{"id":2076,"date":"2012-02-21T05:49:30","date_gmt":"2012-02-21T13:49:30","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=2076"},"modified":"2022-04-05T00:50:44","modified_gmt":"2022-04-05T07:50:44","slug":"a-qa-on-zero-trust","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2012\/02\/a-qa-on-zero-trust\/","title":{"rendered":"A QA on Zero Trust"},"content":{"rendered":"<p>I mentioned in my last blog that we\u2019re kicking off a <strong><a title=\"Data Center Summit\" href=\"https:\/\/www.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Data Center Summit<\/a><\/strong> starting in Dallas, Texas today. One of the special guests at our seminar will be John Kindervag from Forrester Research, presenting on the Zero Trust Model. If you haven\u2019t yet heard of Zero Trust, check out the video <a title=\"Zero Trust Video\" href=\"http:\/\/www.paloaltonetworks.com\/literature\/video\/forrester-kindervag.php\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>With the current state of security attacks on organizations, this new security model, called \u201cZero Trust,\u201d recommends that enterprises take a new architectural approach to securing their networks. Kindervag\u2019s model recommends trusting no one (not even internal users), ensuring secure access to all resources, and inspecting and logging all traffic, among other things. He also introduces what he calls a network segmentation gateway, or a \u201cfirewall on steroids,\u201d that does firewall, IPS, content filtering and encryption without a performance impact.<\/p>\n<p>A lot has been written about the Zero Trust model, but we wanted to drill down on its actual implementation, in particular in the data center. We spoke with John Kindervag, security analyst at Forrester, to get his perspective:<\/p>\n<p><!--more--><\/p>\n<p><strong>Question: What\u2019s with the state of attacks recently? 
Zappos, Justice Department? Are attackers just getting better at finding holes in networks, or are enterprises just not thinking of security in the right manner?<\/strong><\/p>\n<p><strong>Kindervag:<\/strong> <em>I doubt that much has changed other than public awareness of these breaches. The fact that the SEC requires disclosure means that most companies will have to at least acknowledge breaches. Look at Verisign. They weren\u2019t exactly forthcoming about their recently reported breaches. The SEC forced their hand. Compliance mandates such as that from the SEC or the PCI Security Standards council have gone a long way to increasing public \u2013 and corporate executive \u2013 awareness of these breaches.<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"alignleft size-full wp-image-2085 lozad\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2012\/02\/fingerprint.jpg\" alt=\"\" width=\"259\" height=\"194\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2012\/02\/fingerprint.jpg 259w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2012\/02\/fingerprint-230x172.jpg 230w\" sizes=\"auto, (max-width: 259px) 100vw, 259px\" \/><\/p>\n<p><em>Having said that, I do believe that the gap between the attackers and the enterprise is getting wider. Attackers are mutating their attacks in near-real time. Enterprises are trying to secure old, clunky network designs. One global CIO told me \u201cIt\u2019s just not fair.\u201d That\u2019s true. Enterprises continue to be encumbered by old designs, broken processes and apathy about security at the highest levels of the organization. Those things must change before we stand a chance in fighting off these attacks.<\/em><\/p>\n<p><strong>Question: How does the Zero Trust Model apply to a data center environment? 
<\/strong><\/p>\n<p><strong>Kindervag<\/strong>: <em>Zero Trust is data centric, which is precisely why it applies to the data center. It mandates building the network from the inside out. This means the controls start at the data itself and then we figure out the transport later. Too many companies are focused on the transport \u2013 the network \u2013 or the place \u2013 the physical data center \u2013 when they should be focused on the data. That\u2019s what attackers are trying to steal.<\/em><\/p>\n<p><strong>Question: You discuss the importance of segmentation in Zero Trust. This is important to limit the scope of compliance or limit the scope of vulnerabilities. What\u2019s the best practice you recommend for segmentation \u2013 VLANs, physical segmentation, zones?<\/strong><\/p>\n<p><strong>Kindervag:<\/strong> <em>Modern networks must be segmented. Flat networks are too easy to compromise. Throw in the reality that many compliance initiatives can only be effectively met through segmented networks and you have a convergence of outside pressure that will force network designers to adopt segmented networks. That\u2019s why it\u2019s important to understand what equals segmentation.<\/em><\/p>\n<p><em>Segmentation must enforce separation of traffic. VLANs just don\u2019t do that. They were never designed for security and as a result are inherently insecure. If we want to mitigate the ability of attackers to own our entire network, it must be segmented by a control that does the segmentation that can be enforced by affecting traffic that tries to bypass segmentation controls. The controls must be at Layer 3 or above. 
In the real world, segmentation is done with firewall technology of some type, which is why Zero Trust relies on Uber-Firewalls we call Segmentation Gateways.<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"alignright size-medium wp-image-2083 lozad\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2012\/02\/secure1-230x280.jpg\" alt=\"\" width=\"230\" height=\"280\" srcset=\"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2012\/02\/secure1-230x280.jpg 230w, https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2012\/02\/secure1.jpg 480w\" sizes=\"auto, (max-width: 230px) 100vw, 230px\" \/><\/p>\n<p><strong>Question: How can customers start implementing Zero Trust in their data center, in particular when they are considering new designs like virtualization or Ethernet fabric architectures?<\/strong><\/p>\n<p><strong>Kindervag:<\/strong> <em>Zero Trust allows you to securely evolve your network and securely adopt new technologies. Zero Trust as a model and a concept translates to any environment, and Zero Trust as a design methodology helps secure virtualization by default. It creates virtualization-friendly Layer 2 segments that make deploying virtualization easy. Plus, fabric architectures fit well with Zero Trust. Fabric architectures have given very little thought to security and Zero Trust gives fabric technologies a path towards security.<\/em><\/p>\n<p>Thank you, John, for a great explanation of how Zero Trust applies in the data center. At our data center summit, we\u2019ll be talking about this in-depth. In particular, the afternoon technical segment goes into detail on how customers are implementing network security in the data center. We\u2019ll also describe how you segment servers appropriately as advocated by Zero Trust, where traffic in and out of a segment is only allowed via the Palo Alto Networks next-generation firewall. 
Calling all you fellow data center security geeks out there....I hope to see you at one of our <strong><a title=\"Data Center Summit\" href=\"https:\/\/www.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Data Center Summit venues<\/a><\/strong>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I mentioned in my last blog that we\u2019re kicking off a Data Center Summit starting in Dallas, Texas today. One of the special guests at our seminar will be John Kindervag from &hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[75],"tags":[12,72,79,80,73],"coauthors":[771],"class_list":["post-2076","post","type-post","status-publish","format-standard","hentry","category-data-center-2","tag-data-center","tag-data-center-summit","tag-ethernet-fabric","tag-network-segmentation","tag-zero-trust"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2076","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=2076"}],"version-history":[{"count":31,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2076\/revisions"}],"predecessor-version":[{"id":2187,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2076\/revisions\/2187"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=2076"}],"wp:term":[{"t
axonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=2076"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=2076"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=2076"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}