Security | 10.16.2020

Zero Trust Architecture and moving beyond VLANs for segmentation

For years enterprises have deployed VLANs to segment their networks on the theory that devices in one segment were limited in their ability to adversely affect devices in another. In practice this approach provided very little actual risk mitigation and instead gave a false sense of security. As the threat landscape has evolved and attackers have grown more adept at exploiting vulnerabilities, the VLAN strategy is finally being proven, once and for all, to be combat-ineffective at managing threats.

Zero Trust Architecture (ZTA) is significantly more effective from a security posture standpoint, enabling organizations to reduce the overall risks across hybrid environments – on-premise, private cloud, public cloud – and boost the ability to contain potential threats before they can propagate throughout the network.

The threats facing companies today are more complex than they were even a few years ago. Ransomware, for example, used to be considered an annoyance. But hackers have upped their game, and the latest generation of ransomware attacks has caused businesses and government entities not only significant financial harm but, in some cases, has brought operations to a halt. Healthcare organizations hit by ransomware were forced to cancel non-elective procedures. Global logistics firms were unable to process shipments. Municipalities lost the ability to deliver critical services to residents, such as processing utility payments, and were even locked out of legal records.

The rise (and tremendous growth) of IoT has also expanded the footprint for hackers. Gartner forecasts 5.8 billion endpoints will be in use in the enterprise and automotive IoT markets alone before the end of 2020. Unfortunately, most of these devices weren’t designed with security in mind and have only minimal capacity to support security functionality. The result? A lot of new vulnerabilities offering easy access to corporate networks.

From external attacks to unsecured internal IoT devices, enterprises are increasingly turning to Zero Trust to improve their security posture and ensure their assets are protected.

Rather than rely on a traditional legacy VLAN segmentation model, Zero Trust ignores the flat network structure and perimeter security approach and instead focuses on developing a deeper level of trust to determine who should – and shouldn’t – be allowed to connect, and to what. Zero Trust enforces a containment-by-design approach which is fundamentally different from the long-established VLAN method. It allows VLANs to exist as they were designed – as merely a way for devices to get an IP address to gain access to the local network. This strategy no longer assumes trust based on a user’s VLAN but rather based on who the user is and what device they are using. By interrogating each user as they connect to the local switch port or wireless network, Zero Trust considers everything off-limits until identity is confirmed, and even then users are authorized access only to the resources they require to do their job.
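To make the contrast concrete, the following added example (not code from the original post or any vendor product) models the two decision rules side by side: the legacy check grants access purely from VLAN membership, while the Zero Trust check defaults to deny and requires confirmed identity, an authorized role and acceptable device posture for each resource. The policy table, device attributes and sample sessions are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    vlan: int
    managed: bool   # enrolled in device management (constructed attribute)
    patched: bool   # current on patches (constructed attribute)


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    device: Device
    authenticated: bool  # identity confirmed at the switch port / SSID


# Legacy model: trust is inherited from VLAN membership alone.
def vlan_allows(session: Session, resource_vlan: int) -> bool:
    return session.device.vlan == resource_vlan


# Zero Trust model: hypothetical policy table mapping each resource to the
# roles allowed to reach it and the device posture it demands.
POLICY = {
    "billing-db": {"roles": {"finance"}, "managed": True, "patched": True},
    "hvac-controller": {"roles": {"facilities"}, "managed": False, "patched": False},
}


def zero_trust_allows(session: Session, resource: str) -> bool:
    """Default deny: every condition must hold; the VLAN is never consulted."""
    rule = POLICY.get(resource)
    if rule is None or not session.authenticated:
        return False
    if session.role not in rule["roles"]:
        return False
    if rule["managed"] and not session.device.managed:
        return False
    if rule["patched"] and not session.device.patched:
        return False
    return True


def compare(session: Session, resource: str, resource_vlan: int) -> dict:
    """Return both verdicts so the difference between the models is visible."""
    return {"vlan": vlan_allows(session, resource_vlan),
            "zero_trust": zero_trust_allows(session, resource)}


# Constructed sample sessions: a finance analyst on a managed laptop and a
# visitor's unmanaged laptop that landed in the same server VLAN (10).
ANALYST = Session("alice", "finance", Device(10, True, True), True)
VISITOR = Session("guest", "visitor", Device(10, False, False), True)
```

Running `compare(VISITOR, "billing-db", 10)` shows the visitor passing the VLAN check and failing the Zero Trust check, which is exactly the lateral-movement path the VLAN model leaves open.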

Though it’s highly secure and far more capable of thwarting threats than VLAN segmentation, Zero Trust isn’t without its challenges. Some infrastructures may not have the features necessary to use the full scope of Zero Trust functionality. Existing silos can stymie efforts to bring people and infrastructure together to create a true Zero Trust Architecture. Management may also become more complex. Some people don’t want to get into enforcement as part of Zero Trust because they fear they haven’t fully mapped application dependencies and identified the various areas of their network. What if I break user access? What if things no longer work?

Each of these obstacles can be addressed with thoughtful planning and targeted efforts, and it’s well worth it because the benefits of Zero Trust are significant. Attacks can be slowed considerably, diminishing lateral spread so one errant click in a corrupted e-mail is no longer likely to take down an entire organization. Zero Trust also enables adding security to IoT and similar devices, or where local firewalls and patching may be sketchy. Because of the containment-by-design approach, Zero Trust maintains a perimeter around untrusted devices, connections, and ports. Enforcement points are added throughout the environment, giving your network critical protection from emerging threats.

This summary of benefits only scratches the surface. If you’d like to learn more about Zero Trust Architecture and how it can help your organization mitigate network security risks, check out our Always On Virtual Series for an in-depth look.
