The terms network segmentation and Zero Trust are used more and more, and have become proper buzzwords. We also see an increase in the number of requests ‘to segment the network’. What is actually meant is whether we can help set up a Zero Trust environment. Both terms are valid and certainly have enough to offer in the field of security. Below, I’ll explain what both terms mean and why they are not the same.
Zero Trust is a strategy and a great tool to shape security. It makes a connection between ‘what data (or crown jewels) do I have’ and ‘what policy (such as legislation and regulations) do I want, or should I apply’. This way, creating and implementing a policy becomes more manageable.
The basis of Zero Trust lies in determining the micro segments (formerly MCAPs). Each micro segment is based on a certain type of data, which logically includes an appropriate policy. The policy is not limited to firewall rules, which is often assumed in the context of micro segmentation, but can also describe that data must be stored encrypted or that endpoint protection is required.
As a result, the Zero Trust Risk Map – the description of the segments and the policy, which is often based on the BIV or CIA score – is an abstraction of the actual structure. Zero Trust is not only used in environments where a firewall is available, but is much more versatile. Think, for example, of cloud environments, and in particular SaaS solutions.
Once the Zero Trust Risk Map has been drawn up, an assessment is made of how the implementation should take place. By comparison: we can draw up legislation and regulations, but without enforcement their usefulness is very limited. This is one of the areas where network segmentation plays a role.
Network segmentation is one of the most common ways to implement a Zero Trust Risk Map. But the Risk Map can certainly prescribe more than network controls; a policy can also require, for example, that certain data must explicitly run on certain hardware or that each endpoint within a segment must make use of an endpoint security solution.
In most cases, network segmentation actually divides the network into several network segments, often using VLANs and subnets. The traffic is passed through a next-gen firewall to enforce or maintain the particular policy or part of it. For example, who is allowed to access this data when and with what application? Simply routing the traffic is basically also network segmentation, but adds little or nothing to security.
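To make the distinction between the abstract Risk Map and its enforcement concrete, here is an added example (not code from the original post). It models a constructed Zero Trust Risk Map of three micro segments, each with a CIA score and a required policy, and checks a constructed implementation (VLAN/subnets, next-gen firewall rules, encryption-at-rest and endpoint-security inventories) against it. The segment names, subnets, rule tuples and policy item names are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    name: str
    cia: tuple      # (confidentiality, integrity, availability) score, 1 = low, 3 = high
    requires: set   # policy items this type of data demands


@dataclass
class Implementation:
    subnets: dict          # segment -> subnet whose traffic is routed through the NGFW
    firewall_rules: list   # (dst_segment, identity_group, application) allowed by the NGFW
    encrypted_stores: set  # segments whose storage reports encryption at rest
    edr_coverage: set      # segments where every endpoint runs endpoint security


def is_enforced(item, seg, impl):
    """True if the control that enforces this policy item is actually in place."""
    if item == "firewall":
        # A subnet by itself is only routing; the policy counts as enforced only when
        # the NGFW has an explicit rule stating who may reach the data with which app.
        return seg.name in impl.subnets and any(r[0] == seg.name for r in impl.firewall_rules)
    if item == "encrypt_at_rest":
        return seg.name in impl.encrypted_stores
    if item == "endpoint_protection":
        return seg.name in impl.edr_coverage
    return False  # unknown policy item: never assume it is covered


def assess(risk_map, impl):
    """Map each segment to the policy items the implementation does not enforce."""
    return {seg.name: sorted(i for i in seg.requires if not is_enforced(i, seg, impl))
            for seg in risk_map}


# Constructed Risk Map: three micro segments with a CIA score and the policy each needs.
RISK_MAP = [
    Segment("hr-records", (3, 3, 2), {"firewall", "encrypt_at_rest", "endpoint_protection"}),
    Segment("public-web", (1, 2, 3), {"firewall"}),
    Segment("saas-crm", (3, 2, 2), {"encrypt_at_rest", "endpoint_protection"}),  # SaaS, no subnet
]

# Constructed implementation: a subnet per on-prem segment, one NGFW rule, partial controls.
IMPL = Implementation(
    subnets={"hr-records": "10.10.0.0/24", "public-web": "10.20.0.0/24"},
    firewall_rules=[("hr-records", "hr-staff", "hr-portal")],
    encrypted_stores={"hr-records", "saas-crm"},
    edr_coverage={"hr-records"},
)

if __name__ == "__main__":
    for segment, gaps in assess(RISK_MAP, IMPL).items():
        print(segment, "- policy enforced" if not gaps else "- not enforced: " + ", ".join(gaps))
```

The public-web segment is routed through the firewall but has no rule, so its "firewall" requirement is reported as unenforced, and the SaaS segment shows that part of the map can only be met by controls other than network segmentation.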
Network segmentation can also mean that traffic flows are separated without actually segmenting the network, as is the case with solutions like VMware NSX, Cisco ACI and Nutanix Flow. Here, the implementation is more product-dependent and not based on an open standard.
Zero Trust is a strategy that results in a Zero Trust Risk Map, which determines what data should be protected in what way(s). Next, the Zero Trust Risk Map will have to be implemented, and one of the implementation methods is network segmentation. Network segmentation can therefore give substance to the Zero Trust strategy, but is not Zero Trust in itself.