Zero Trust Platform Can Microsegment Any Environment
Edgewise Networks' zero trust solution prevents malicious lateral movement across the network.
Edgewise Networks has announced a new approach to perimeter-free, zero-trust access for distributed workloads. The company claims that its platform is the first zero trust platform that can quickly and automatically microsegment any environment—not only on premises, but in the cloud and in containers. The process prevents malicious lateral movement across the network by allowing only applications verified by their cryptographic identity to communicate.
“Many organizations have been talking about micro-segmentation for many years, but very few organizations have any idea how to get started in a practical, operational setting,” said Ed Amoroso, an analyst at TAG Cyber, a cyber security analysis company. “It’s focused on supporting practical deployment.”
Unlike the firewall, LAN-based approach to perimeter security, the new platform uses software identity instead of network addresses to create policies, allowing it to work essentially the same way in all three environments. Network addresses change constantly in auto-scaling environments like the cloud and containers, so traditional firewall-based micro-segmentation won’t work, explained Peter Smith, CEO and co-founder of Edgewise Networks.
In all three cases, Edgewise first creates a unique, immutable cryptographic identity for each workload, host, and device on the network. These unique application identities are based on immutable properties that an attacker cannot change, along with cryptographic signatures of the application. An example of an unchanging property would be the SHA-256 hash of a binary. If a single bit of that binary changes, that hash is going to result in a different value and you’ll get a different identity, Smith explained.
“When entities try to communicate, Edgewise symmetrically verifies the identity of anything trying to communicate and that this type of communication is allowed,” he explained. “The beauty of this method is that applications can be moved to the cloud or a container and policies remain in effect. With traditional, address-based methods, you’d need to manually update policies each time an address changed, which could take hours or days.”
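As an added illustration, not Edgewise's code, of the property described above: a policy keyed on workload identity derived from the binary's SHA-256 plus immutable properties keeps working when a workload's address changes, but denies a binary that differs by a single bit. The identity construction, property names and sample workloads are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    name: str
    binary: bytes    # the executable's bytes (constructed samples below)
    props: dict      # immutable properties, e.g. code-signing subject (assumed)
    address: str     # network address; deliberately NOT used by the policy

def workload_identity(w: Workload) -> str:
    """Identity = SHA-256 over the binary's SHA-256 digest plus its immutable
    properties in canonical order. A one-bit change in the binary changes it."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(w.binary).digest())
    for key in sorted(w.props):
        h.update(f"{key}={w.props[key]};".encode())
    return h.hexdigest()

def build_policy(pairs):
    """Compile allowed (src, dst, port) tuples into an identity-keyed set."""
    return frozenset((workload_identity(s), workload_identity(d), p) for s, d, p in pairs)

def is_allowed(policy, src, dst, port):
    """Both endpoints' identities must match a policy entry; addresses play
    no part, so moving a workload to a new address does not change the answer."""
    return (workload_identity(src), workload_identity(dst), port) in policy

# Constructed sample workloads; the byte strings stand in for real binaries.
ORDERS = Workload("orders-api", b"\x7fELF orders-api v1.4 sample",
                  {"signer": "CN=example-build"}, "10.0.1.5")
PAYMENTS = Workload("payments-db", b"\x7fELF payments-db v2.0 sample",
                    {"signer": "CN=example-build"}, "10.0.2.9")
POLICY = build_policy([(ORDERS, PAYMENTS, 5432)])

def demo():
    moved = replace(ORDERS, address="172.16.8.21")   # rescheduled into a container
    flipped = bytearray(ORDERS.binary)
    flipped[0] ^= 0x01                                # flip one bit of the binary
    tampered = replace(ORDERS, binary=bytes(flipped))
    return {
        "original": is_allowed(POLICY, ORDERS, PAYMENTS, 5432),    # True
        "moved": is_allowed(POLICY, moved, PAYMENTS, 5432),        # True
        "tampered": is_allowed(POLICY, tampered, PAYMENTS, 5432),  # False
        "wrong_port": is_allowed(POLICY, ORDERS, PAYMENTS, 22),    # False
    }
```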
The micro-segmentation process is also very fast. According to Smith, the platform eliminates unnecessary communication paths to shrink the attack surface by more than 90%, microsegments applications and hosts, and automatically creates a compressed set of policies that allow organizations to accomplish zero trust security.
Machine learning is an important part of the solution. The platform uses machine learning to visualize and analyze all application communications on the network, generating a complete map of all software, hosts, and devices on the network, as well as all the possible communication pathways between them. Smith says that this process can take up to eight months to do manually, and, even once it’s completed, it’s likely the network has changed. Edgewise’s machine learning capability keeps the network visualization constantly updated.
Once the visualization is complete, machine learning can automatically eliminate unnecessary pathways to reduce the attack surface. It also can microsegment the network by building and enforcing the minimum number of policies to secure digital assets in a matter of seconds.
The result is something Smith said generates “provable security outcomes”.
“Edgewise can show the exact percentage of risk reduction on the attack surface, and which applications are protected,” he said. “The policies built by ML can be reviewed by the security team, so they know precisely what kind of communications are allowed between which assets. These are provable security outcomes that can be quantified in terms of risk. Auditors, boards of directors, and executive teams want to understand security’s impact on the business, and Edgewise does that—automatically.”
While there are competing solutions, most of them depend on the protection inherent in a highly policed, highly capitalized enterprise perimeter DMZ. “And while the firewall-based LAN concept has served the community well for over two decades, it's pretty much on its last legs today,” Amoroso said.