The terms network segmentation and Zero Trust are used more and more and have turned into real buzzwords. We are asked more and more often whether or not we can segment the network. What is actually being asked is, can we help set up a Zero Trust environment. Both terms have the right to exist and have enough to offer in the field of security.
Below I will explain what both terms mean and why they are not the same.
Zero Trust is a strategy and a great tool to shape your security. It connects ‘which data (read: crown jewels) do I have’ to ‘which policy (like laws and regulations) do I want to or must I apply to this’. This way, the creation and execution of policy becomes more manageable.
Zero Trust is based on determining microsegments (previously known as MCAPs). Each microsegment is based on a certain type of data, logically accompanied by an appropriate policy. The policy doesn’t limit itself to firewall rules, which is another assumption in the context of micro segmentation, but also describes, for example, that data should be stored encrypted, or that endpoint protection is required.
As a result, the Zero Trust Risk Map – the description of the segments and the policy, largely based on BIV – otherwise known as CIA – score – forms an abstraction of the actual structure. Zero Trust is not only applied in environments where a firewall is available, but is much more widely applicable. Consider, for instance, cloud environments, and namely SaaS solutions.
Once the Zero Trust Risk Map has been drawn up, how the implementation should take place is looked at. For comparison, we can set up laws and regulations, but without enforcement the use of this will be very limited. This is, among other things, where network segmentation comes into play.
Network segmentation is one of the most used ways in which a Zero Trust Risk Map is implemented. But this doesn’t have to be the only thing it’s used for: for example, a policy can dictate that a certain data must explicitly run on its own hardware or that every endpoint within a segment must be equipped with an endpoint-security-solution.
In most cases of network segmentation, it actually divides up the network into multiple network segments, often using VLANs and subnets. Traffic is sent through a next-generation firewall to enforce the specific policy, or part of it. For example, who may access this data and when, using what application. Simply routing the traffic is also network segmentation, but adds little to nothing to security.
Network segmentation can also mean separating traffic flows without actually segmenting the network. This includes solutions such as VMware NSX, Cisco ACI and Nutanix Flow. However, the implementation in this case is more dependent on product and not based on an open standard.
Zero Trust is a strategy that results in a Zero Trust Risk Map, which determines what data must be protected in which way(s). Subsequently, the Zero Trust Map will have to be implemented, and one of the implementation methods is network segmentation. Network segmentation can therefore give substance to the Zero Trust strategy, but is no Zero Trust in itself.