We’re up to the final post of our Zero Trust series, reviewing the principle of assuming a breach with Zero Trust network segmentation. Our first post looked at least-privileged access, enabling just the right level of access and only at just the right time. Our second post reviewed how logging and monitoring and never trusting a connection heighten your security further by giving you critical insights.
Assuming a Breach Design Philosophy
We’ll first look at what assuming a breach reinforces from the other two principles and then how you can implement Zero Trust network segmentation to further improve your security.
If you build your architecture to assume that a breach has or will happen, then you must also operate by doing your best to mitigate damage from this occurrence. The first step is to control access. Enabling privileged, secure remote access acts as your first barrier.
Our Secure Remote Access Maturity Model reinforces this: a strong SRA implementation limits what a compromised account can see within your environment, such as the endpoints, applications, or files that exist outside of the compromised user’s role.
The follow-up to this defense is to attach logging and monitoring to that access. It isn’t enough to simply control access; you must also know what is being done on your network while it is happening. Then, if a user gains access to your network and begins behaving in a way that signals threat behavior, you will know about it. From there you can terminate the connection and have the forensic data needed to track exactly what happened during that connection. The next step is to layer in network segmentation.
What is Zero Trust Network Segmentation?
If assuming a breach has happened or will happen means assuming that your defenses can fail at any point, then this principle calls for defenses beyond those we reviewed above. That is where Zero Trust network segmentation comes in.
A network without any Zero Trust architecture in it may be totally flat. Once in a corporate network, an attacker can easily move laterally to new systems. A segmented network obstructs this freedom of movement by building security zones and redundancies.
We discussed the ISA/IEC 62443 cybersecurity standards in a previous post. These standards were initially introduced in 2002, after ISA’s ANSI-accredited standards department stood up a committee to develop the ISA/IEC 62443 series of standards for automation and control systems.
That blog covers more than security architecture, but it also dives into how the ISA/IEC 62443 architecture keeps you secure through network segmentation. The architecture revolves around spreading assets into security zones and protecting them in three steps:
- Each security zone is determined by its security level, which is assessed after performing risk analyses for the associated assets.
- The zones are then separated from each other by security boundaries.
- This practice adds layering, or redundancy, to the architecture, so that one security measure can fail without exposing everything behind it.
You’ll need to go through the steps of identifying the endpoints, assets, files and other critical elements of your network so you can decide how to structure your security zones and which access to permit across their boundaries.
Once you have implemented network segmentation, you have not only created those security redundancies in your architecture, but you’ve also added further levels of security through the other two principles of Zero Trust.
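To make the zone-and-boundary structure concrete, here is an added Python model (not code from this post or from the ISA/IEC 62443 standard itself): an asset inventory is split into zones, cross-zone traffic is denied unless an explicit boundary rule permits it, and the set of assets reachable from one compromised host is compared against the same inventory on a flat network. Asset names, zones, security levels and ports are constructed for illustration.

```python
# Added illustration, not code from the post: a toy model of the zones-and-
# boundaries architecture. Assets, levels, zones and ports are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    security_level: int  # target level from the zone's risk analysis (1..4)

@dataclass
class SegmentedNetwork:
    """Zones separated by boundaries: traffic that crosses a boundary is
    denied unless a rule (a 62443 conduit) explicitly allows it."""
    assets: dict = field(default_factory=dict)
    conduits: set = field(default_factory=set)  # (src_zone, dst_zone, port)

    def add(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def allow(self, src_zone: str, dst_zone: str, port: int) -> None:
        self.conduits.add((src_zone, dst_zone, port))

    def reachable(self, src: str, dst: str, port: int) -> bool:
        a, b = self.assets[src], self.assets[dst]
        if a.zone == b.zone:  # no boundary to cross inside one zone
            return True
        return (a.zone, b.zone, port) in self.conduits  # deny by default

    def blast_radius(self, compromised: str, port: int) -> set:
        """Assets a compromised host can still reach on a port, i.e. what
        segmentation leaves exposed and what monitoring should watch."""
        return {n for n in self.assets
                if n != compromised and self.reachable(compromised, n, port)}

def flat_blast_radius(net: SegmentedNetwork, compromised: str) -> set:
    """The same inventory on a flat network: every other asset is reachable."""
    return {n for n in net.assets if n != compromised}

def build_example() -> SegmentedNetwork:
    net = SegmentedNetwork()
    for asset in (Asset("laptop-1", "enterprise", 1), Asset("laptop-2", "enterprise", 1),
                  Asset("historian", "dmz", 2), Asset("hmi-1", "supervisory", 2),
                  Asset("plc-1", "control", 3)):
        net.add(asset)
    # Only explicit conduits cross a boundary; nothing goes straight from
    # the enterprise zone into the supervisory or control zones.
    net.allow("enterprise", "dmz", 443)
    net.allow("dmz", "supervisory", 443)
    net.allow("supervisory", "control", 502)
    return net
```

Comparing `build_example().blast_radius("laptop-1", 443)` with `flat_blast_radius(...)` shows the difference segmentation makes: the compromised laptop can reach its zone peer and the DMZ historian, but not the HMI or the PLC.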
Going Beyond Zero Trust
Now that you’ve read our Zero Trust Principles series, you have a better understanding of design philosophies embodied within each of them and how you can take those elements and add them to your own cybersecurity practices.
If you’ve read our other blogs, then you also know that we think it’s important to strive beyond Zero Trust. Zero Trust should be the foundation on which you build more sophisticated cybersecurity defense measures.
We’ll be going through the security principles that take you beyond Zero Trust next, so stay tuned to our updates page so you know how to plan your next steps in building a better defense.