Zero Trust as a Foundation: NSA asks Companies not to be so Naive in Cyberspace

Experts remind us that there is an even more reliable method than "trust, but verify".

The US National Security Agency (NSA) has published new guidance on implementing the Zero Trust concept, a security model for protecting corporate networks and data. The document is intended to help commercial and government organizations protect their systems against cyber threats as thoroughly as possible.

The Zero Trust architecture differs fundamentally from the classical approach, in which everything inside the local network is treated as inherently trusted. Instead, it enforces strict access control on every network resource, regardless of where it sits, inside or outside the perimeter. In other words, the system assumes from the outset that a threat is already present and that free movement through the infrastructure must not be allowed.

A full-fledged Zero Trust model is implemented in stages. It is important to work through, one after another, the components (pillars) that could serve as a springboard for an attack. The NSA recommendations focus on strengthening the network and environment pillar, which covers the organization's entire hardware and software infrastructure as well as the protocols by which its parts communicate.

Zero Trust provides layered protection through careful mapping of data flows, macro- and micro-segmentation, and the use of software-defined networking. For each of these areas the guide describes four maturity levels, from a preparation stage to an advanced stage with extensive deployment of network controls, monitoring, and management.

At the first stage, the company needs full visibility of its existing data flows: where data is stored, how it moves, and where it is processed. A high level of maturity implies an exhaustive inventory and the ability to spot any new or atypical route as soon as it appears.

Macro-segmentation limits lateral movement across the network by creating separate segments for each business unit. For example, accounting employees should not have access to HR department resources unless their direct duties require it. This limits how far malware or an intruder can spread.

The next step is micro-segmentation: splitting the network into small partitions with strict access rules between them.

As NSA experts explain, micro-segmentation isolates individual users, applications, or workflows into their own network segments to further reduce the attack surface and contain the damage from a compromise.

Maximum control at the micro-segmentation level is provided by software-defined networking (SDN). It allows traffic routing to be managed centrally, gives greater visibility into network activity, and lets the rules for each segment be configured flexibly.
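To make the data-flow mapping, macro-/micro-segmentation and default-deny ideas above concrete, here is an added example (written for this page, not code from the NSA guidance or any SDN product). It assumes a hypothetical host inventory tagged with a macro segment (business unit) and a micro segment (workload role), an explicit allow-list of permitted micro-segment-to-micro-segment flows with everything else denied, and a baseline of flows recorded during the mapping stage. The flow log lines are constructed for the example. Every decision is returned as data so the logic can be reused or tested; nothing depends on a real network.

```python
"""Toy Zero Trust segmentation auditor (added example; all names and data are hypothetical).

Models three things the text describes:
  * data-flow mapping: a BASELINE of routes observed during the inventory stage,
    so any route outside it is flagged as new/atypical;
  * macro-segmentation: hosts carry a business-unit tag, and a flow that crosses
    business units without an explicit rule is denied as lateral movement;
  * micro-segmentation: the allow-list is keyed on workload roles, not business
    units, so even two hosts in the same unit need an explicit rule to talk.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed inventory: IP -> (macro segment, micro segment).
INVENTORY = {
    "10.1.0.10": ("finance", "accounting-web"),
    "10.1.0.20": ("finance", "accounting-db"),
    "10.2.0.10": ("hr", "hr-web"),
    "10.2.0.20": ("hr", "hr-db"),
    "10.9.0.5": ("it", "jump-host"),
}

# Explicit allow rules on (src micro, dst micro, dst port, proto).
# Anything not listed here is denied (default deny).
ALLOW = {
    ("accounting-web", "accounting-db", 5432, "tcp"),
    ("hr-web", "hr-db", 5432, "tcp"),
    ("jump-host", "accounting-db", 22, "tcp"),
    ("jump-host", "hr-db", 22, "tcp"),
}

# Routes recorded during the data-flow mapping stage (constructed).
BASELINE = {
    ("10.1.0.10", "10.1.0.20", 5432, "tcp"),
    ("10.2.0.10", "10.2.0.20", 5432, "tcp"),
}

# Constructed flow-log lines: "src dst dport proto".
SAMPLE_FLOWS = [
    "10.1.0.10 10.1.0.20 5432 tcp",  # accounting web -> accounting db, expected
    "10.2.0.10 10.1.0.20 5432 tcp",  # HR web reaching into finance: lateral movement
    "10.1.0.10 10.1.0.20 22 tcp",    # same business unit, but SSH is not allowed
    "10.9.0.5 10.2.0.20 22 tcp",     # permitted admin SSH, but never seen in baseline
    "10.5.0.7 10.1.0.20 5432 tcp",   # source host not in inventory at all
]


def parse_flow(line):
    """Parse one constructed 'src dst dport proto' line into a Flow."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def evaluate(flow):
    """Default-deny decision for one flow. Returns (decision, reason)."""
    src = INVENTORY.get(flow.src)
    dst = INVENTORY.get(flow.dst)
    if src is None or dst is None:
        # Zero Trust: an asset we have not inventoried gets no implicit trust.
        return "deny", "unknown host (not in inventory)"
    rule = (src[1], dst[1], flow.dport, flow.proto)
    if rule in ALLOW:
        return "allow", "rule %s" % (rule,)
    if src[0] != dst[0]:
        # Macro-segmentation: crossing a business-unit boundary without a rule.
        return "deny", "cross-segment %s->%s (macro boundary)" % (src[0], dst[0])
    # Micro-segmentation: same unit, but no rule for these two roles/ports.
    return "deny", "no rule within %s for %s->%s:%d" % (src[0], src[1], dst[1], flow.dport)


def audit(lines):
    """Evaluate each log line; also flag routes absent from the mapping baseline.

    Returns a list of (line, decision, reason, is_new_route) tuples.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        decision, reason = evaluate(flow)
        route = (flow.src, flow.dst, flow.dport, flow.proto)
        findings.append((line, decision, reason, route not in BASELINE))
    return findings


if __name__ == "__main__":
    for line, decision, reason, new_route in audit(SAMPLE_FLOWS):
        flag = " [NEW ROUTE]" if new_route else ""
        print("%-32s %-5s %s%s" % (line, decision, reason, flag))
```

Note the fourth sample flow: it is allowed by policy yet still flagged because it was never seen during mapping. Keeping "allowed" and "expected" as separate questions is what lets the mature stage described above notice a new route even when a rule happens to permit it.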

An architecture designed on Zero Trust principles is able to withstand, detect, and respond appropriately to attackers' attempts to exploit vulnerabilities and spread across the network.

These NSA recommendations continue a series of Zero Trust guidance documents. Earlier, the agency published documents describing the general principles of the concept and its implementation for the "user" pillar.