The role of visibility and analytics in zero trust architectures

Zero trust architecture (ZTA) is not a new concept, but with the White House Executive Order published earlier this year, many in the networking space have started to ask about how network visibility analytics fits into the equation. To answer that, we first need to look at what’s driving this shift.

Section 3 of the EO states that agencies (and organizations working with them) must adopt security best practices, advance toward ZTA, and accelerate movement to secure cloud services SaaS, IaaS and PaaS. It called for government agencies to update existing plans to prioritize resources for the adoption and use of cloud technology, and to develop plans to implement ZTA (using NIST’s migration steps). It also called on the Cybersecurity and Infrastructure Security Agency (CISA) to modernize to be fully functional with cloud-computing environments with ZTA, and for FedRAMP to develop security principles governing cloud service providers for incorporation into agency modernization efforts.

With all the vendor confusion around what is and is not ZTA, I’d like to explore its impact on network visibility (and the requirements).

According to NIST, “zero trust is the term for an evolving set of cybersecurity paradigms that moves defenses from static, network-based perimeters to focus on the users, assets and resources. ZTA uses zero trust principles to plan industrial and enterprise infrastructure and workflows.” The basic NIST tenets of this approach include:

• The entire enterprise private network is not considered an implicit trust zone
• Devices on the network may not be owned or configurable by the enterprise
• No resource is inherently trusted
• Not all enterprise resources are on enterprise-owned infrastructure
• Remote enterprise subjects and assets cannot fully trust their local network connection
• Assets and workflows moving between enterprise and non-enterprise infrastructure should have consistent security policies and postures.

But how is ZTA relevant to network visibility or network performance monitoring (NPM)?

There are three NIST architecture approaches for ZTA that have network visibility implications. The first is using enhanced identity governance, which (for example) means using identity of users to only allow access to specific resources once verified. The second is using micro-segmentation, e.g., when dividing cloud or data center assets or workloads, segmenting that traffic from others to contain but also prevent lateral movement. And finally, using network infrastructure and software defined perimeters, such as zero trust network access (ZTNA) which for example allows remote workers to connect to only specific resources.

NIST also describes monitoring of ZTA deployments. Outlining that network performance monitoring will need security capabilities for visibility. This includes that traffic should be inspected and logged on the network (and analyzed to identify and reach to potential attacks), including asset logs, network traffic and resource access actions.

Furthermore, NIST expresses concern about the inability to access all relevant and encrypted traffic – which may originate from non-enterprise-owned assets (such as contracted services that use the enterprise infrastructure to access the internet) or applications and/or services that are resistant to passive monitoring. Organizations that cannot perform deep packet inspection or examine encrypted traffic must use other methods to assess a possible attacker on the network.

The DoD breaks down ZTA architectures in seven trust pillars: User, Device, Network/Environment, App and Workload, Data, Visibility and Analytics, and Automation and Orchestration. Not surprisingly, NPM is directly relevant to the Visibility and Analytics pillar. Here are four ways that NPM fits into the ZTA architecture:

• NPM can offer contextual details and an understanding of performance, behavior and activity across other pillars including applications and users. For example, monitoring application performance over various portions of the network and/or pointing to security issues like denial of service or compromised network devices. NPM can also provide analysis of user behavior with respect to the traffic patterns of the applications from various user devices.
• NPM improves detection of anomalous behavior and enables stakeholders to make dynamic changes to security policies and real-time access decisions. For example, leveraging network AIOps to look for anomalous behavior within and across sites. If large volume of traffic is indicating some type of data exfiltration, that can be alerted and security policies adjusted. Another example is with micro segmented networks using VXLAN and having visibility of the various virtual networks, including traffic within each VXLAN. This is important to know to understand if proper security policies are working.
• NPM gives situational awareness of environments and triggers alerts for response. For example, in SD-WAN networks, applications can adjust paths taken, which may have performance and security consequences. NPM products that integrate to SD-WAN can alert on those types of conditions. Another example is in cloud networks where monitoring and alerting on rejected traffic can be used to look for suspicious activity and adjust cloud security policies accordingly.
• NPM captures and inspects traffic. It allows IT to investigate specific packets, accurately discover traffic on the network, and observe threats that are present to orient defenses. For example, using encrypted traffic analysis (ETA), packet analytics can be used to continuously monitor traffic for suspicious behavior and correlate that with threat indicators to narrow down high impact incidents in real time. This is becoming more important as much of the traffic is becoming encrypted and having visibility into that traffic is key for enterprise and cloud environments.

As organizations look to align with ZTA, visibility plays an important role in meeting new requirements.