What is Zero Trust Networking?
Zero Trust is a security model first introduced by Forrester Research in 2010 that flips previously held thinking by not trusting anything person or system inside and outside of the corporate network (perimeter), to verify before establishing trust, and to grant the minimal access needed to complete its function. Zero Trust was born from the belief that the fundamental problem is too much open access and connections. Add to that the changing definition of “corporate network perimeter” with public cloud infrastructure, SaaS, personal devices for corporate use, and microservices architecture which change the surface area for risk.
Traditional security practices focused on securing the perimeter, known as castle-and-moat, to keep the threats outside of the corporate network and prevent their ability to gain access. Even with a secure perimeter, internal systems and data are compromised if a malicious actor gains access or an internal system has a CVE that takes down other systems.
The fundamentals of the Zero Trust model include the elimination of trust by default, enabling least-privileged access, microsegmentation of networks, and analytics for risk management. Elimination of trust by default and least-privilege go hand in hand to verify the identity of the person or system before granting access to a network or system and granting the minimal amount of access necessary. Network segmentation breaks up security perimeters into a smaller collection of networks without overlapping or minimal overlaps to limit cascading issues if one network is breached or compromised. Visibility is critical to monitor ongoing network traffic, auditing, and to inspect for any anomalous activity.
Zero Trust for Microservices
Microservices architecture is dynamic, ephemeral, distributed, and breaks existing security paradigms and tooling. Additionally, because microservices are a collection of loosely coupled services the network between them is critical for a properly functioning application. The application level network has three distinct traffic patterns including Ingress (external client to the application), In cluster (service-to-service), and Egress (application to external client) are areas to apply zero trust.
Leveraging Envoy Proxy at the edge and in service mesh provide a highly performant and extensible data plane that can be configured and monitored through control planes at the single and multi-cluster level. Establish secure connections between individuals and digital assets with optional encryption of the most sensitive traffic with smaller networks of microservices with minimal overlap.
Microservices architecture is dynamic and breaks traditional security processes and tooling.
- Changing definition of corporate perimeter challenges security model
- Existing security tools designed for static, long lived environments
- Mix of private and public cloud infrastructure and software assets
- Access required by internal employees, customers, partners, and other systems
- Multiple points of entry and exit across applications in hybrid cloud
Modern API Infrastructure provides application level control over network behavior to implement zero trust.
- Security configurations are defined at the API level of each service
- Enforce the perimeter with WAF to filter out malicious traffic from entering the environment
- Define granular Auth policies to identify before granting access to specific services
- Apply rate limits at the Ingress and Service Mesh level to protect services
- Protect sensitive traffic with TLS/mTLS encryption
- Observability in Prometheus, Grafana, or a dashboard of your choice