With the growing recognition that perimeter-based security is becoming obsolete, more businesses are striving to deploy zero-trust security models, in which user-identity management is key. But that requires organizations to rethink their entire approach to security and raises questions about whether they need to start from scratch with an entirely new security stack, or whether existing solutions can be adapted to a zero-trust framework.
At its annual user conference, Nutanix security experts described how to use its application security solution, Flow, to implement virtual machine (VM) microsegmentation, a critical element of any zero-trust approach.
Why is zero trust becoming the gold standard? Because the nature of threats is changing — and so is the nature of business, argued Mike Wronski, a Nutanix product marketing director.
More threats than ever are coming from within organizations, Wronski noted. The Ponemon Institute found earlier this year that insider threats have increased by 50 percent. A zero-trust model ensures that individuals, including full-time employees, gain access only to the applications they need.
Moreover, network infrastructures become more complicated as businesses grow, leading to increasing configuration errors. “It turns out that a lot of mistakes get made — they’re innocent mistakes, but they increase risk, and it’s out of this complexity that these errors occur,” Wronski said.
Misconfigurations are shockingly common, according to research. Palo Alto Networks discovered that 60 percent of cloud storage services have logging disabled, meaning that threat actors can enter systems without anyone inside an organization ever knowing. And most misconfigurations go unnoticed: When McAfee surveyed more than 1,000 IT professionals, they found that most misconfigurations are unreported.
Finally, Wronski said, too many companies seem to be focused more on breach detection than on prevention, when both should be central to any comprehensive security strategy.
What Is Zero-Trust Security?
All this suggests that a new security model is required. With a zero-trust model, instead of relying on perimeter devices to detect and stop intrusions, policy becomes the perimeter. “Zero trust says, ‘Trust nothing, and assume that something malicious is going to get in, and make sure we have the security controls in place to deal with it,’” Wronski said.
A critical step for deploying zero trust is the expansion of microsegmentation: the practice of segregating different parts of a network from one another so that a malicious actor doesn’t have free rein within a network merely by gaining access to one part of it. Microsegmentation is not new, but businesses must apply granular policy between users and virtual machines when striving for zero-trust security within a hybrid cloud environment.
“So if we no longer have this perimeter defining what’s the data center and what’s not the data center, and everything’s out there in the cloud, and we have all these users and all these VMs talking to each other back and forth, adding in microsegmentation and security policy gives me detailed control over all those areas,” Wronski said.