by VMware Senior Security Strategist Craig Savage
The traditional ‘castle and moat’ approach to enterprise security worked effectively when various aspects of the corporate ecosystem were siloed. But with the proliferation of cloud-based products and services, suddenly one bad actor could breach a single security barrier and gain access to the whole system.
This dire reality is why VMware IT instituted a unified and built-in defense approach known as the Zero Trust model. This fundamentally different business approach makes security inherent across strategic control points that touch networks, clouds, endpoints, workloads, and user identity. At its heart is a mandate that protects resources—not network segments—by ensuring highly granular access control.
Key pillars of the Zero Trust model
Even lack of trust had major challenges
Three major obstacles stood in the way of successful Zero Trust implementation—too little context, too many silos, and too distributed infrastructure.
Too little context refers to the inability to secure what you do not understand. Each enterprise component (infrastructure, applications, data, network, etc.) is constantly under threat, yet the risks and defense mechanisms for each are very different.
Security is really a team sport at its core, and companies simply cannot succeed with a siloed defense—especially when there are too many silos. What this means in practice is that security cannot be the sole domain of security teams. Every stakeholder—from identity and network teams to the ultimate end users (by adhering to protocols)—all need to work together to ensure security is operationalized. And that includes agreeing upon a standardized single source of truth (SSOT) for every tool employed.
The cloud, remote workers, and other factors have made the enterprise too distributed in nature, making comprehensive security a mission-critical challenge. It is very difficult to defend a distributed attack when your main line of defense involves individualized point tools and choke points.
Seven steps in the right direction
After extensive research, VMware IT developed seven key steps to mitigate Zero Trust obstacles and successfully implement true enterprise-wide security in the cloud era.
- Micro-segment and closely monitor core network services (CNS), ultimately scaling out to include ancillary services. Control access to intellectual property by micro-segmenting at a network level via solutions like VMware NSX®. This also allows for legacy environment support where there are no modern controls. Finally, cloud connections must be secure, including bidirectional flow and authentication.
- All manageable endpoints must be managed—unmanaged devices must be denied access to core services. This involves applying intrinsic security to inbound data (our team employs VMware Carbon Black™), outbound data (data lifecycle protection, information-rights management), and onboarding (certificate-based authentication, multi-factor tokens, and our use of VMware Workspace ONE® Intelligent Hub).
- Office networks must be Wi-Fi by default. This ensures high transfer speeds, elimination of laptop dongle issues, and removal of Network Access Control (NAC) admin overhead.
- Implement internet-only access by removing ‘default-trusted’ end-user-accessible networks, enabling peer-to-peer connectivity, and placing user endpoints off the main network.
- Deploy stricter VPN and network policies, including an increased use of identity-defined access and a ‘downgrade’ of VPN usage (default will be ‘off’). Users in high-risk countries will still realize full-tunnel VPN security.
- Deliver blast chambers for developer and support teams, including manageable, segmented network pod architecture and simplified issue isolation.
- Convert admin-level access for non-API-level activities to virtual desktop infrastructure (VDI) sessions only. Any command-line interface (CLI)- or UI-level admin tasks are done via the VDI jump box. These now-stateless desktops substantially mitigate risk versus legacy systems.
To learn more, check out the Trusting Zero Trust webinar, available on-demand.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or email@example.com to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.