NSA's Zero-Trust Guidelines Focus on Segmentation

The US National Security Agency (NSA) delivered its guidelines for zero-trust network security this week, offering a more concrete roadmap towards zero-trust adoption. It's an important effort to try to bridge the gap between desire for and implementation of the concept.

As businesses shift more workloads to the cloud, zero trust computing strategies have moved from a buzzy hype phase to enjoying the status of an essential security approach. But even so, the notion of "untrusted until verified" is still slow to catch on in the real world (although in some areas, such as in the United Arab Emirates, zero trust adoption is accelerating).

John Kindervag, who was the first to define the "zero trust" term  back in 2010 when he was an analyst at Forrester Research, welcomed the NSA's move, noting that "very few organizations have understood the importance of network security controls in building zero-trust environments, and this document goes a long way toward helping organizations understand their value."

Further, "it will greatly help various organizations worldwide more easily understand the value of network security controls and make zero-trust environments easier to build and operationalize," says Kindervag, who last year joined Illumio as its chief evangelist, where he continues to promote the zero-trust concept.

Zero-Trust Centers on Network Segmentation

The NSA document contains loads of recommendations on zero trust best practices, including, foundationally, segmenting network traffic to block adversaries from moving around a network and gaining access to critical systems.

The concept isn't new: IT departments have been segmenting their corporate network infrastructure for decades, and Kindervag has been advocating for network segmentation since his original Forrester report, where he said that "all future networks need to be segmented by default."

However, as Carlos Rivera and Heath Mullins from Forrester Research said in their own report from last fall, "no single solution can provide all capabilities needed for an effective zero trust architecture. Gone are the days when enterprises lived and operated within the confines of a traditional perimeter-based network defense."

In the cloud era, zero-trust is exponentially more complex to achieve than it once was. Perhaps that's the reason that less than a third of survey respondents in Akamai's 2023 report on The State of Segmentation from last fall have segmented across more than two critical business areas in the past year.

To ease some of the pain, the NSA walks through how network segmentation controls can be accomplished through a series of steps, including mapping and understanding data flows, and implementing software-defined networking (SDN). Each step will take considerable time and effort to understand what parts of a business network are at risk and how to best protect them.

"The important thing to keep in mind with zero trust is that it's a journey and something that must be implemented using a methodical approach," cautions Garrett Weber, the field CTO of the Enterprise Security Group at Akamai.

Weber also notes that there has been a shift in segmentation strategies. "Up until recently, deploying segmentation was too difficult to do with hardware alone," he says. "Now with the shift to software-based segmentation we're seeing organizations be able to achieve their segmentation goals much easier and more efficiently."

Going Further With Network Microsegmentation

The NSA document also differentiates between macro- and micronetwork segmentation. The former controls traffic moving between departments or workgroups, so an IT worker doesn't have access to human resources servers and data, for example.

Microsegmentation separates traffic further, so that not all employees have the same data access rights unless explicitly required. "This involves isolating users, applications, or workflows into individual network segments to further reduce the attack surface and limit the impact should a breach occur," according to the Akamai report.

Security managers "should take steps to use microsegmentation to focus on their applications, to ensure that attackers can't bypass controls by subverting single sign on access, using side loaded accounts, or finding ways to expose data to external users," says Brian Soby, the CTO and co-founder at AppOmni.

This helps define security controls by what is needed for each particular workflow, as Akamai's report lays out. "Segmentation is good, but micro-segmentation is better," the authors stated.

It may be a complex endeavor, but juice is worth the squeeze: In Akamai's report, researchers found that "perseverance pays off. Segmentation proved to have a transformative effect on defense for those who had segmented most of their critical assets, enabling them to mitigate and contain ransomware 11 hours faster than those with only one asset segmented."

Kindervag is still advocating for zero trust. Part of its attraction and longevity is because it is a simple concept to grasp: people and endpoints don't get access to services, apps, data, clouds, or files unless they prove they are authorized to do so — and even then, access is only granted for the length of time it's needed.

"Trust is a human emotion," he said. "People didn't understand it when I first proposed it, but it is all about managing danger, rather than risk and plugging holes in your security."