5 Steps to Zero Trust in the Data Center

We've all used a vast array of security products, processes, and policies in our ongoing attempts to secure the enterprise. Yet today, the risk of unwanted activity occurring inside the network is far greater than ever before, thanks to the ever-more-porous network perimeter and the new normal of remote working. Shrewd security professionals know that a new approach – one whose strength lies in its simplicity – is not only promising but proven.

It's called "Zero Trust," and the idea is to not trust any traffic unless a security policy explicitly allows it. This calls for fully understanding applications (down to the workload level) and creating smart policies that prevent unwanted behavior. Zero trust prevents unwanted lateral movement by inspecting all East-West traffic in the data center and applying policies that stop bad actors from moving around, escalating privileges, and gaining unacceptable data access.

Getting to Zero Trust in Five Steps

In the past, IT organizations have attempted to achieve zero trust with edge firewalls and (agent-based) microsegmentation orchestrators. Both solutions have useful characteristics but also have significant challenges. Distributed internal firewalls judiciously combine the best attributes of both, resulting in a far superior approach.

Thanks to distributed internal firewalls, you now have a fast track to zero trust. The distributed internal firewall is the foundation for the journey, providing the necessary capabilities – full topology visibility, advanced analytics, and simplified security architecture – for accelerating progress. Each step builds on the previous one, leveraging increased knowledge and experience.

Step 1: Macro-segment the network

First, use the distributed internal firewall to segment the network at a coarse level, isolating and securing zones (e.g., development, test, and production) from one another. This prevents attackers and malicious insiders from moving laterally between zones. There’s no need to redesign the network or even make network address changes: you can quickly and easily simplify the security architecture and accelerate your time-to-value. Remember that you can quickly expand the number of zones when needed.

Step 2: Gain visibility into network topology

In the past, it was difficult to fully understand applications, their workloads, and microservices. Today, the distributed internal firewall gives you full application topology visibility across the data center. Visibility into application behavior and traffic flows means you can gain control over all applications and workloads. This step also gives you the information you will need to carry out later stages in the journey.

Step 3: Micro-segment one well-known application

Armed with full visibility, you start the process of reducing the attack surface: isolate critical applications from other data center assets, enable user- and application-specific access controls, and stop lateral movement. The best place to start is with a business-critical application that is well-understood and well-documented, such as Virtual Desktop Infrastructure (see the Internal Firewalls ebook for more information on why this is a good choice). The distributed internal firewall inspects traffic and enforces user group-specific security policies. It makes security policy recommendations based on observed traffic patterns, and ensures policy consistency across the network, including VMs, containers, physical servers, and public cloud services.

Step 4: Turn on advanced threat controls

Go beyond access-control by turning on the distributed internal firewall’s advanced threat controls, such as intrusion detection/prevention (IDS/IPS). Because it is available out of the box, there’s no need to add, maintain, or manage another network device. Simply turn on the IDS/IPS functionality to detect traffic patterns that could indicate an attack. This also helps with compliance, fulfilling the IDS/IPS requirements for HIPAA and PCI-DSS regulations.

Step 5: Micro-segment all applications to achieve Zero Trust in the data center

Building on the experience gained in earlier steps, you can secure all critical applications in the data center. Start with well-understood applications such as Active Directory (AD) and DNS, using the distributed internal firewall to micro-segment them with simply expressed layer-7 policies and further secure them using built-in threat control capabilities. For applications that are not well-understood, the distributed internal firewall helps immeasurably. It provides visibility into east-west traffic, giving information about how these applications behave. It can then automatically generate policy recommendations, deploy updated policies, reduce blind spots, and block lateral movement early on to limit the damage.

Conclusion

These five steps can fast-track your move to zero trust in the data center. It provides full visibility into applications and workloads, making it easy to macro-segment the network, micro-segment applications, and apply threat controls.

About the Author:

Dhruv Jain is Sr. Director of Product Marketing at VMware and owns responsibility for Network Security & Analytics products. He has been in the data center software and infrastructure space for 15+ years in different roles spanning engineering, strategy, product management and marketing. Most recently he was with the Datacenter Networking business at Cisco, which he joined through a spin-in that built a new product line for network and security verification and operations. Prior to that he was co-founder/CEO of OpsClarity, a cloud infrastructure operations monitoring and analytics start-up. He has an MBA from Wharton, MS from Stanford, and BTech from IIT-Bombay.