Putting Zero Trust 2.0 into Practice in Five Steps [Part 3: Networks]

Author
Reinhold Zurfluh
Published
14. March 2024

The concept of Zero Trust plays a crucial part in increasing cyber security in today’s distributed working environments at the same time as minimizing internal and external risks. It strengthens cyber security by strictly controlling network access and authenticating every user and every device on every access attempt. The network is not just a transmission path, but a key pillar in the security architecture that is continuously monitored, validated and protected. We want to take a closer look at this in the third part of our blog series.

In our five-part blog series, we’ll show you specific approaches for the practical implementation of Zero Trust 2.0 based on the five pillars of “Identity”, “Devices”, “Networks”, “Applications & Workloads” and “Data”. Did you miss the last part? Here you will find our tips for securing your identities!

Network security minimises cyber risks

In the ever-evolving world of cyber security, protecting the network is of paramount importance in the digital realm. The third pillar of Zero Trust 2.0 – network security – serves as a fortress that surrounds and protects your network by:

  • Preventing insider threats
    In contrast to traditional security concepts, which often only protect the edge of the network, zero trust recognises that threats can also arise internally. Every access is treated as potentially “dangerous” – which accordingly protects against insider threats.
  • Minimizing attack surfaces
    The principle of “never trust, always verify” minimises the attack surfaces within the network. Every access attempt is verified to minimise the risk of undetected intruders.
  • Protecting sensitive data
    As access to resources is strictly controlled, the risk of sensitive data falling into the wrong hands is reduced.
  • Supporting modern working environments
    Zero Trust supports modern, distributed working environments including cloud services and remote working. It offers a consistent approach to security regardless of the location of users and resources.
  • Defending against advanced threats
    As traditional security measures are often not sufficient to protect against advanced threats such as APTs (advanced persistent threats), Zero Trust offers better protection through its constant monitoring and access control.
So there are good reasons to take a closer look at the network from a Zero Trust perspective.

Network security as a fortified wall in Zero Trust 2.0

In this section, we examine the key elements of this pillar and present concrete measures and approaches that you can use to raise your network security to an advanced level while utilizing the potential of existing technologies. To strengthen this pillar, companies should:

  1. Segment the network to isolate critical resources from less critical ones.
  2. Design the network architecture around distributed ingress/egress microperimeters and microsegmentation based on application profiles with dynamic “just-in-time” and “just-enough” connectivity.
  3. Use microsegmentation to create fine-grained access controls within the network.
  4. Use network access control (NAC) to ensure that only trusted devices can access the network. We have already covered this aspect in detail in the first article on “Device security”. You can read it again here if you missed it.
  5. Implement software-defined perimeters (SDP) to hide resources from unauthorised users.
  6. Encrypt applicable internal and external traffic protocols, manage the issue and rotation of keys and certificates and integrate best practices for crypto-agility.

The art of network segmentation

The cornerstone of network security is the microsegmentation of the network. Traditional perimeter protection measures have proven to be insufficient in today’s threat landscape. By microsegmenting your network, you divide it into isolated zones, each with its own security controls. This approach restricts the lateral movement of potential attackers and prevents threats from spreading across your network. To achieve an advanced level of network security, organisations should carefully plan and implement network segmentation strategies.

Microsegmentation for precise control

To further strengthen the defences of your network, you should consider implementing microsegmentation. Microsegmentation is a technique that divides network segments into even smaller, more granular zones. Microsegmentation enables companies to apply highly specific access controls that only allow authorised users or processes to communicate with certain resources. This precise control minimises the attack surface and makes it much more difficult for attackers to move around your network unnoticed.

The capability of software-defined perimeters

The increasing prevalence of cloud services and remote workstations in companies has seen an expansion in conventional network perimeters, making it more difficult for stable security to be maintained. Software-defined perimeters (SDP) offer an effective solution. SDP creates a Zero Trust approach to network security by completely hiding resources from unauthorised users. This is done by authenticating and authorizing users before granting access, regardless of their location. SDP ensures that only trusted people or devices can access your network and resources, making it an essential part of enhanced network security.

Our tips on how you can implement software-defined perimeters in practice

The implementation of software-defined perimeters (SDP), i.e. Zero Trust network access (ZTNA), is critical to ensuring a secure environment and limiting data traffic to the necessary minimum. Practical implementation requires a detailed configuration of identity, application and device classification. Specific measures for implementing these aspects are described below.

1. Identity management

  • Use a centralised identity management system such as Active Directory (AD) or LDAP to manage user identities.
  • Implement multi-factor authentication (MFA) to increase the security of user logins.
  • Integrate identity providers (IdPs) for external users to ensure standardised access controls.

2. Application recognition

  • Use an application delivery controller (ADC) to analyse the data traffic at application level.
  • Use deep packet inspection (DPI) for precise identification of the applications used.
  • Define guidelines for access based on the recognised applications.

3. Device classification

  • Implement network access control (NAC) to classify end devices based on their security status.
  • Use end-point detection and response (EDR) to classify end devices based on their security status.
  • Integrate mobile device management (MDM) for continuous monitoring and analysis of end devices.

4. Combination of criteria in practice

  • Example: Only employees from the “Employees” group are authorised to access the internal data storage server via SMBv3. “Administrators” can also access the server via the Remote Desktop Protocol (RDP) in addition to SMBv3, but this additional access is restricted to TCP port 3389; no other applications are permitted.
  • Implement next-generation firewalls to monitor traffic for vulnerabilities, threats and viruses.
  • Define access policies based on a combination of user identity, device classification and recognised applications.

5. Security checks

  • Integrate regular security checks to identify vulnerabilities in the network.
  • Implement intrusion detection systems (IDS) and intrusion prevention systems (IPS) for real-time monitoring and protection against attacks.

6. Monitoring and reporting

  • Set up a comprehensive monitoring system to monitor network traffic and access in real time.
  • Create detailed reports on access activities and security events.

By integrating these measures, you can implement an effective ZTNA approach that ensures that only authorised users with trusted devices can access the applications they need.
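As an added illustration (not code from the article or from InfoGuard), the following Python snippet encodes the combined identity, device-classification and application criteria from step 4 as a default-deny policy decision. The group names, host name, posture values and the `POLICY` rules are assumptions built around the article's own example; the DPI-recognised application is matched separately from the port so that non-RDP traffic on TCP 3389 is still denied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group membership from the central identity store (AD/LDAP)
    device_posture: str      # "compliant" / "non_compliant" / "unknown" from NAC, EDR or MDM
    application: str         # application as recognised by DPI, e.g. "smbv3" or "rdp"
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    application: str
    dst_host: str
    dst_port: int


# Hypothetical policy encoding the article's example: Employees get SMBv3 to the
# file server, Administrators additionally get RDP on TCP 3389, nothing else.
POLICY = (
    Rule("employees-smbv3", "Employees", "smbv3", "fileserver", 445),
    Rule("admins-smbv3", "Administrators", "smbv3", "fileserver", 445),
    Rule("admins-rdp", "Administrators", "rdp", "fileserver", 3389),
)


def evaluate(req: Request, policy=POLICY) -> tuple:
    """Return ("allow", rule_name) or ("deny", reason); anything unmatched is denied."""
    # Device classification is checked first: an untrusted device never reaches a rule.
    if req.device_posture != "compliant":
        return ("deny", f"device-posture:{req.device_posture}")
    for rule in policy:
        if (rule.group in req.groups
                and rule.application == req.application  # DPI result, not only the port
                and rule.dst_host == req.dst_host
                and rule.dst_port == req.dst_port):
            return ("allow", rule.name)
    return ("deny", "default-deny")


# Constructed sample requests (not real traffic) covering the allow and deny cases.
SAMPLES = {
    "employee-smb": Request("alice", frozenset({"Employees"}), "compliant", "smbv3", "fileserver", 445),
    "employee-rdp": Request("alice", frozenset({"Employees"}), "compliant", "rdp", "fileserver", 3389),
    "admin-rdp": Request("bob", frozenset({"Employees", "Administrators"}), "compliant", "rdp", "fileserver", 3389),
    "admin-tunnel-3389": Request("bob", frozenset({"Administrators"}), "compliant", "ssh", "fileserver", 3389),
    "admin-unmanaged": Request("bob", frozenset({"Administrators"}), "unknown", "smbv3", "fileserver", 445),
}


def decisions() -> dict:
    """Map each sample name to its allow/deny decision."""
    return {name: evaluate(req)[0] for name, req in SAMPLES.items()}
```

Running `decisions()` shows that an administrator on an unmanaged device is denied even for SMBv3, and that a non-RDP application on port 3389 does not match the RDP rule.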

Would you like to know your state of Zero Trust readiness?

The InfoGuard “Zero Trust Readiness Assessment” is precisely the right starting point for identifying the risks and any weaknesses in the current zero trust strategy and its implementation! Among other things, we’ll show you which good practices have not yet been sufficiently defined or implemented in your Zero Trust strategy. Discrepancies are assessed in terms of their risk-criticality. Prioritised recommendations for action are developed on this basis and presented in the form of a solution path. Interested? Then let’s have a no-obligation chat.


Zero Trust – the next step is “data security”…

To summarise, comprehensive network security strengthens the secure boundaries of your digital realm. By segmenting the network, introducing microsegmentation for precise control, implementing software-defined perimeters and maintaining a proactive approach to vulnerability assessment and patch management, organisations can secure their network perimeter to a high level.

In the next and fourth part of our blog series, we’ll take an in-depth look at data security and highlight the specific measures and approaches for protecting your company’s most important asset – your data. Something to look forward to!

Would you like to deepen your insight?

Our blog series "Zero Trust 2.0 - Implemented in 5 steps" gives you a complete 360° perspective:

Part 1: Device security
Part 2: Identity management
Part 3: Network security
Part 4: Data security
Part 5: Analytics and automation

We wish you an inspiring read.
