The US government is rapidly transitioning to Zero Trust security architecture. This includes new guidance, reference architectures, and mandates from the administration and CISA for agencies to develop and meet the five “specific zero trust security goals,” by the end of September 2024.
Defense in depth was a characteristic of older security approaches—you’d have many applications performing overlapping jobs. Zero Trust doesn’t necessarily mean ripping out and replacing all your security tools, but many may be reviewing which approach is best for their goals. Now the goal becomes how to minimize the attack surface, improve data auditing and compliance visibility, and reduce network complexity and cost.
Let’s review how you can increase the effectiveness of Zero Trust by simplifying your approach.
Preserving a Simpler Approach while Securing Your Devices
One thing you may ask is, “how many of my security tools are designed only to mitigate threats that come in through the network?” You have your firewall, SIEM (Security information and event management), IDS (Intrusion detection system), IPS (Intrusion prevention system), DLP (Data loss prevention), and so on, all focused on an attacker who might try to jump in through an exposed port.
What’s equally likely to happen is that a user will connect their laptop to the network, and an attacker will send it a phishing email taking advantage of an unpatched vulnerability. From there it can move laterally, cleanly bypassing your perimeter.
The Zero Trust principle of “never trust, always verify” means that end-user devices, including personal computers and mobile phones, should also be looked at as a source of potential threat. Personally-owned devices should not be exempt from the policies that enforce Zero Trust—if anything, they should be trusted even less.
This concept also applies to those security tools in the stack. Production networks with out-of-band network performance, threat detection, and security monitoring tools process packet data moving between network segments like servers, routers, and switches, to ensure these endpoints are secure.
Providing this packet visibility through unidirectional data diodes, ensures traffic between the network and an infected endpoint or monitoring platform, can’t move laterally by traversing back into the live network. In short, using a data diode TAP means that you can help enforce Zero Trust just by enhancing your visibility architecture.
Reduce and Costs While Increasing Security
If there’s a lesson from the section above, it’s that you can begin to implement Zero Trust security while keeping much of your existing security suite, and without purchasing much in the way of new tools or applications. As far as new infrastructure is concerned, the major emphasis should be on making sure that an expanded volume of data is made available to your existing security tools.
Zero Trust will inevitably require new tools, however, even if you’re starting small elements of Zero Trust—such as adaptive access, automation, AI, and micro-segmentation—will require new applications to support them. Can Zero Trust infrastructure truly be described as “simplified” if it requires these new tools? How will these new tools impact operating costs?
Good news on the cost front: reports from Forrester Research show that companies implementing Zero Trust can reduce their overall security costs by over 30%, even though the framework involves the potentially costly introduction of new security devices. How does this work?
The major benefit here is that many of the improvements introduced by Zero Trust security are labor-saving. A SOC using technology from one or two generations ago might need the full-time attention of three full-time personnel. You’d need a person to receive alerts, a person to filter out the false positives, and a person to mitigate the issues that weren’t false positives. All these changes with automation.
For example, part of your Zero Trust solution might take the form of an analytics tool that compares the traffic on your network to traffic in other networks. It then teaches itself to recognize “normal” traffic and alerts on any traffic that appears abnormal—such as a networked surveillance system starting to send DNS calls outside your perimeter. This kind of system can flag anomalies more accurately than your old three-person SOC team and will flag fewer false positives.
In addition, you can streamline or breathe new life into some portions of your existing infrastructure. It’s not that you’ll no longer need a firewall—you still will—but now you can leverage improved visibility performance, load balancing, and aggregation to better utilize these tools.
Simplifying Your Security Stack Architecture
According to a recent study by Scoop News Group for FedScoop and StateScoop, a key factor hindering agencies’ ability to minimize risks is their reliance on several security solutions installed over multiple years. Two-thirds of respondents at state and local agencies — and more than one-third at federal agencies — reported using six or more tools specifically for managing IT risks.
Today’s federal and enterprise security stack architecture incorporates many inline tools and out-of-band monitoring tools creating complex challenges for management, as well as reliability challenges by introducing many vulnerabilities for single points of failure (SPOF).
Simplifying the management of these tools, while reducing complexity and vulnerabilities are important factors for zero trust deployments.
Utilizing an EdgeLens Inline Security Packet Broker helps reduce those challenges by managing both inline and out-of-band tools from one access point, reducing complexity and SPOFs, while ensuring complete packet visibility.
Instead of relying on switch SPAN or external network TAPs for the various monitoring tools like Intrusion detection systems (IDS), forensics, threat hunting, packet capture, storage, and network detection and responses tools (NDR), that are placed around the network. You can now enjoy full packet visibility and ensure no dropped packets through unreliable SPAN or introducing additional SPOFs. This also reduces the number of security and performance tools needed, as you can aggregate and optimize traffic.
Some vendors accomplish this by deploying external bypass TAPs paired with network packet brokers. Garland integrates the Bypass TAP and packet broker in one elegant solution, providing unique capabilities and reliability, including tool chaining, load balancing, and high availability (HA).
Garland’s EdgeLens is designed to contribute to lowering the cost of security by helping to enable Zero Trust. It does this by managing the availability of the whole security stack—providing bypass, HA, and TAP visibility to your out-of-band security and monitoring tools. This helps keep your stack simple. You can use your security tools as inline devices, which is simplest while eliminating the risk of a costly outage. If your tools go offline for any reason the Bypass TAP functionality will automatically ‘bypass’ the tool, keeping your network up while you resolve the issue.
Looking to simplify your security tool deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
