Five ways to implement zero-trust based on NSA’s latest guidance

Organizations across all industries experienced a surge of ransomware attacks last year as cybercriminals extracted $1.1 billion in payments from victims. To thwart these bad actors and improve network security, the National Security Agency (NSA) released a new cybersecurity information sheet: “Advancing Zero-Trust Maturity Throughout the Network and Environment Pillar.”

As the creator of zero-trust, I’m pleased to see the NSA’s document emphasizes a paramount, yet frequently overlooked element of zero-trust security: segmentation.

I have long advocated that segmentation stands as the fundamental essence of zero-trust. However, in recent years, there has been a noticeable tilt toward the Identity pillar of zero-trust, leaving network security controls vulnerable both on-premises and in the cloud.

As the attack surface expands and the digital landscape grows increasingly interconnected, segmentation of on-premise networks, cloud, multi-cloud, and hybrid environments becomes imperative for organizations to fortify resilience and establish enduring zero-trust architectures.

The NSA also recognizes the importance of "data flow mapping." Flow mapping has been a focal point of my zero-trust advocacy since its early days. Understanding system interconnections is essential for successfully architecting zero-trust environments.

NSA’s document also underscores the significance of network security technologies in establishing a zero-trust environment. Organizations, whether on-premise or in various cloud environments, have largely overlooked the importance of network security controls. I think of network security as the cornerstone of zero-trust, particularly in combating ransomware attacks that jeopardize essential services and disrupt everyday life.

The NSA has reaffirmed this pivotal role of network security, finally granting zero-trust segmentation (ZTS) the recognition it deserves. This guidance should help organizations comprehend the importance of the Network pillar within zero-trust and encourage them to pursue network security technologies as they progress toward implementing a zero-trust architecture.

What lies ahead for zero-trust

As global connectivity grows, the attack surface expands. That’s why it’s imperative for organizations to delineate, map, and fortify their most critical Protect Surfaces within their zero-trust environments.

I hope the NSA’s recommendations convince more organizations to implement zero-trust as they cope with the ever-changing cybersecurity landscape. These zero-trust principles have become mainstream across various industries and organizations of different sizes. As cyber threats evolve, more companies will recognize the need to implement a zero-trust approach to protect their digital assets.

Here are my recommendations for how to implement zero-trust effectively:

  • Deploy continuous authentication: Stop relying on traditional security models focused on perimeter defense and static authentication methods; they are outdated and ineffective. Zero-trust emphasizes continuous authentication and authorization. In the future, this could involve more advanced biometric authentication, behavior analytics, and machine learning algorithms to assess and adapt to risks continuously.
  • Integrate with cloud and edge computing: With the rising adoption of cloud and edge computing, integrate zero-trust principles across these distributed architectures while also exploring how to utilize cloud-native security solutions.
  • Embrace API-centric security: With the growing prevalence of microservices and API-driven architectures, zero-trust principles extend beyond traditional network boundaries to secure interactions between services and APIs. That could involve implementing granular access controls, encryption, and authentication mechanisms for API communication.
  • Balance security with privacy considerations: Because privacy implications are scrutinized more closely, zero-trust implementation will need to balance security requirements with privacy concerns to ensure the enforcement of access controls without compromising individual privacy rights.
  • Align with data protection regs: Teams must ensure their zero-trust implementations align with data protection regulations such as GDPR and CCPA, which could potentially require additional safeguards to protect sensitive data and demonstrate compliance.

I commend the NSA for issuing its latest guidance because it’s a significant endorsement of the effectiveness and significance of ZTS, offering invaluable guidance for organizations seeking to fortify their cyber resilience amid the ever-changing threat landscape. It’s impossible to prevent all cyberattacks, but implementing a zero-trust model will significantly reduce the potential damage and strengthen any organization’s security posture.

John Kindervag, chief evangelist, Illumio
