Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading.

Last week Forrester Research began promoting a new term, “Zero Trust,” to define its new security model. The new model’s underlying principle is “trust no one.” In other words, you cannot trust the servers and the workstations inside your network any more than you could trust external third parties.

Given the nature of the changes we’ve seen during the last 3 to 5 years in technology and the threat landscape, we agree. We have seen a huge increase in what we call “inside-out” attacks where insiders are lured to malware-laden web pages on, for example, Facebook, Twitter, YouTube, and even the New York Times. The malware gets downloaded to the unsuspecting person’s workstation along with the normal content on the web page. From there, the malware steals the person’s credentials to access bank accounts, internal intellectual property, customer records, or whatever the attackers can readily convert to cash. This type of malware is not the traditional single-purpose virus or worm. Rather it’s an agent controlled by remote servers that can modify its functions. These “bots” have gone undetected for days, weeks, months, even years.

From a security perspective, this type of attack looks very similar to a malicious insider, and information security must protect against it along with the traditional “outside-in” attack method.

From my perspective, Forrester’s Zero Trust model and Cymbel’s next-generation defense in-depth architecture are the same when it comes to network security. Our Approach, based on the SANS 20 Critical Security Controls for Effective Cyber Defense, is broader.

However, there is one area where I disagree somewhat with John Kindervag, the Forrester analyst discussing the Zero Trust model, who is reported to have said:

It’s like a UTM [unified threat management] tool or firewall on steroids,” he says. It does firewall, IPS, data leakage protection, content filtering, and encryption with a 10-gigabit interface that separates the switching fabrics for each function.

Gee, how did he leave out packet shaping? I have no doubt that there are vendors attempting to do all these functions in a single appliance, but it reminds me of Network Access Control in 2007. NAC was going to subsume all manner of security functions in a single appliance. The complexity was overwhelming. Furthermore, most organizations really don’t want all that functionality in one box. There is still the need for a defense-in-depth architecture, in our opinion.

Some level of function consolidation is surely reasonable and advantageous to organizations with limited resources, i.e. everyone!! However the expertise needed to develop and advance all of these different functions is virtually impossible to assemble in one company. For example, full packet capture is really about innovative data storage and retrieval. High performance, stream-based, application level, firewall/IPS is about innovative deep-packet inspection combined with clever hardware design. And data loss prevention requires proxies and semantics-based data classification algorithms.

While I am surely not saying that we can achieve nirvana now, the components of Cymbel’s next-generation defense-in-depth architecture can provide major improvements in network security today:

  • Next-Generation Firewall with application- and user-level, internal network segmentation, integrated intrusion prevention, and bandwidth management – Palo Alto Networks
  • 0-day threat and botnet command & control communications prevention – FireEye
  • Cloud-based web and email security – Zscaler
  • Device/software discovery and configuration change detection – Insightix, AccelOps
  • High Performance Full Packet Capture – Solera Networks
  • Layer 2, 3, 4 encryption – Certes Networks
  • User-based, behavioral anomaly detection using net flows and logs plus high-performance event correlation – Lancope

I look forward to learning more about Forrester’s Zero Trust model and working with partners who recognize the new landscape and respond with creative solutions for our clients.



“It’s like a UTM [unified threat management] tool or firewall on steroids,” he says. It does firewall, IPS, data leakage protection, content filtering, and encryption with a 10-gigabit interface that separates the switching fabrics for each function

MPLS WAN Encryption – It’s time

Is MPLS secure? All the MPLS vendors use the term VPN (Virtual Private Network), implying some level of security. But in reality, MPLS is not encrypted and therefore subject to snooping. But of course, you have no way of knowing one way or the other.

Mike Fratto at Network Computing wrote a nice piece a couple of months ago explaining the situation.

If you talk to the WAN services folks at a carrier, their definition of a VPN will be an overlay network that is carried by another network over shared infrastructure. By the carrier’s definition, a telephone call over a PSTN is a VPN. The carrier definition is very different than the other definition of a VPN as an authenticated and encrypted layer 3 tunnel between two nodes, with one node being a network. The former definition assumes that the carriers employees are trustworthy. The latter definition doesn’t care if they are or aren’t.

In addition, compliance regimes like MA 201 CMR 17 and HIPAA are mandating WAN encryption.

To encrypt MPLS traffic and really all wide area network encryption, we recommend CipherOptics.

Enhanced by Zemanta