Use Case 4 - Container Isolation / Access
Zero Trust architecture eliminates traditional chokepoints as seen in Legacy Trusted Internet Connection (TIC) and DOD Joint Regional Security Stacks (JRSS)/Internet Access Points (IAP)/Cloud Access Points (CAP). Decentralizing these chokepoints and designing a distributed architecture that aligns with the NIST Special Publication 800-207 PEP/PE/PDP framework may improve security and support digital transformation initiatives. Creating secure access from anywhere, on any network, that gives a user the right access under the right conditions is vital. NIST SP 800-207 outlines three approaches to Zero Trust: software-defined networking or perimeter, identity governance, and application micro-segmentation. While all three areas may interact together, each focuses on a specific piece of an access attempt.
- Software-defined perimeter and network infrastructure are focused on delivering and routing network and internet traffic.
- Identity governance is focused on uniquely identified people or things requesting access.
- Application micro-segmentation is focused on network segmentation but also relies on identity governance.
CURRENT STATE APPROACH
- Organizations' networks typically have one of two challenges:
- The network that hosts their resources (on-premise or in Cloud) is a large flat network (high risk due to lateral East-West pivot), making segmentation a nightmare: re-designing the network (re-IP addressing systems) is a heavy lift, and a forklift upgrade to refresh the on-premise fabric is expensive when there is a strategic goal to move to Cloud. The result is a stalemate in which nothing is done.
- The network design has become highly fragmented through traditional segmentation tools such as VLANs and firewalls. The current configuration is static and hard to change, even when reacting to threats. The current network segmentation approach, such as VLANs (802.1x), does not extend to Cloud, which results in a different security platform for segmentation for each cloud provider and on-premise location.
- Application processes, system calls, containers, and transactions within the same machine
ZERO TRUST OBJECTIVE
- Zero Trust application micro-segmentation technologies can bridge the gap to deliver security on flat or highly fragmented (on-premise) networks and seamlessly extend those security policies to any cloud. Micro-segmentation policies should also be employed on the user side to mitigate lateral threats on their LAN/Wi-Fi.
- Address Insider Threat, Mitigate Lateral East-West Pivots, Enforce Least Privilege, Provide Data-in-Motion Protection/Encryption.
VALUE PROPOSITION FROM ZERO TRUST APPROACH
- Immediate impact by securing workloads/IoT/users on flat networks, without wasting investment to solve this challenge on-premise, because the ZT micro-segmentation capability can grow and move with you to Cloud.
- Immediate impact on highly fragmented networks by reducing the complexity burden of the existing VLANs and firewalls (fewer FTEs needed to manage them; those FTEs can be re-purposed to Cloud transformation projects), while being able to extend micro-segmentation policies outside the on-premise environment into any Cloud-hosted infrastructure.
WHERE TO GET STARTED
- Identify the environment to conduct Proof of Concept or Pilot. Note micro-segmentation is architected in two ways, either by business unit roles or by Application/Service within the organization.
- Capture and document the security and compliance requirements for micro-segmentation (for example: meeting Information Assurance requirements to PCI-DSS or HIPAA compliance.)
- Capture and document success criteria with a focus on the end-user experience.
- Create a Test Plan with success criteria for each requirement.
- Collect existing information on users and components in the scope of the security boundary, leveraging Hardware and Software Asset Management tools.
- Conduct discovery to understand the application dependencies and flows in the environment.
- Create Design and Architecture documentation and an implementation plan covering integrations (for example: Identity Provider, Network, Compute/Hypervisor).
- Deploy the micro-segmentation solution.
- Execute the Test Plan and capture results.
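The discovery and test-plan steps above are where a draft micro-segmentation policy is checked against the application flows actually observed before anything is enforced. The following is an added example, not code from the original page or any vendor product: it models a label-based, default-deny policy (every flow is blocked unless a rule explicitly permits it) and dry-runs it over a constructed set of discovered flows, so that flows which the policy would break, and lateral East-West paths it would close, are visible before deployment. Workload names, labels and ports are assumed for illustration.

```python
"""Dry-run a default-deny, label-based micro-segmentation policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset  # e.g. {"app=web", "tier=frontend"}


@dataclass(frozen=True)
class Flow:
    src: Workload   # discovered source workload
    dst: Workload   # discovered destination workload
    port: int


@dataclass(frozen=True)
class Rule:
    src_labels: frozenset  # every label here must be on the source
    dst_labels: frozenset  # every label here must be on the destination
    ports: frozenset


def allowed(flow, rules):
    """Default deny: permit a flow only if at least one rule matches it."""
    return any(r.src_labels <= flow.src.labels
               and r.dst_labels <= flow.dst.labels
               and flow.port in r.ports
               for r in rules)


def dry_run(flows, rules):
    """Split discovered flows into (permitted, blocked) under the policy."""
    permitted = [f for f in flows if allowed(f, rules)]
    blocked = [f for f in flows if not allowed(f, rules)]
    return permitted, blocked


# Constructed sample: three application tiers plus an admin jump box.
WEB = Workload("web-01", frozenset({"app=shop", "tier=web"}))
API = Workload("api-01", frozenset({"app=shop", "tier=api"}))
DB = Workload("db-01", frozenset({"app=shop", "tier=db"}))
JUMP = Workload("jump-01", frozenset({"role=admin"}))

# Constructed "discovered" flows; the last two are lateral East-West paths.
DISCOVERED = [Flow(WEB, API, 8443), Flow(API, DB, 5432),
              Flow(WEB, DB, 5432), Flow(JUMP, DB, 5432)]

# Draft least-privilege policy: only the intended tier-to-tier flows.
POLICY = [Rule(frozenset({"tier=web"}), frozenset({"tier=api"}), frozenset({8443})),
          Rule(frozenset({"tier=api"}), frozenset({"tier=db"}), frozenset({5432}))]
```

Running `dry_run(DISCOVERED, POLICY)` permits the two intended tier-to-tier flows and reports the web-to-db and jump-box-to-db paths as blocked, which is the review list for the test plan.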