Developing Zero-Trust Designs: Using Microsegmentation

Sometimes dismissed as a “security term” and therefore ignored by many, it is a design blueprint that is a critical tool to defend against cyber attacks. As we noted in our latest TechnoVision 2024 release: "Technology Businesses must be trusted by customers, clients, shareholders, employees, partners, networks, and authorities alike — or there is no business". In my view it is very important to consider microservices when it comes to IT design.

Introduction

In principle, microsegmentation refers to the ability to segment compute, storage, and network into one virtual zone to control in and outbound traffic in both north-south as well as east-west direction.

The main aim of microsegmentation is to significantly increase security by containing threats within a small(er) area, essentially containing the threat.

It follows that Zero Trust approach, meaning “never trust, always verify” (the term "zero trust" was coined by Stephen Paul Marsh in his doctoral thesis on computer security at the University of Stirling back in 1994). 

Background

Breaches in security are well documented in the press nowadays, and with the increase of digital (in particularly automation and full connectivity) attacks exploiting unknown vulnerabilities are one of the key threats’ organizations must protect themselves against.

In a 2020 Forrester study, SQL injections, exploring lost or stolen assets, malware and exploiting software vulnerabilities are the most common external attacks.

With the rise of so-called “Exploit Kit’s” many environments are increasingly at risk of being successfully attacked without identification. At the time of writing the CISA (US Cybersecurity & Infrastructure Security Agency) reports just over 1000 known (used / exploited) vulnerabilities across 167 different vendors. Stopping an attack that us using an exploit – like running a remote admin command on a host without providing an admin password – is only possible if that exploit is known at the time of attack. If the attacker is exploiting an unknown vulnerability organization are blind and there is a possibility of further internal attacks from within.

Some attackers wait hours, days of even weeks to exploit a successful breach by installing command & control center to try and attack hosts that are reachable within their trusted zones.

In 2020, malware attacks increased 358% compared to 2019. From here, cyber-attacks globally increased by 125% through 2021, and increasing volumes of cyber-attacks continued to threaten businesses and individuals.

In November 2023 the World Economic Forum reported the biggest-ever DDoS attack (distributed denial of service) worldwide. At its peak Google mitigated a DDoS attack that peaked at 398 million requests per second.

Looking at this trend and the fact that software is becoming more and more important to any organization, companies must better equip themselves to minimize the impact of a cyberattack in order to increase their business resilience.

And applying a Zero Trust approach is a key ally for any organization today. 

What is Zero Trust?

The Zero Trust approach is trying to address this by promoting “never trust, always verify" as its guiding principle. With Zero Trust there is no default trust for any object —regardless of what it is and its location on, or relative to the network setup – i.e. being in the same zone.

As we outlined in our Zero-Trust paper issued last year, Zero Trust is about not trusting anyone. This means that any end user or system activity, like create, read, update, or delete an item must be validated. By validate, I am referring to the check to see if the originator is authenticated and authorized to execute the command.

As my colleague Geert van der Linden noted in his article last week, "Zero Trust must become more than the gold standard, it must become standard practice."

There are many aspects to Zero Trust like authentication, authorization, non-repudiation, encryption, proactive intrusion detection and prevention as well as aspects like effective starter and leavers program, appropriate classification of data to applying a Zero Trust culture.

Related to intrusion prevention and containment, microsegmentation is a key concept.

The Typical Approach Before Microsegmentation

Until recently it was common to design a secure infrastructure for online applications using a 3-tiered based blueprint that relied on “trust zones” as well as on physical firewalls (amongst other components like reverse-proxy, intrusion detection system, intrusion prevention system) that controlled and managed all in and outbound traffic.

In detail, this would entail to configure Trust Zones where a physical network would allow for grouping of machines (physical / virtual) into a zone. That group would then be related to a physical firewall port and / or a virtual switch port-group and / or a VLAN. This will allow for firewall-controlled communication between zones – the so-called north-south control.

However, crucially east west there is no firewall-controlled communication. This means that in case of a successful exploit of an unknown vulnerability the attacker can setup control center (command & control) either on the first host or can move within the zone to a different host.

Using microsegmentation

A better way to control and contain known and, more importantly unknown exploits, is to deploy a zero-trust approach by using a microsegmentation approach. Mainly driven by a cloud first approach, microsegmentation is only now possible as network virtualization increases in maturity and deployment. Using software-based networking capabilities in a virtual cloud environment, it is possible to track, control, monitor, log every flow, package between any hosts – north, south, east, and west.

