Global Banking and Finance Review

    Building a Zero Trust network infrastructure in five steps

    Published by Jessica Weisman-Pitts

    Posted on November 16, 2021

    By Laurent Bouchoucha, Jean-Pierre Kellermann and Sébastien Claret, Alcatel-Lucent Enterprise

    Zero Trust is not a new concept. However, the pandemic and the transformation towards a more digital society have highlighted issues that have rarely been studied in business and the public sector before.

    Society has more and more connected devices (IoT), for both personal and professional use. This equipment has been designed to provide a single service, and unfortunately, security is not the device’s priority. The lack of in-built security not only makes these devices vulnerable to attacks, but also creates a potential route into the entire organisation’s network for attackers.

    As companies embark on a digital transformation journey (IoT, BYOD, teleworking, etc.), it is imperative that their network infrastructure is secure. Network segmentation, one of the principles of Zero Trust, makes it possible to prevent attacks. As soon as a compromise on a device is reported, the potential for an attack can be reduced and lateral movements on the network can be limited, so as not to affect other connected systems.

    What is Zero Trust?

    In the field of business computing and enterprise, network segmentation currently has two approaches depending on the existing degree of trust. Historically, the boundary of trust is physical and implicit, so the computer network is protected by a firewall. The corporate network (LAN) is secure at the simplest level: what is inside is protected from the outside. However, this approach has had to evolve as the risk of threat has become greater.

    In the case of Zero Trust, trust is dynamic and adaptable and is no longer assumed even within the network. The guiding principle is that the structure acts as if there are already attackers present in the system. The first step is network access control (NAC) – the identification of objects and the authentication of connected users. Based on these factors, a first level of macro-segmentation is set up, with the use of firewalls, to filter traffic between different classes of objects and users. For example, you could isolate surveillance cameras and building management sensors. Then, based on identification, a second level of filtering, this time within a segment, makes it possible to refine and achieve micro-segmentation. In this second step, the goal is to prevent the surveillance cameras from communicating with each other within the same network segment.

    Why is Zero Trust now so important?

    As an intelligent mix between micro- and macro-segmentation, the Zero Trust approach proposes to build a restricted and mobile security perimeter around each user and object. An organisation can then manage network access controls, define the different authorisations (access by job role), and secure and contain threats, thanks to a strong segmentation of the network, which constantly searches for inappropriate or suspicious behaviour.

    The past 18 months have shown us that cyberattacks are on the rise, and the costs to the company can be vast. In addition, hackers are using increasingly sophisticated and malicious attacks. Because Zero Trust requires the identification and authentication of each device and user before allowing access to the network, it makes it possible to contain, or even avoid, many attacks. This is thanks to network segmentation which greatly restricts the range and spread of an attack.

    Currently, the new network functionalities allow the Zero Trust strategy to be implemented, which proportionately increases the level of defence against the multiplication and sophistication of cyberattacks.

    How to structure a micro-segmented network in five steps?

    While it is relatively easy to build a Zero Trust network from scratch (new premises, new structure, etc.), most companies already have an existing network in place. The challenge is therefore to harmonise approaches and develop the network to meet the needs of the organisation, while securing it from attacks.

    Here is a five-point methodology:

    1- Monitor: identify all equipment, peripherals, connected devices (from the tablet to the Wi-Fi vacuum cleaner for example) and authenticate all the people that have access to the network. An object inventory is created and populated automatically.

    2- Validate: control all the connected devices and invalidate those which are not justified for the activity, as they increase the possibility of attack. This is done by applying the principle of least privilege: granting the minimum permissions required to perform a task. If the existing network shows non-compliant equipment, it will be necessary to implement a restoration or remediation plan.

    3- Plan: know all the users’ equipment, as well as their workflow and the traffic generated to transform this data into a security policy that intelligently combines macro-segmentation (input/output control) and micro-segmentation (fine-grained security rules).

    4- Simulate: apply identification, authentication, and security policy in parallel in “fail open” mode: all equipment will be authorised and network behaviour will be logged and indexed, in order to set up authorisation schemes and an adapted network security policy. This critical step will refine the security policy while ensuring that normal activity is not impacted.

    5- Enforce: in this final phase the “fail open” becomes “fail close”: authentication failures are no longer tolerated, all unreferenced users or devices are refused, and all illegitimate flows are stopped. Network monitoring is immediate, verifying that all devices are identified and that users are authenticated in order to be authorised on the network, or possibly quarantined while security checks take place.
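
    The five steps can be traced in a small policy evaluator. This is an added example, not code from the article or from Alcatel-Lucent Enterprise: the inventory, segment names, rule sets and flow log are all constructed for illustration, and the function names are hypothetical.

```python
from dataclasses import dataclass

SIMULATE, ENFORCE = "simulate", "enforce"  # step 4 "fail open" / step 5 "fail close"

# Step 1 (Monitor): constructed inventory, MAC address -> device class.
INVENTORY = {
    "02:00:00:00:00:01": "camera",
    "02:00:00:00:00:02": "camera",
    "02:00:00:00:00:10": "video-recorder",
    "02:00:00:00:00:20": "bms-sensor",
    "02:00:00:00:00:40": "workstation",
}
# Step 3 (Plan): every device class is placed in one macro-segment.
SEGMENT = {"camera": "video", "video-recorder": "video",
           "bms-sensor": "building", "workstation": "office"}
# Macro-segmentation: (initiating segment, target segment) pairs the firewall permits.
MACRO_ALLOW = {("office", "video")}
# Micro-segmentation: class-to-class flows permitted inside a single segment.
# ("camera", "camera") is absent, so cameras cannot reach each other.
MICRO_ALLOW = {("camera", "video-recorder"), ("video-recorder", "camera")}


@dataclass(frozen=True)
class Decision:
    src: str
    dst: str
    action: str     # "allow", "deny" or "refuse"
    violation: str  # empty when the flow matches the policy


def check(src, dst):
    """Return the policy violation for a flow, or '' if the flow is legitimate."""
    src_cls, dst_cls = INVENTORY.get(src), INVENTORY.get(dst)
    if src_cls is None or dst_cls is None:
        return "unreferenced device"
    src_seg, dst_seg = SEGMENT[src_cls], SEGMENT[dst_cls]
    if src_seg != dst_seg:  # crosses a segment boundary: macro rules apply
        ok = (src_seg, dst_seg) in MACRO_ALLOW
        return "" if ok else f"macro: {src_seg} -> {dst_seg} not allowed"
    ok = (src_cls, dst_cls) in MICRO_ALLOW  # same segment: micro rules apply
    return "" if ok else f"micro: {src_cls} -> {dst_cls} inside {src_seg}"


def decide(src, dst, mode):
    """Apply the policy in simulate (log only) or enforce (block) mode."""
    violation = check(src, dst)
    if not violation or mode == SIMULATE:
        action = "allow"    # fail open: traffic passes, the violation is only recorded
    elif violation == "unreferenced device":
        action = "refuse"   # step 5: unreferenced devices are refused
    else:
        action = "deny"     # step 5: illegitimate flows are stopped
    return Decision(src, dst, action, violation)


def enforcement_impact(flows):
    """Flows that pass during simulation but would be blocked once enforced."""
    return [d for d in (decide(s, t, SIMULATE) for s, t in flows) if d.violation]


# Constructed flow log: (source MAC, destination MAC).
FLOWS = [
    ("02:00:00:00:00:01", "02:00:00:00:00:10"),  # camera -> recorder
    ("02:00:00:00:00:01", "02:00:00:00:00:02"),  # camera -> camera
    ("02:00:00:00:00:40", "02:00:00:00:00:10"),  # workstation -> recorder
    ("02:00:00:00:00:20", "02:00:00:00:00:01"),  # building sensor -> camera
    ("02:00:00:00:00:99", "02:00:00:00:00:10"),  # device not in the inventory
]

if __name__ == "__main__":
    for d in enforcement_impact(FLOWS):
        print(f"would block {d.src} -> {d.dst}: {d.violation}")
```

    Reviewing the output of `enforcement_impact` during the simulate phase shows which flows need either a new rule or remediation before the switch to enforcement.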

    To conclude, on all networks, the Zero Trust approach makes it possible to identify traffic, automatically store objects in an inventory, create scheduled rules for the network, and share user and IoT profiles according to rules. It also makes it possible to determine the central IDS or switches’ DoS attacks and optionally apply quarantine for suspicious flows in a restricted and dynamic perimeter.

    For companies and organisations, it is a question of ensuring all IT hardware, in addition to peripherals, is secure and employees are protected.

    Zero Trust is both an authentication strategy and a consistent security policy across the network infrastructure, implemented in line with the needs of users and connected technologies. The intelligent combination of macro-segmentation and micro-segmentation, with the possible quarantine in case of breach of security rules, ensures the highest degree of security for your network infrastructure. In an increasingly VUCA (Volatile, Uncertain, Complex and Ambiguous) world, the Zero Trust approach is the most likely to guarantee the security of computer networks and business assets.

    About Alcatel-Lucent Enterprise

    Alcatel-Lucent Enterprise delivers the customised technology experiences enterprises need to make everything connect.

    ALE provides digital-age networking, communications and cloud solutions with services tailored to ensure customers’ success, with flexible business models in the cloud, on premises, and hybrid. All solutions have built-in security and limited environmental impact.

    Over 100 years of innovation have made Alcatel-Lucent Enterprise a trusted advisor to more than a million customers all over the world.

    With headquarters in France and 3,400 business partners worldwide, Alcatel-Lucent Enterprise achieves an effective global reach with a local focus.

    al-enterprise.com | LinkedIn | Twitter | Facebook | Instagram

    Laurent Bouchoucha

    Jean-Pierre

    Sébastien Claret
