Zero Trust Networks: Best Practices To “Divide and Rule” Your Network

By Dana Katz, Product Marketing Manager

Zero Trust security is no longer just a concept. It has become an essential security strategy that helps organizations protect their valuable data in a “perimeter-everywhere” world. Implementing Zero Trust Networks, the key principle of the Zero Trust security model, is crucial in preventing malicious lateral movement within the network.

In this blog post, we will share the best practices and technologies enabling the practical implementation of Zero Trust Networks.

Today, 34% of cyber-attacks are perpetrated by insiders [1], making it clear that legacy security infrastructures, characterized by flat networks, are dangerously ineffective. Using stolen credentials and compromised devices, attackers have managed to gain privileged access, move laterally within enterprise networks, and steal valuable data for months without being detected. As evidence, 1.76 billion records were leaked in January 2019 alone [2].

Zero Trust Networks To The Rescue

Zero Trust Networks is about having the ability to “Divide and Rule” your network in order to reduce the risk of lateral movement. The key idea is to segment the network by placing multiple inspection points within it to block malicious or unauthorized lateral movement, so that in the event of a breach the threat is easily contained and isolated.

The best practice is to create very granular segmentation by defining a “least privilege” access control strategy, where a user or system can gain access only to the resources it is meant to use. For example, access to source code should be granted only to R&D team members. This way only the absolute minimum, legitimate traffic between segments is allowed, while everything else is automatically denied.

Read more on our Ultimate Guide to Zero Trust Security.

Figure 1: Zero Trust Networks Best Practices

Best Practices To Zero Trust Networks

  • Identify the data and assets that are valuable to the organization, e.g. the customer database, source code, smart building management systems, etc.
  • Classify the sensitivity level of each asset, for example ‘highly restricted’ (the customer database), ‘restricted’ (the HR portal, which is open to all employees) and ‘public’ (the corporate website).
  • Map data flows among all entities across your network, including:
    1. North-bound traffic, such as sales teams accessing the network via managed devices, from the corporate network only.
    2. East-West traffic, such as from a frontend web portal to backend servers.
    3. South-bound traffic, such as from the website backend server to Google Analytics via the internet.
  • Group assets with similar functionality and sensitivity levels into the same micro-segment, for example all internal R&D assets, such as the source code repository and the ticket management system.
  • Deploy a segmentation gateway, whether virtual or physical, to achieve control over each segment.
  • Define a “least privilege” access policy to each of these assets, for example, allowing each R&D group to access only their own team’s source code.

Tip: Find the right balance between the granularity of the segmentation and the number of perimeters or micro-segments that can effectively and efficiently be managed.
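To make the six steps concrete, here is a small policy model written for this post (an added example, not Check Point product code or API): assets are classified and grouped into segments, every flow is denied unless an explicit rule allows it, and rules can require identity and device context. All asset names, segments, ports and flows are constructed sample data.

```python
from dataclasses import dataclass
# Steps 1, 2 and 4: classified inventory mapped to micro-segments (constructed sample data)
ASSETS = {
    "customer-db":      ("highly restricted", "data"),
    "source-code":      ("restricted",        "rnd"),
    "ticket-system":    ("restricted",        "rnd"),
    "hr-portal":        ("restricted",        "corp"),
    "web-frontend":     ("public",            "dmz"),
    "web-backend":      ("restricted",        "app"),
    "google-analytics": ("public",            "internet"),
}
@dataclass(frozen=True)
class Rule:
    src: str                    # source segment, or "user:<group>" for identity-based access
    dst: str                    # destination segment
    port: int
    managed_only: bool = False  # device context: only from managed devices
# Step 6: the explicit allow list; every flow not matched here is denied by default
RULES = [
    Rule("user:rnd", "rnd", 22, managed_only=True),      # R&D members to R&D assets over SSH
    Rule("dmz", "app", 8443),                            # east-west: frontend -> backend
    Rule("app", "internet", 443),                        # south-bound: backend -> analytics
    Rule("user:sales", "corp", 443, managed_only=True),  # north-bound: sales on managed devices
]
def segment_of(src):
    """Map an asset name to its micro-segment; identity sources pass through unchanged."""
    return src if src.startswith("user:") else ASSETS[src][1]

def is_allowed(src, dst_asset, port, managed=True):
    """Least-privilege check: allowed only when an explicit rule matches, otherwise denied."""
    src_seg, dst_seg = segment_of(src), ASSETS[dst_asset][1]
    for r in RULES:
        if (r.src, r.dst, r.port) == (src_seg, dst_seg, port):
            return managed or not r.managed_only
    return False

def audit(flows):
    """Run mapped flows (step 3) through the policy and return those it would block."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed sample of mapped flows: (source, destination asset, port, managed device?)
OBSERVED_FLOWS = [
    ("user:rnd", "source-code", 22, True),
    ("user:rnd", "source-code", 22, False),       # unmanaged device: blocked
    ("user:sales", "source-code", 22, True),      # wrong group, no rule: blocked
    ("web-frontend", "web-backend", 8443, True),
    ("web-frontend", "customer-db", 5432, True),  # frontend straight into the data segment: blocked
    ("web-backend", "google-analytics", 443, True),
]
```

Running `audit(OBSERVED_FLOWS)` on the sample returns the three flows marked "blocked"; in practice the audit output is what tells you where the mapped flows and the intended policy disagree before the gateway enforces it.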

Read our Ultimate Guide to Zero Trust Security for more best practices.

Adopt Zero Trust Networks With Check Point Security Gateways

Check Point Security Gateways enable you to micro-segment the network across your entire IT infrastructure, including private/public cloud and corporate network environments. They also enable you to apply a unified policy for users, devices, applications, and zones.

Integration with Check Point Identity Awareness and Application Control enables you to set and enforce a granular policy that is context- and identity-aware, and to achieve “least privilege” access control. For example, you can limit access to specific users on specific devices, during specific times, and in certain geolocations. You can limit the usage of applications and of features within them, and limit access to specific elements of data, e.g. credit card numbers, source code, or Social Security numbers.

With full control of all east-west traffic at the application level, these security gateways accurately inspect and block unauthorized traffic between segments, while allowing only the absolute minimum, legitimate traffic.

Figure 2: Security Gateways for Zero Trust Networks

Take a few moments to watch this video to learn how Check Point Infinity, our consolidated security architecture, lets you fully and successfully implement all of the principles of the Zero Trust security model.

Click here to learn about Absolute Zero Trust by Check Point Infinity.

[1] Verizon DBIR 2019

[2] List of data breaches and cyber attacks in January 2019, IT Governance