Applications and databases play vital roles for organizations hosting services and consumers accessing data resources – and protecting them is a top priority for any data center.
Connected to an internet full of hackers, billions of devices, and malware, networks are vulnerable to an array of web-based threats. Not long ago, the priority for network security was securing the network perimeter, but forces like remote work and the widespread adoption of cloud and edge computing make defending the perimeter increasingly tricky.
It’s no longer a question of whether malicious actors can gain access. It’s whether they’re able to move laterally within the network once they do. As zero trust has evolved from buzzword to product over the last decade, a consensus has emerged that a microsegmentation-based framework is the surest defense against the next generation of threats. To preserve server security, zero trust is designed to keep intruders from ever reaching an organization’s crown jewels.
Here we look at why zero trust is a significant boost to application and database security and how to adopt a zero trust architecture.
Why zero trust?
Network Security Tools Are Essential
Downtime, machine failure, and cyberattacks can be devastating to organizations. When data is offline or unavailable, personnel and customers alike aren’t pleased. Knowing this, administrators secure the network with a suite of software and security tools to keep the network running and data available. For the data center, power redundancy and backup and disaster recovery solutions are essential protections.
Active Priority: Internal Network Security
Another crucial network tool is the traditional firewall, placed at the network edge to keep intruders and malicious packets out. Because the perimeter has long been the cybersecurity priority, security policies inside the network, and for traffic between network segments, changed little. Meanwhile, as the years have transformed network perimeters, reaching a network gateway has never been easier.
With initial access, a malicious actor can move laterally through the network, escalate privileges, and compromise sensitive data. Several attacks this year, including the SolarWinds Orion breach, showed how skilled advanced persistent threats (APTs) can mask their activity while spreading malware across network systems.
Remove Trust Without Disrupting Business
Reversing the paradigm in which devices are designed to inherently trust other devices [allow all], zero trust calls for granular controls between network segments and, eventually, a state in which only pre-categorized traffic is permitted [deny all]. Because organizations from SMBs to large enterprises require extensive data and application sharing, the network architect’s objective isn’t to disrupt business-critical access but to ensure abnormal traffic is identified and managed.
By following the steps provided, network stakeholders can ensure that the organization’s most important assets are secure, maximize visibility into network traffic, and adjust control policies to maintain regular business.
How to implement zero trust
Identify Protect Surfaces, Users, and Privileges
Today’s network perimeter is rarely still. Between the rise of remote work and the boom in endpoint devices in use, protecting the whole of an organization’s attack surface is no longer feasible.
Network administrators need to take a bird’s eye view of their network and define where the most critical data and resources reside. Every organization has network segments vital to business continuity, dubbed the protect surface, that deserve more substantial security than other segments. Applications holding client data, operational technology (OT) that controls industrial processes, and Active Directory come to mind.
With protect surfaces identified, the process of defining users and privileges begins. Who is accessing what resources? Does a user with initial access have access to the whole network segment or just a fraction of the data resources within an application?
Map Flows of Sensitive Data and Resources
Applications and databases are responsible for storing and transmitting critical data across global networks. When resources move from defined protect surfaces, the flow, destination, device, time, location, user, and role are all data points administrators need to inform their next steps.
Analyzing how data moves produces a picture of how malicious actors could reach your most important data and system controls. Equipped with that insight into traffic flows and vulnerabilities, administrators can start to test their findings.
Deploy Microsegmentation via Network Fabric, Hypervisor, or Firewalls
At the heart of zero trust in practice is microsegmentation, the act of segmenting network components to ensure appropriate access levels for the relevant data resources.
In data centers and software-defined data centers (SDDCs), the network fabric makes enforcing access between segments in your infrastructure seamless. Network fabrics aren’t ideal for microsegmentation in cloud environments, however. Also fit for an SDDC environment, a virtual machine manager, or hypervisor, can serve as an enforcement point for comprehensive network management.
And last but not least, next-generation firewalls (NGFW) are a popular choice for implementing microsegmentation because of their flexibility in deployment. Across environments, NGFWs can form a distributed internal layer of security throughout the network.
Configure Policies for Appropriate Resource Flows
No matter the microsegmentation route, administrators can now establish granular policy rules based on their prior findings. Essential information for establishing valid policies includes clearly defining:
- Who has access to what data resources?
- What application is accessing sensitive data?
- When are the resources accessed?
- Where are data resources moving to in-network?
- Why is this user accessing this sensitive resource?
- How is the packet accessing the resource?
With the organization’s network mapped out and all packets, users, privileges, and protect surfaces defined, it’s time to configure policies that reflect the optimized security approach. Policies can be applied one application at a time, or en masse once the approach has proven successful. Administrators can then test flipping the trust switch for the first time. Moving from allowing all traffic to denying all traffic except what’s prescribed is a giant leap for the network.
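The flow mapping described under Map Flows of Sensitive Data and Resources and the policy step described here can be expressed as a small model. The following is an added example, not code from the original article or from any vendor it mentions: the segment names, roles, hours, the Flow and Rule types and the sample flow records are all constructed for illustration. It maps which sources reach each protect surface, encodes the business-justified flows as explicit allow rules, and then evaluates the same traffic under the legacy allow-all default and the zero trust deny-all default, so the flows that will turn into support requests after the switch are visible before it is flipped.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection toward an application or database, carrying the
    attributes the article lists as policy inputs (who, what, when, where)."""
    src_segment: str
    dst_segment: str
    app: str
    role: str
    hour: int  # hour of day, UTC


# Constructed sample flow records (hypothetical segments, apps and roles).
SAMPLE_FLOWS: List[Flow] = [
    Flow("web-tier", "db-customer", "orders-api", "service", 10),
    Flow("web-tier", "db-customer", "orders-api", "service", 23),
    Flow("corp-workstations", "db-customer", "sql-client", "dba", 14),
    Flow("corp-workstations", "db-customer", "sql-client", "intern", 3),
    Flow("corp-workstations", "ad-domain-controllers", "ldap", "employee", 9),
    Flow("web-tier", "ad-domain-controllers", "smb", "service", 11),
    Flow("corp-workstations", "file-share", "smb", "employee", 9),
]

# Protect surfaces of the kind the article names: client data, Active Directory, OT.
PROTECT_SURFACES: Set[str] = {"db-customer", "ad-domain-controllers", "ot-plc"}


def map_flows(flows: Iterable[Flow]) -> Dict[str, Set[Tuple[str, str, str]]]:
    """For each protect surface, collect the distinct (source segment, application,
    role) combinations observed reaching it. This is the picture an administrator
    reviews before writing any rule."""
    reached: Dict[str, Set[Tuple[str, str, str]]] = defaultdict(set)
    for f in flows:
        if f.dst_segment in PROTECT_SURFACES:
            reached[f.dst_segment].add((f.src_segment, f.app, f.role))
    return dict(reached)


@dataclass(frozen=True)
class Rule:
    """One explicit allow: which role, from which segment, to which protect surface,
    via which application, during which hours [start, end)."""
    src_segment: str
    dst_segment: str
    app: str
    role: str
    hours: Tuple[int, int] = (0, 24)

    def matches(self, f: Flow) -> bool:
        start, end = self.hours
        return (f.src_segment == self.src_segment and f.dst_segment == self.dst_segment
                and f.app == self.app and f.role == self.role and start <= f.hour < end)


# Rules derived from the mapping, keeping only the flows with a business justification.
ALLOW_RULES: List[Rule] = [
    Rule("web-tier", "db-customer", "orders-api", "service"),               # app tier to its DB, any hour
    Rule("corp-workstations", "db-customer", "sql-client", "dba", (8, 18)),  # DBAs, business hours only
    Rule("corp-workstations", "ad-domain-controllers", "ldap", "employee"),  # directory lookups
]


def decide(f: Flow, rules: List[Rule], default_allow: bool) -> str:
    """Return 'allow' or 'deny'. Traffic to a protect surface is decided by the
    explicit rules; unmatched traffic falls to the default. default_allow=True is
    the legacy allow-all posture, False is zero trust: deny all except what is prescribed."""
    if f.dst_segment not in PROTECT_SURFACES:
        return "allow"  # segments outside the protect surface are out of scope for this model
    if any(r.matches(f) for r in rules):
        return "allow"
    return "allow" if default_allow else "deny"


def flip_trust_switch(flows: List[Flow], rules: List[Rule]) -> dict:
    """Evaluate the same traffic under both postures. The flows denied under
    deny-all are exactly the items that will surface as access requests to review."""
    legacy_denied = [f for f in flows if decide(f, rules, True) == "deny"]
    zt_denied = [f for f in flows if decide(f, rules, False) == "deny"]
    return {"allow_all_denied": len(legacy_denied),
            "deny_all_denied": len(zt_denied),
            "to_review": zt_denied}


if __name__ == "__main__":
    for surface, sources in map_flows(SAMPLE_FLOWS).items():
        print(surface, "is reached by", sorted(sources))
    result = flip_trust_switch(SAMPLE_FLOWS, ALLOW_RULES)
    print("denied under allow-all:", result["allow_all_denied"])
    print("denied under deny-all:", result["deny_all_denied"])
    for f in result["to_review"]:
        print("  review:", f)
```

On the constructed sample, the two flows that fall to deny are an intern reaching the customer database at 03:00 and the web tier opening SMB to the domain controllers; neither appears in the allow rules, so under the legacy default they would have passed silently, while under deny-all they become review items rather than unnoticed lateral movement.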
Monitor, Adjust, Enhance
Flipping the trust switch comes with its share of hiccups. As key personnel and clients begin using the network under its zero trust infrastructure, the IT department is sure to see a rise in technical support requests. Every request for greater access tells network and database administrators how to adjust controls so the security framework reflects the living organization. Monitor these requests and continue to track how sensitive data moves to refine policy changes.
Zero trust framework: Different for each network
There are no one-size-fits-all zero trust solutions. While vendors offer support, insight, and experience in implementing zero trust, a zero trust framework is custom to the organization and network it serves. With that in mind, the implementation process described above isn’t prescriptive. Organizations with initiative can take steps today to start building a zero trust network architecture.
An investment in the future
Zero trust covers the gamut of the OSI model to protect the organization’s digital infrastructure. Implementing zero trust from network to application layers, databases, and software programs gives stakeholders the visibility to feel confident about the organization’s security posture.
While an intimidating endeavor, moving towards zero trust is a process worth initiating to organize and secure your organization’s data resources for years to come.
While databases and applications have long been mainstream components of the enterprise network, security services for protecting them are still a complex marketplace. To learn more about the industry, check out eSecurity Planet’s Top Database Security Solutions for 2021.