are applied across the board for all users, regardless of whether they are working remotely or directly on the corporate LAN. This protection covers not just the LAN, but workload communications inside data centers and clouds as well.

Protecting communications across users, devices, apps and workloads

Keep in mind that zero trust is typically implemented on a corporate network for all critical business applications, data and services within an enterprise -- including UC. On the LAN, lateral movement is restricted through traditional network segmentation via virtual LANs (VLANs) and access control lists on routers and switches. Microsegmentation, another tactic, is challenging because the ongoing management of intricate ACLs across numerous devices can become cumbersome, even with available tools.

A more modern approach to preventing lateral movement within the LAN that better safeguards UC and other services involves replacing traditional VLANs -- and their security limitations tied to broadcast domains -- with a LAN that operates entirely at Layer 3.

Doing so ensures that devices cannot communicate laterally without their traffic first being routed through a firewall. It centralizes lateral movement access control, with the firewall serving as the primary enforcer of access control policies.

A number of security functions must also occur on the back end to secure workflows within data centers and clouds. VM security policies, for example, can be created through hypervisor-based micro-segmentation. This enables microsegments to be created without the need for physical network changes. Public cloud service providers also offer their own native segmentation capabilities to deliver zero-trust microsegmentation across cloud environments.

Finally, workload-based microsegmentation policies can isolate services within a cloud or data center to prevent unauthorized access or lateral movement threats.

Blocking the flow

Administrators seeking to fortify their UC environment with a zero-trust security policy should take the same approach they do when securing any critical business service. The key is to examine the complete communications flow between users and services as well as workload flows between UC application servers residing in data centers or the cloud.

Editor's note: This article was updated in December 2024 to expand information and improve the reader experience.

Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.