With micro-segmentation and zero trust, new security concepts are available. But will they become key players in IT security in the future? Do they represent a useful complement to existing measures, or are they just tools with limited relevance and little effect?
- Zero trust principles provide a valuable contribution to corporate protection, but also have limitations
- Macro- and micro-segmentation need to be applied together for zero trust to have full effect
- Protection against internal perpetrators and employee errors can be increased by zero trust
Traditional protection mechanisms try to prevent attackers from getting in at all. Perimeter protection, for example a firewall, is the main focus here. However, once attackers have succeeded in penetrating the corporate network, they can often move freely inside it, locate valuable data or compromise important systems.
Newer technologies take a different approach. Micro-segmentation, for example, enforces network segmentation at host level: the connections a host actually needs are identified, and only those are allowed. Zero trust brings a radical change in the culture of trust inside the corporate network. Whoever has access rights on one system does not automatically have access rights on other systems; several parameters are evaluated before a login is possible or access is granted. Trust relationships between systems and users can be reduced to the bare minimum, for example with the help of network access control (NAC).
But what relevance do these technologies have for future IT protection policies? We asked experts from various specialist institutions about this.
Half-hearted measures are not enough
The German Federal Office for Information Security (BSI) views zero-trust principles as a valuable contribution to corporate protection, but also emphasises their limitations:
The integration of zero trust principles (ZTP) is suitable for further securing infrastructures in the future. Although attacks cannot be completely avoided, the extent of damage can be significantly reduced by using ZTP. In particular, integration can help ensure that an infection of a single office PC no longer leads to the complete compromise of a company. The implementation of ZTP, on the other hand, only provides limited protection against attacks on supply chains or administrative systems.
Initial integration steps of ZTP often do not require any new techniques to be introduced; for example, the enforcement of rights and role models can already be optimised according to the principle of minimal rights, detection can be expanded or the segmentation of the company network can be further refined. For more far-reaching implementations, adjustments of the IT infrastructure might become necessary, such as further development of specialised applications for the use of stronger authentication methods.
Holger Berens, Chairman of the Board at the German Association for Critical Infrastructure Protection, BSKI, focuses on the connection between zero trust and macro- and micro-segmentation:
Zero trust models, which serve to identify data traffic by creating specific access controls for the network and regulate the corresponding approvals of users and applications, are suitable for protecting both IT hardware and software. Traditionally, it is often assumed that all users and applications registered in a network are trustworthy. This is questioned by the zero-trust models, because an attacker might already be in the system. After micro-segmentation and zero trust identification of all objects and the corresponding authentication of all users in NAC, macro-segmentation is first performed at the firewall level and then micro-segmentation is performed within the macro level. However, a zero trust model without macro- and micro-segmentation provides only limited protection. Only a logical and intelligent linking of both approaches can really exploit the advantages of zero trust.
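As an added illustration (not part of this article or of any of the quoted institutions' material), the following Python sketch shows how the two layers described above fit together: a zone-level macro-segmentation rule set in front of a per-host micro-segmentation allowlist built from the connections each host actually needs. Zone ranges, hosts, ports and flows are constructed for the example.

```python
"""Layered segmentation check: macro (zone firewall), then micro (per-host allowlist).
Constructed example; addresses, zones and flows are made up for illustration."""
from ipaddress import ip_address, ip_network

# Macro-segmentation: which zone may initiate connections to which zone.
# Traffic that stays inside one zone never crosses the zone firewall.
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "app": ip_network("10.20.0.0/16"),
    "db": ip_network("10.30.0.0/16"),
}
MACRO_ALLOW = {("office", "app"), ("app", "db")}  # everything else: deny

# Micro-segmentation: per-host allowlist of (dst_host, dst_port, proto),
# derived from the connections the host was observed to need.
MICRO_ALLOW = {
    "10.10.7.3": {("10.20.1.5", 443, "tcp")},   # office PC -> web app only
    "10.20.1.5": {("10.30.1.9", 5432, "tcp")},  # app server -> its database only
}


def zone_of(ip):
    """Return the zone name an address belongs to, or None if unassigned."""
    for name, net in ZONES.items():
        if ip_address(ip) in net:
            return name
    return None


def evaluate(src, dst, port, proto="tcp"):
    """Decide a flow: both layers must permit it; anything else is denied.

    Returns (decision, reason) so an audit log can show which layer stopped it."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "unknown zone"
    # Macro layer only sees traffic that crosses a zone boundary.
    if src_zone != dst_zone and (src_zone, dst_zone) not in MACRO_ALLOW:
        return "deny", f"macro: {src_zone}->{dst_zone} not permitted"
    # Micro layer: the host must have a recorded need for exactly this connection.
    if (dst, port, proto) not in MICRO_ALLOW.get(src, set()):
        return "deny", f"micro: {src} has no recorded need for {dst}:{port}/{proto}"
    return "allow", "both layers permit"


if __name__ == "__main__":
    for flow in [("10.10.7.3", "10.20.1.5", 443),   # normal use of the web app
                 ("10.10.7.3", "10.10.7.4", 445),   # PC-to-PC inside the office zone
                 ("10.10.7.3", "10.30.1.9", 5432)]:  # office PC straight to the database
        print(flow, *evaluate(*flow))
```

The second flow is the case the BSKI contribution warns about: it never crosses a zone boundary, so the zone firewall alone would not stop it and only the host-level allowlist denies it.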
In her contribution, Simran Mann, security policy officer at the German Information and Telecommunications Industry Association (Bitkom), also points to the protection zero trust offers against insider perpetrators:
Both offline and online, criminal energy operates according to the slogan: "Catch me if you can." The increasing professionalisation and division of labour on the dark web suggests constant automation of processes and constant improvement of criminal schemes. Therefore, it is essential to deal with state-of-the-art technology in information security. Zero Trust is a sufficient approach to not only protect one's own company from intentional sabotage and espionage, but also to protect it from unintentional sabotage by employees and former colleagues through dedicated access management. According to a Bitkom study (in German), these make up a considerable 36 percent of the perpetrators of cyber attacks. Micro-segmentation is also a suitable measure to better secure the company's IT infrastructure.
New technologies are a valuable contribution to IT security in every company
The possibilities of zero trust and micro-segmentation expand the portfolio of the security department. With these technologies, intruders can be effectively contained and damage minimised. Another interesting aspect is the protection against mistakes made by employees themselves: many such self-inflicted errors have already led to system failures or caused severe damage. But only the combination of micro-segmentation and zero-trust concepts exploits the real capabilities of these technologies.
Author: Uwe Sievers