Use zero trust to fight network technical debt

Adopting a zero-trust approach can be the impetus IT teams need to expose technical debt and make sure all network components are capable of enforcing security controls.


Zero trust (ZT) is a mindset and a method, not a technology. The current push to adopt ZT is driven by an urgent and growing need to make a major leap forward in risk management and attack containment in enterprise networks, a need driven home by every successive wave of ransomware. IT can use the urgency of moving to ZT to root out some of the technical debt in the environment. Specifically, it can be a catalyst to find areas exempted from network and network security standards and bring them up to date under the new paradigm of zero trust.

No more exempting network components from access-control roles

In a ZT environment, the network not only distrusts a node that is new to it, it also distrusts nodes that are already communicating across it. When a node is first seen by a ZT network, the network requires that it pass some form of authentication and authorization check. Does it present a valid certificate proving its identity? Is that identity allowed to connect where the node is connected? Is it running approved software versions and the required defensive tools? The node must clear that hurdle before it is allowed to communicate across the network.

In addition, the ZT network does not assume that a trust relationship is permanent or context-free: once a node is on the network, it must be authenticated and authorized for every network operation it attempts. After all, it may have been compromised between one operation and the next, it may have begun behaving aberrantly and had its authorizations stripped moments earlier, or the user on that machine may have just been fired. A decision made at admission time cannot reflect any of that, so the decision is re-evaluated rather than cached.
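The following is an added example, not code from the article, illustrating the two points above in working form: the admission checks (certificate validity, identity-to-segment mapping, posture) and the fact that the same checks are re-run for every operation, so a change in the node's state between two operations flips the decision. The policy tables, version threshold, hostnames and data classes are all assumptions made for illustration.

```python
"""Added example (not from the article): a per-operation zero-trust policy
decision for one node, showing why an admission-time decision cannot be
cached. All identities, policy tables and thresholds below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False          # set when the identity is offboarded


@dataclass
class Posture:
    os_version: str
    edr_running: bool              # required defensive agent present?


@dataclass
class Node:
    cert: Certificate
    segment: str                   # where the node is currently connected
    posture: Posture
    authorized: bool = True        # can be stripped by an operator at any time


# Constructed policy (assumption): which segments each identity may use,
# and the minimum acceptable OS version for any node.
ALLOWED_SEGMENTS = {
    "laptop-42.corp.example": {"users-lan", "vpn"},
    "printer-7.corp.example": {"printers"},
}
MIN_OS_VERSION = "14.2"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the demo


def version_ok(actual: str, minimum: str) -> bool:
    """Compare dotted version strings numerically, so 14.10 >= 14.2 holds."""
    def as_tuple(v: str) -> tuple:
        return tuple(int(part) for part in v.split("."))
    return as_tuple(actual) >= as_tuple(minimum)


def evaluate(node: Node, now: datetime) -> list:
    """Run every check for a single operation. Returns the list of reasons
    to deny; an empty list means the operation is allowed."""
    reasons = []
    cert = node.cert
    if not (cert.not_before <= now <= cert.not_after):
        reasons.append("certificate outside validity window")
    if cert.revoked:
        reasons.append("certificate revoked")
    if node.segment not in ALLOWED_SEGMENTS.get(cert.subject, set()):
        reasons.append(f"identity not allowed on segment {node.segment}")
    if not version_ok(node.posture.os_version, MIN_OS_VERSION):
        reasons.append("os version below minimum")
    if not node.posture.edr_running:
        reasons.append("defensive agent not running")
    if not node.authorized:
        reasons.append("authorization stripped by administrator")
    return reasons


def attempt(node: Node, operation: str, now: datetime) -> bool:
    """Gate one network operation. Nothing is remembered from earlier calls."""
    reasons = evaluate(node, now)
    verdict = "ALLOW" if not reasons else "DENY: " + "; ".join(reasons)
    print(f"{operation}: {verdict}")
    return not reasons


def sample_laptop() -> Node:
    """A constructed node that passes every check at NOW."""
    return Node(
        cert=Certificate("laptop-42.corp.example",
                         datetime(2024, 1, 1, tzinfo=timezone.utc),
                         datetime(2025, 1, 1, tzinfo=timezone.utc)),
        segment="users-lan",
        posture=Posture(os_version="14.3", edr_running=True),
    )


if __name__ == "__main__":
    laptop = sample_laptop()
    attempt(laptop, "first operation", NOW)    # allowed
    laptop.posture.edr_running = False         # agent killed between operations
    attempt(laptop, "second operation", NOW)   # denied
    laptop.posture.edr_running = True
    laptop.cert.revoked = True                 # user offboarded
    attempt(laptop, "third operation", NOW)    # denied
```

The point of `attempt()` is that it holds no state: the same node that was allowed a moment ago is denied as soon as its posture or identity status changes, which is exactly the property an admission-once model such as plain port authentication lacks.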

This is a radical change in how network professionals have to think about network services. Many network teams have only recently become comfortable with even basic admission control based on 802.1X, and networks are rife with ports, switches, segments and subnets that do not enforce even that basic level of control. In many cases the port or segment has been exempted because the systems connecting through it, or the underlying hardware itself, cannot handle the security protocols; because the people running that part of the network do not see a need for that level of security or do not want to adopt it; or because the administrative overhead of implementing and operating the control is considered too high. Each such exemption is a standing gap that a ZT rollout has to find and close, so the first practical step is an inventory of where admission control is missing or deliberately bypassed.
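As an added example (not from the article), here is a small audit that finds the exempted ports the paragraph describes by reading a switch configuration and listing access ports where 802.1X is either absent or explicitly bypassed. The configuration text is constructed for illustration and uses Cisco IOS-style commands as an assumption; the port-control strings and the decision to skip trunk ports are likewise assumptions to adapt to your platform and policy.

```python
"""Added example (not from the article): audit a switch configuration for
access ports that are exempt from 802.1X admission control.

SAMPLE_CONFIG is constructed for this example. The IOS-style commands
('authentication port-control ...', 'dot1x pae authenticator') are used as
an assumption about the platform's syntax."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user desk 101
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description legacy badge reader - dot1x exempt per ticket
 switchport mode access
!
interface GigabitEthernet1/0/3
 description user desk 103
 switchport mode access
 authentication port-control force-authorized
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
!
"""

# The only setting under which the port actually challenges the supplicant.
ENFORCING = "authentication port-control auto"


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines under that interface]}.
    A '!' line or a blank line ends the current interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def find_exempt_access_ports(config: str) -> dict:
    """Map each non-enforcing access port to the reason it is exempt.

    Trunk ports are skipped here on the assumption that infrastructure links
    are covered by other controls; that is an audit choice, not a rule from
    the article, and a stricter policy would report them too."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        control = [l for l in lines if l.startswith("authentication port-control")]
        if not control:
            findings[name] = "no 802.1X configured"
        elif control[0] != ENFORCING:
            # force-authorized leaves dot1x configured but never challenges.
            findings[name] = f"802.1X bypassed: {control[0]}"
    return findings


if __name__ == "__main__":
    for port, reason in find_exempt_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {reason}")
```

Note that port 1/0/3 is the more dangerous case: it looks configured for 802.1X at a glance, but `force-authorized` means the port never challenges anything plugged into it, so an audit that only greps for `dot1x` would miss it.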