In a microsegmentation approach every single virtual server has its own firewall – typically a stateful – that can filter, log, monitor every package that either enters or leaves the server. Stateful, or sometimes also called dynamic packet filtering, is the ability to retain session context information so that the firewall can track and monitor the state of an active connection.

As the firewall is “below” the network there are no “Trust Zone” - security is always present – per flow, per packet, stateful inspection with policy actions and detailed logging as well as per virtual machine, per virtual network interface. The physical network acts only as a physical connector.

Microsegmentation based blueprints will be implemented using fully virtualized environments. This means compute is virtualized – all physical servers are virtual hosts. Most of the network environment is virtualized using an SDN (software designed networking) approach. In the SDN Model networks are abstracted even more granular as a logical set of network ports.

SDN tackles one of the fundamental challenges with today’s networking, namely the use of IP addresses (at OSI Layer 3) for two unrelated purposes: as an identity but also as a location.

Tying these together restricts a (virtual) machine from being moved around as easily as we would like. Like server virtualization abstracts the server hardware for the software that runs on it, virtualization of the network abstracts the cables and ports from the demands of the applications.

By abstracting OSI Layer 2 (‘the MAC addresses’) for the Virtual Machines and allowing transparent overlay communication (L2 over L3 tunnels) between VM’s on top of physical networks, the mobility and portability of VM’s are extended across network boundaries.

This enables the on-demand, programmatic creation of tens of thousands of isolated virtual networks with the simplicity and operational ease of creating and managing virtual machines. Furthermore, logical networks can be separated from one another, simplifying the implementation of multi-tenancy as well as being the basis for a microsegmentation based approach.

Microsegmentation considerations

A microsegmentation approach allows to manage security not on an IP but on a virtual server / machine level. Security works on a basic concept of a group in which objects are being assigned to which specific policies are being applied. Using microsegmentation and in a virtual network environment these groups can now include virtual server / machines. This has several advantages:

• It is simpler as there is no mapping between physical firewall and NIC port needed
• It can “grow” automatically, meaning based on policy new virtual server / machines can simply be added via standard templating and group policies
• It can allow to run production and non-produce side by side as virtual server / machine-based groups will separate each virtual server / machine
• There is no limitation regarding connecting to a distributed virtual switch (DVS). It does not matter which port group connect to the virtual server / machine and vice versa

Next to the ability to manage security from a virtual server / machine perspective and not just and IP/port level, is the ability to go up one level – to manage it based on application and user.

There are some products in the market – physical as well as virtual – that allows to construct security truly top-down.

The implication is that the network topology as well as logical design, i.e. routes, flow, separation etc., changes. Introducing this approach in an existing environment will require diligent planning + it pushes application, compute, and network much closer together; meaning it cannot be seen in isolation anymore. Another impact is the reduction in silo’ed organization setups of the past (or for many the current), as server and network teams can and will have to work much closer together.

There are several aspects to consider when moving to a Zero Trust model using microsegmentation:

• It cannot replace the need for firewalls, reverse-proxies, intrusion detection systems, intrusion prevention systems and / or anti-malware and anti-virus solutions
• Zero trust-based designs are not able to guarantee full security – it can only control and contain an attack that is exploiting an unknown vulnerability
• There are other measures needed to protect from attacks – zero trust can only protect (or better contain) ~ 37% of all attacks (see here)
• Microsegmentation can increase network complexity, both during the actual design as well as the management
• It might not be the right answer for all cases – for instance for small or medium setups a 3-tier might still be most appropriate
• To gain maximal benefits microsegmentation requires a full virtual setup

Summary

As outlined above, microsegmentation can increase security by containing a breach. However, a Zero Trust requires further measures to ensure all attacks are being dealt with and not “just” attacks exploiting unknown vulnerabilities.  As with any security measure organizations must weigh up cost vs risk to decide what solutions and blueprints are needed to protect appropriately. What is clear is that security incidents are increasing, and with it the need to increase measures to protect critical IT services.

More Material

See our Cybersecurity Landing page to access more relevant material

Thanks for reading!

PS: Thanks to Randy Potter suggesting to share an extract of my Weekly GMz