Identity-based microsegmentation has rapidly become accepted as a best practice for cloud security and enabling zero trust. In Gartner’s April 2020 report, Market Guide for Cloud Workload Protection Platforms (Gartner subscription required), analysts Neil MacDonald and Tom Croll write:
“Some vendors focus exclusively on microsegmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero trust network segmentation) of east/west traffic in data centers.”
Additionally, identity-based segmentation and network visibility is identified as a foundational control on Gartner’s Risk-Based Hierarchy of Workload Protection Controls.
When platforms claim to build zero trust policies using identity, it is critical to ensure they are not just slapping a label on firewall-based policies, which carry all the same security risks as a legacy solution that builds policies based on network addresses.
Identity is the key to effective zero trust policies. Most microsegmentation and zero trust solutions are based on firewalls, which rely on network addresses. That’s a problematic approach for many reasons. First, networks change constantly, which means policies tied to the network need to be continually updated as applications and devices move. That’s difficult enough to do in a data center, but it’s effectively impossible in the cloud and other autoscaling environments where IP addresses are ephemeral.
The even bigger problem with using network address-based approaches for segmentation is that these tools cannot identify *what* is communicating (i.e., the identity of the software that is communicating); they can only tell you *how* it is communicating (e.g., from what IP address, port, or protocol). It’s as if the FBI intercepted a conversation between two suspected spies, and as soon as they verify that their suspects are speaking in English (i.e., protocol) over a domestic cellular network (e.g., the devices), the agents assume that these communications are completely innocent without at all considering the identities of the spies. That’s almost exactly what network-based security systems do. They only look at the protocol and the network address. So long as they are deemed “safe,” communications are allowed, even though IT has no idea exactly what is trying to communicate.
Another benefit to an identity-based approach is that it greatly simplifies policy management for microsegmentation—you can protect a segment with as few as seven identity-based policies vs. hundreds of address-based rules. To illustrate, let’s take a typical environment with 15 billion network events. If we “uniquify” these and eliminate redundant events, that number will drop down to one to two million unique network events. But we can go further—let’s de-duplicate those one to two million events based on similar apps (i.e., using identity) with similar interactions. Now we drop down to 267,000, but we’re not done. Let’s use machine learning (ML) to reduce it further via similarity scoring. That brings us to 40,000 unique interactions, which can be codified into fewer than 100 identity-based policies for the entire environment vs. tens of thousands of address-based rules.
When you look at interactions on a network, you’ll see a lot of randomness—this address to that address over this port—which appears to be a massive, unwieldy, and complicated mess of interactions. You could never achieve a microsegmentation outcome just by looking at it. But by using ML and identity, IT can compress it all down to a very small set of manageable policies. Using identity makes microsegmentation a solvable problem.
Zscaler Workload Segmentation begins by mapping the application communication topology using ML, a process that takes about 72 hours (a huge improvement over the months it takes to perform manually). Once complete, we can measure the total network paths available and the application paths that are actually required by the business applications. Typically, only a fraction of pathways is required. We can eliminate all unnecessary communications paths to reduce the attack surface—typically, our ML algorithm can shrink the number of paths by about 90 percent, while ensuring full coverage of the environment.
To enable identity-based microsegmentation, each device and software asset is assigned an immutable, unique identity based on dozens of properties of the asset itself, such as a SHA-256 hash of a binary or the UUID of the BIOS. Identities extend down to the subprocess level, so we can uniquely identify even individual Java JAR and Python scripts. Identity creation and management is fully automated to simplify operations.
Zscaler verifies the identities of communicating software in real time. This zero trust approach prevents unapproved and malicious software from communicating. Piggybacking attacks using approved firewall rules become a thing of the past. Identity is the secret to achieving simpler operations and delivering stronger protection compared to traditional network security controls.
Because the identities of communicating software are so specific, Zscaler simplifies the number of policies required to protect a segment. As noted above, our platform builds no more than seven policies for each segment that establish exactly which applications and devices can communicate with one another. And because segmentation policies are built using software identity, even if the underlying network changes, policies don’t break. If the system can’t verify the unique identity of what’s trying to communicate, no communication occurs.
With Zscaler Workload Segmentation, creating segments and the associated policies takes just seconds with a single click.
Peter Smith is the Zscaler VP of Secure Workload Communication