Security keeps getting more complex, and despite a multitude of products, tools and processes, organizations find it challenging to prevent 100 percent of breaches or unwanted access. Zero Trust holds the promise of achieving tighter security by only trusting network traffic that is specifically permitted by a security policy. While the task appears daunting, those organizations that follow a step-by-step approach can achieve success.
The process followed by VMware IT (VMIT) can serve as a blueprint for other organizations, removing some of the mystery and complexity. VMIT embarked on a Zero Trust project for data center security to prevent unwanted lateral movement, restricting communication among workloads to only the minimum needed to complete their jobs. The goal was to make Zero Trust the new normal for all applications in the data center. To do so, the team needed to gain a complete understanding of all applications, down to the workload level. Once the applications are understood, effective policies can be crafted to permit only the desired behavior.
Step one: macro-segmentation
Achieving Zero Trust fits neatly into a five-step approach (see the white paper A Practical Path to Zero Trust in the Data Center), which starts with macro-segmenting the network and culminates in micro-segmenting all critical applications in the data center. Already experienced with macro-segmentation, VMIT was able to skip the first step and fully commit to micro-segmentation as the means to achieving Zero Trust.
Step two: understanding network traffic and apps
VMIT moved to the second step of getting a better understanding of network traffic and application behavior. This is often the most difficult part of a Zero Trust project because with complex applications, it can be difficult to find and understand all the communication patterns. Yet this step is necessary in order to create policies that allow only valid traffic and reject any unwanted communication or behavior. The first applications to go through this second step were “brownfield” applications—those whose behaviors were already somewhat understood. VMIT invested in fully understanding these applications’ communication patterns.
Step three: micro-segmenting
Armed with information about the communication patterns and behavior of the apps, the team moved to the third step of micro-segmenting these applications. This process of iterating between the second and third steps was in full swing by 2017, with VMIT mapping valid traffic flows to micro-segmentation policies based on communication patterns. In this step, policies are thoroughly tested to ensure that they prevent lateral movement into and out of the segment where the applications run, and that they do not interfere with the applications’ availability or performance.
While micro-segmentation of brownfield applications continued at a rapid pace, the team found that the goal of 100 percent Zero Trust continued to be just out of reach because new applications were constantly coming online. VMIT knew that to reach its objective, the team needed to tackle new (greenfield) applications being implemented outside the Zero Trust framework. The team seized the opportunity to micro-segment a replacement application for the aging enterprise resource planning and supply chain (ERP) application. Success with a complex application like this would prove the feasibility of micro-segmenting all applications in the data center.
One of the challenges of choosing such a complex application was that it involved a lengthy testing and development cycle of more than 12 months. However, by this point, there were only three months until the launch date. In addition, multiple teams were involved: Information Security, IT Solutions Engineering, Network Security, and the Application Operations teams. Fortunately, based on the experience gained from micro-segmenting other applications and tight teamwork, the deadline was met.
As with step two, the hardest part is determining the applications’ communications patterns, especially given the large number and variety of traffic flows. VMIT discovered a large number of workloads (approximately 300) between business logic and database components. The communication patterns among all these workloads needed to be fully understood to determine which traffic would be acceptable. Once identified, security policies for valid traffic were created, and thorough testing ensured that availability and performance were not impacted.
Step four: implementing additional threat controls
By 2020 the team was on the fourth step of implementing additional threat control capabilities. Using the VMware NSX® Service-defined Firewall™, the team was able to simply turn on built-in IDS/IPS functionality. This enables VMIT to monitor communication patterns, detect suspicious traffic patterns, optimize security policies, and help ensure compliance. It also provides a single pane of glass for overall security management.
Step five: achieving Zero Trust
VMIT is currently in the fifth step of micro-segmenting all applications and, as such, is well on its way to full Zero Trust in the data center. The successful launch of the ERP application under tight time constraints proved that even the most complex applications can be brought under the Zero Trust umbrella using micro-segmentation. In fact, all new VMware applications must have micro-segmentation policies in place before going live, which gives internal applications a second line of defense based on Zero Trust and implemented using the micro-segmentation capabilities of the NSX Service-defined Firewall.
For the full story of how VMware accelerated the process of moving toward Zero Trust in the data center, read the case study How VMware IT Uses Zero Trust in the Data Center.