Micro-Segmentation Is Not Zero Trust Alone Or Vice Versa
By Brian Haugli – CEO, SideChannel
Micro-segmentation is not Zero Trust. It is the technology component to realize a Zero Trust strategy. Do not be misled by vendors that an implementation of a micro-segmentation solution equates to have a Zero Trust environment.
What is Zero Trust?
Besides being the latest buzzword, Zero Trust is a concept, not a technology, to be implemented. It is a strategic initiative to create least privilege across all aspects of an organization. It requires the 3 elements of the triad in any program: people, process, and technology. You generally need an inventory of the users in the environment, the applications in place and the supporting infrastructure. Without that inventory, a move towards Zero Trust will be impossible.
What is Micro-segmentation?
The basic requirement is to expressly allow traffic from a source to a destination and deny all other traffic. Micro-segmentation is created by a technology to logically divide a network or access into separate segments. The ideal goal being to contain accesses to only the areas expected. An example would be ensuring that the HR systems are only accessible by HR professionals with a granted appropriate rights and “need to know”. This technique can be used when separating production from development or user groups from each other in flat networks. How it’s enabled, historically, has been through cumbersome VLANs and firewall rulesets.
Frameworks calling for Micro-segmentation
Any reputable cybersecurity program will be built on a recognized standard. Let’s take the NIST Cybersecurity Framework (CSF) v1.1 as the example to highlight where standards and frameworks expect to see micro-segmentation in place. As stated in the introduction, Zero Trust is impossible without an inventory.
NIST CSF calls out the need for inventories in Asset Management (ID.AM) controls; The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. We need to answer the question, “Do we know what we have in our environment that supports our business operations and know their importance?” It’s surprising how many companies do not have this identified, let alone documented or managed well.
NIST CSF goes further in how to protect assets once in an inventory with the Identity Management, Authentication and Access Control (PR.AC) control category; Access to assets is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. Now that an inventory is in place, do we use it to control the access needed for users and applications within the infrastructure?
Specifically, within NIST CSF’s Protective Technology and Access categories, PR.PT-3 calls for the implementation of incorporating least functionality into the configuration of systems providing only essential capabilities. In addition, PR.AC-5 expects that network integrity is protected via segregation or segmentation. This is where micro-segmentation shines on an all-important set of controls.
From the 2021 published book “Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework”.
“Many system components can serve multiple functions, but the principle of least functionality, whereby a device serves a single process (for example, a server can be an email server or a web server but not both combined), can help you better manage authorized privileges to the services the device supports. Moreover, offering multiple services over a single device increases risk… Finally, removing unnecessary ports or protocols can help maximize the least functionality status of your devices.”
An implementation of micro-segmentation reduces the attack surface on environments by removing access to port and protocols that shouldn’t be available.
Threats that exploit lack of micro-segmentation
It’s one thing to build a program based on standards, but we must factor in the threats that are present that the program is built to reduce or stop. Cyber isn’t just addressing the defensive needs or accounting for the offensive threats. Ransomware is prevalent in our society today and an all-too-common news story both locally and nationally. When we look at why it’s so destructive, it’s not the encryption of one system that causes the pain, it is that the impact is across so many systems. This is allowed to happen from flat networks or lack of segmentation between work groups. A properly implemented micro-segmentation technology coupled with a strong managed policy would significantly reduce or even stop ransomware’s lateral movement across an environment.
Where do we go from here?
The first question to answer is whether you have a cyber program built to a standard, such as NIST CSF. Then it’s onto how your organization meeting is each of the applicable controls. As you define your remediations and mitigations, a micro-segmentation solution should make its way into your plan to address identified gaps in controls. These are your first steps in the march towards Zero Trust.
About the Author
Brian Haugli is the CEO at SideChannel. SideChannel is committed to creating top-tier cybersecurity programs for mid-market companies to help them protect their assets. SideChannel employs what it believes to be skilled and experienced talent to harden these companies’ defenses against cybercrime, in its many forms. SideChannel’s team of C-suite level information security officers possess a combined experience of over 400 years in the industry. To date, SideChannel has created more than 50 multi-layered cybersecurity programs for its clients. Learn more at sidechannel.com.
Brian has been driving security programs for two decades and brings a true practitioner’s approach to the industry. He creates a more realistic way to address information security and data protection issues for organizations. He has led programs for the DoD, Pentagon, Intelligence Community, Fortune 500, and many others. Brian is a renowned speaker and expert on NIST guidance, threat intelligence implementations, and strategic organizational initiatives.
Brian can be reached online at (EMAIL, TWITTER, etc..) and at our company website https://sidechannel.com/