Intent-Based Segmentation: Beyond Zero Trust

This blog is a summary of the article, “Zero Trust is Not Enough: The Case for Intent-Based Segmentation,” written by Fortinet’s Jonathan Nguyen-Duy, and published on the Network Computing website on March 22, 2019.

Networks designed with implicit trust, even if small, simplifies allowing data and applications to move around inside the perimeter. It’s also one of the reasons why network breaches can remain undetected for so long, malicious insiders are able to steal so much data, and unintentional errors can cause so much damage.

Even minimal implicit trust in a network needs to be replaced with a Zero Trust model that mandates a “never trust, always verify, and enforce least privilege” approach to access, from both outside and inside the network. 

It starts with the premise that traffic inside the perimeter should not be more trusted any more than outside traffic. Instead, all traffic should be inspected and logged, and all requests for network access should be verified, authenticated and validated on a need-to-know basis.

The Limits of Zero Trust

While Zero Trust is gaining in popularity, there are also a number of limitations to such a model. These include:

• If you restrict access too tightly or take too long to verify an access request, you create bottlenecks that can cripple your network.
• Zero Trust doesn’t address issues such as DDoS attacks, human error, poorly patched or misconfigured devices, and even a number of common network issues. 
• Perimeter-based security devices can be quickly overwhelmed by network traffic that is not constrained by regulated perimeter connection speeds.
• Inspecting encrypted traffic is exceptionally CPU-intensive, and will force most traditional NGFW solutions to their knees.
• Point defense products, designed to protect a specific spot on the perimeter, can impose limitations on the network’s ability to quickly adapt to changing requirements and shifting resources.
• VLANs—historically used to segment traffic—rarely have adequate security, and most are unable to seamlessly span distributed network environments.  

The Need for Dynamic Segmentation

A better approach is to identify, track, and isolate devices, applications, and workflows based on business and security requirements. This has two components:

Network Access Control can identify and keep track of any device connecting to the network, determine its role and privilege, and limit it to a specific role within the network.

Internal Segmentation Firewalls (ISFWs) provide the scalability, span of control, and performance that traditional NGFW solutions and VLANs simply can’t. Administrators can: 

• Dynamically segment the network
• Assign devices to those segments at the moment of access
• Restrict applications and workflows to physical or virtual locations, groups, or devices
• Assign levels of security inspection
• Permit cross-segment movement based on policy

Intelligent, Intent-based Segmentation

However, even these solutions rarely move fast enough to accommodate digital transformation requirements.

New Intent-based Segmentation, however, can interpret business and security requirements, automatically convert them into a specific segmentation policy that spans the distributed network to protect and isolate workflows and application along their entire transactional path, and do so at digital speeds.

In addition to interpreting business intent on the front end, Intent-based Segmentation also relies on an integrated security framework that enables different tools deployed in different segments of the network to see and interact with each other.  This allows them to detect and respond to threats occurring anywhere across the distributed environment, and dynamically adapt the policies governing a network segment. By combining traditional segmentation and Zero Trust principles, Intent-based Segmentation offers a holistic, integrated security architecture that can adapt to changing requirements, detect and mitigate advanced threats, as well as grant variable access on need-to -know basis.

                                                                                                                                                                          —Jonathan Nguyen-Duy, March 22, 2019

Conclusion

The paradox of today’s networks is that while applications, and workflows need to move freely across a distributed network, open environments allow attackers to also easily move across that network to cause damage. Intent-based Segmentation solves that problem by enabling the flexibility and adaptability that today's networks require, without compromising on security or performance.

This blog is a summary of the article, “Zero Trust is Not Enough: The Case for Intent-Based Segmentation,” written by Fortinet’s Jonathan Nguyen-Duy, and published on the Network Computing website on March 22, 2019.

Discover more about the business benefits of deploying Intent-based Segmentation including improving security posture, reducing risks, achieving compliance, and more.

Read more about the Fortinet Security Fabric and how Fortinet is delivering solutions for the Third Generation of Network Security.