Important Considerations To Get Your Zero Trust/MicroSegmentation Project Right ... A Network Artist's Perspective

Recently came across an interesting blog talking about When & How " Zero Trust " idea surfaced almost a decade ago and some really good approach author has put together when it comes to approach a Zero Trust project.

While the approach seems to be good for most part, I found few small gaps and some additional consideration those needs to well thought through in order to get it right in real world.

So here is quick summary - Feel free to add and correct. Again it's my personal perspective and nothing against the original blog author. 


1. By implementing Zero Trust, you just increased the Network Complexity in significant manner (I'll save P vs. NP analysis for later :)  ) and more importantly Operational Complexity. So Author sort of didn't touch on those important topics I guess. You don't want to end up increasing MTTR and MTTI.


2. It would require a big Cultural Change in the organization to be successful. Similar to NetDevOPS and other fancy stuff.



3. The point 2 and 3 seems to be going opposite to each other. You want every communication to be encrypted/Secure and you want to inspect every thing too. Probably no easy way to do that in real life.



4. Every encrypted communication will add into performance degradation probably. Even considering CPU and Memory are not issues any longer. You run into other fancy issues such as MTU, MSS. Having multiple hops involved for encryption/decryption for Inspection would add significant delay, Expose it to man in middle attack and breaks end to end communication flow. And never underestimate the madness things like NAT can add into this.



5. Convergence becomes a challenge. (Networking Convergence is not = Application Convergence)



6. How this model map to Overlay Networking is interesting area to get head around and think through. (Stitching those policies across Campus, WAN and DCs needs to considered too as most vendor solutions in these spaces are pretty much black boxes)



7. Is your NMS ready to Monitor such Network and Network Constructs ?



8. How do you map this model to Telco Services and SLAs will be worth taking a look



9. For application dependency mappings you need to invest into APMs. A pretty big investment usually I guess and takes good amount of time to not only deploy it but getting it right.



10. My Fav One - Are you solving the right problem to begin with. It's not only about doing right things but more importantly doing things right. :)

11. Impact on Customer Experience. Most organisations don't even want you to touch that area in case there is any impact....even if it's little.



It goes back to basic principle of Computer Science around State, Surface & Optimization. The Author seems to be more focussed on only single dimension of Surface (Though Surface itself has many micro areas to touch upon)



Maybe good time to look at OODA loop for Cyber Security ?



What would the governance model , business case to get funds will look like and how you would measure the success of such project ?


And never underestimate RFC 1925 rule 8 :)

HTH...
Deepak Arora
Evil CCIE