Publicized data breaches or network compromises are becoming almost a daily event, with probably hundreds or more event occurring that are not disclosed. In order for companies to protect their users, data and resources measures must be taken that isolate and protect critical systems and resources.

The recent breach of the National Bank of Blacksburg in Virginia resulted in the theft of over $2.4 million over an eight-month period. This compromise and breach started with a targeted phishing email which allowed the intruders to install malware on the victim’s computer and then move laterally, compromising a second system that had access to the STAR network, which handles debit card transactions.

Having mission critical computers and systems, such as the STAR network at the National Bank of Blacksburg, on networks that can be readily accessed by at-risk user computers and workstations introduces a level of risk and exposure that the corporate boardroom executives need to start losing sleep over. Critical systems need to be isolated and protected since no one, no system, no application can be trusted in today’s environment.

Zero Trust with segmentation can solve the problems we face and is the direction that enterprises must take. In order to effectively isolate and protect users, computers and application traffic must pass through a segmentation gateway or NGFW that can perform real-time threat prevention, including for encrypted traffic, which is becoming a larger percentage of overall network traffic. Segmentation gateways will not only protect critical systems and data, but also help contain a breach or compromise from moving laterally through the network.

The principles of Zero Trust that should be followed include:

1. Identification of sensitive data and systems
2. Understanding and mapping of the data flows of the sensitive data
3. Architecting the network to isolate and protect the sensitive data and systems
4. Continuously monitor and adjust the ecosystem

Unfortunately, the traditional network core switch still sold by all network vendors still tout their port densities, routing capabilities and throughput instead of the ability to inspect traffic and protect systems in real-time. Until switch vendors add threat prevention functionality to their switches, network engineers must change their traditional network design thinking and use the tools and equipment available now to protect their critical systems, data and endpoints.