
ZTNA: Paving the Way for the Next Era in Enterprise Security

Image Credit: Alcatel-Lucent Enterprise

The Fast Mode spoke to Vincent Lomba, Chief Technical Security Officer at Alcatel-Lucent Enterprise on the impact of traffic visibility on ZTNA networks. Vincent joins us in a series of discussions with leading cybersecurity and networking vendors, assessing the evolution of ZTNA technologies, the roadmap for ZTNA deployments, the benefits of ZTNA for enterprise and telco networks, and the need for real-time traffic visibility technologies such as DPI for ZTNA.

Ariana: How well are zero-trust principles espoused by today’s networks?

Vincent: Being zero trust needs to encompass all elements of the network, including the users, from enterprises to academic institutions and beyond. This means that one can pretend to be really zero trust if, and only if, all authorised connected devices, all services using it, and all users (human, or m2m) have been identified and associated with a dedicated set of privileges, path traversal, bandwidth limitation, type and number of open ports and sessions, etc.

The “by default” exists but only to qualify a device, account, or service. Depending on the size and complexity, it can be very complicated to envisage such a holistic approach. The only way to accomplish this is to design the network to support it deep into its associated equipment (access, routing…). The management of rights must also be centralised to ensure full consistency.

The bigger the network, the less a full zero trust principle is consistently applied, mostly because some sites or services prefer to use their own onboarding rules or equipment’s brand, and are reluctant to rely on a central organisation to get access to services. So we could estimate that for large, widespread, and scarce networks, zero trust is likely to be partial.

Ariana: Why is ZTNA the future of enterprise security?

Vincent: There are many reasons that make ZTNA one of the cornerstones of enterprise security:

Firstly, it relies on best practices and even recommendations from security agencies to adopt some key principles:

  • Network segregation: by creating dedicated VLANs, it is possible to define a specific, highly controlled VLAN that unknown and potentially unsecure devices can connect to while having no further access rights.
  • RBAC (Role-Based Access Control): In ZTNA, the “by default” role applies to any unknown device, service, or user. The default is to allow nothing other than a connection to the VLAN dedicated to “unknown”.
  • Least Privilege: by minimising, for each VLAN, the possibilities. For example, avoiding any surveillance cameras connecting to the public internet, restricting only dedicated ports, minimising the number of connections per time unit, and limiting bandwidth to pre-defined values decrease the possibility of an attack from “potentially unsecured” devices.

Secondly, it allows for seamless network access and security management. Instead of having to deal with each and every service or device, applying RBAC and deploying the same rules across the entire network simplifies a lot of the daily operations. On the other hand, onboarding new equipment can be done by simply detecting an unknown device and managing it in a semi-automated way (e.g. working by profiles to onboard a surveillance camera, by service requested and not by MAC address or brand).

Lastly, it becomes easier to contain an attack. For example, if suspicious activity is detected, disabling all privileges and disallowing further trust of the VLAN where suspected behavior has been identified allows the rest of the services and equipment to continue to operate.
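The default-deny, profile-based model described in the answer above (an "unknown" role that may only attach to a quarantine VLAN, per-VLAN least-privilege limits on ports, internet reach, session rate and bandwidth, and containment of a VLAN where suspicious behaviour is seen) as an added Python example. It is not code from the interview or from Alcatel-Lucent Enterprise; the role table, VLAN numbers and limits are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    vlan: int                 # VLAN the device is placed in
    allowed_ports: frozenset  # destination ports this role may open
    internet: bool            # may the role reach the public internet?
    max_sessions_per_min: int # connections per time unit
    max_kbps: int             # bandwidth ceiling

# Constructed role table. "unknown" is the default role: it permits nothing
# beyond attachment to the quarantine VLAN (empty port set, zero limits).
ROLES = {
    "unknown": Role(999, frozenset(), False, 0, 0),
    "camera":  Role(20, frozenset({554}), False, 5, 4000),
    "staff":   Role(10, frozenset({22, 80, 443}), True, 300, 50000),
}

# VLANs whose privileges have been revoked after suspicious activity.
CONTAINED_VLANS = set()

def onboard(profile):
    """Assign a role by the service profile requested, not by MAC or brand.
    Anything that does not match a known profile falls back to 'unknown'."""
    return ROLES.get(profile, ROLES["unknown"])

def authorize(role, dst_port, dst_is_public, sessions_last_min, kbps):
    """Evaluate one connection request against the role's privileges.
    Returns (allowed, reason); every check is default-deny."""
    if role.vlan in CONTAINED_VLANS:
        return False, "vlan contained"
    if dst_port not in role.allowed_ports:
        return False, "port not allowed"
    if dst_is_public and not role.internet:
        return False, "no internet for this role"
    if sessions_last_min >= role.max_sessions_per_min:
        return False, "session rate exceeded"
    if kbps > role.max_kbps:
        return False, "bandwidth exceeded"
    return True, "allowed"

def contain(vlan):
    """Revoke all privileges of one VLAN; other VLANs keep operating."""
    CONTAINED_VLANS.add(vlan)
    return sorted(CONTAINED_VLANS)
```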

As CTSO, Vincent Lomba leads all cybersecurity projects and activities to ensure that products and solutions both developed and supported by Alcatel-Lucent Enterprise meet the highest applicable standards. He is responsible for helping the company to adopt all necessary best practices, from changing operational models to ensuring cybersecurity requirements are met in each and every part of the organization, while also aiding CxOs in their decisions. Vincent conducts internal and external ISO 27001 audits, and has recently initiated the global project to drive the organization towards NIS2 and CRA compliance.

This interview is a part of The Fast Mode's Next-Gen DPI Traffic Visibility for ZTNA segment, featuring over 40 leading cybersecurity and networking solution providers and their views on the importance of traffic visibility for ZTNA. A research report on this topic will be published in January 2024 - for more information, visit here.

Author

Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
