NSAs Zero-Trust Guidelines Focus on Segmentation

Published: 23/11/2024 | Category: security




Zero-trust architectures are essential protective measures for the modern enterprise. The latest NSA guidance provides detailed recommendations on how to implement the networking angle of the concept.



The US National Security Agency (NSA) delivered its guidelines for zero-trust network security this week, offering a more concrete roadmap towards zero-trust adoption. It's an important effort to try to bridge the gap between desire for and implementation of the concept.
As businesses shift more workloads to the cloud, zero-trust computing strategies have moved from a buzzy hype phase to enjoying the status of an essential security approach. But even so, the notion of "untrusted until verified" is still slow to catch on in the real world (although in some areas, such as in the United Arab Emirates, zero-trust adoption is accelerating).
John Kindervag, who was the first to define the zero-trust term back in 2010 when he was an analyst at Forrester Research, welcomed the NSA's move, noting that "very few organizations have understood the importance of network security controls in building zero-trust environments, and this document goes a long way toward helping organizations understand their value."
"Further, it will greatly help various organizations worldwide more easily understand the value of network security controls and make zero-trust environments easier to build and operationalize," says Kindervag, who last year joined Illumio as its chief evangelist, where he continues to promote the zero-trust concept.
The NSA document contains loads of recommendations on zero trust best practices, including, foundationally, segmenting network traffic to block adversaries from moving around a network and gaining access to critical systems.
The concept isn't new: IT departments have been segmenting their corporate network infrastructure for decades, and Kindervag has been advocating for network segmentation since his original Forrester report, where he said that all future networks need to be segmented by default.
However, as Carlos Rivera and Heath Mullins from Forrester Research said in their own report from last fall, no single solution can provide all capabilities needed for an effective zero-trust architecture. Gone are the days when enterprises lived and operated within the confines of a traditional perimeter-based network defense.
In the cloud era, zero trust is exponentially more complex to achieve than it once was. Perhaps that's the reason that less than a third of survey respondents in Akamai's 2023 report on The State of Segmentation from last fall have segmented across more than two critical business areas in the past year.
To ease some of the pain, the NSA walks through how network segmentation controls can be accomplished through a series of steps, including mapping and understanding data flows, and implementing software-defined networking (SDN). Each step will take considerable time and effort to understand what parts of a business network are at risk and how to best protect them.
"The important thing to keep in mind with zero trust is that it's a journey and something that must be implemented using a methodical approach," cautions Garrett Weber, the field CTO of the Enterprise Security Group at Akamai.
Weber also notes that there has been a shift in segmentation strategies. "Up until recently, deploying segmentation was too difficult to do with hardware alone," he says. "Now with the shift to software-based segmentation we're seeing organizations be able to achieve their segmentation goals much easier and more efficiently."
The NSA document also differentiates between macro- and micro-network segmentation. The former controls traffic moving between departments or workgroups, so an IT worker doesn't have access to human resources servers and data, for example.
Microsegmentation separates traffic further, so that not all employees have the same data access rights unless explicitly required. This involves isolating users, applications, or workflows into individual network segments to further reduce the attack surface and limit the impact should a breach occur, according to the Akamai report.
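The two tiers just described, department-level (macro) rules and per-workload (micro) rules, and the earlier "map and understand data flows" step can be modelled together. The following Python is an added example written for this page; it is not code from the NSA guidance, Akamai, Illumio or any product mentioned in the article. The host inventory, the two allow-lists, the flow-log format and every address in it are constructed for illustration.

```python
"""Default-deny segmentation checker (added example, not from the NSA guidance
or the article). It models the two tiers the article describes, a macro policy
between departments and a micro policy between individual workloads, plus a
discovery pass for the "map your data flows" step. The inventory, policies and
flow log below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed inventory: host address -> (department segment, application label).
INVENTORY = {
    "10.10.1.5": ("engineering", "ci-runner"),
    "10.10.1.9": ("engineering", "dev-laptop"),
    "10.20.1.4": ("hr", "hr-app"),
    "10.20.1.8": ("hr", "hr-db"),
    "10.30.1.2": ("finance", "erp"),
}

# Macro policy: which department pairs may talk at all. Anything absent is denied.
MACRO_ALLOW = {
    ("engineering", "engineering"),
    ("hr", "hr"),
    ("finance", "finance"),
}

# Micro policy: which (source app, destination app, port) triples are allowed
# inside an already-permitted department pair. Anything absent is denied.
MICRO_ALLOW = {
    ("hr-app", "hr-db", 5432),         # HR application to its database only
    ("dev-laptop", "ci-runner", 443),  # developers reach CI over HTTPS only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def lookup(address):
    """Return the (segment, app) tuple for a known host, or None if unmapped."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return None
    return INVENTORY.get(address)


def evaluate(flow):
    """Apply the macro policy, then the micro policy; return (verdict, deciding tier)."""
    src, dst = lookup(flow.src), lookup(flow.dst)
    if src is None or dst is None:
        # An asset missing from the inventory is treated as untrusted.
        return ("deny", "unknown-host")
    if (src[0], dst[0]) not in MACRO_ALLOW:
        return ("deny", "macro")
    if (src[1], dst[1], flow.dport) not in MICRO_ALLOW:
        return ("deny", "micro")
    return ("allow", "micro")


def parse_flow_log(lines):
    """Parse constructed 'src dst dport' records; skip blank or malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append(Flow(parts[0], parts[1], int(parts[2])))
    return flows


def audit(flows):
    """Discovery pass: group observed flows by the tier that would deny them.

    Run this before enforcing, so the team can see which existing traffic the
    policy would break and which hosts still need to be added to the inventory."""
    report = {"allow": [], "macro": [], "micro": [], "unknown-host": []}
    for flow in flows:
        verdict, tier = evaluate(flow)
        report["allow" if verdict == "allow" else tier].append(flow)
    return report


# Constructed flow log: a handful of observed connections, one per line.
SAMPLE_LOG = """
10.20.1.4 10.20.1.8 5432
10.10.1.9 10.10.1.5 443
10.10.1.9 10.20.1.8 5432
10.20.1.4 10.20.1.8 22
192.168.50.7 10.30.1.2 443
garbage line
"""

if __name__ == "__main__":
    for tier, flows in audit(parse_flow_log(SAMPLE_LOG.splitlines())).items():
        for f in flows:
            print(f"{tier:12} {f.src} -> {f.dst}:{f.dport}")
```

The engineering laptop reaching the HR database is stopped at the macro tier, which is the article's "IT worker versus HR servers" case; the HR application reaching its own database over SSH rather than the database port is stopped at the micro tier, which is the per-workflow narrowing the article attributes to microsegmentation. The `audit` pass is the discovery step: it reports what the policy would block before anything is enforced, and flags hosts that are still missing from the inventory.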
"Security managers should take steps to use microsegmentation to focus on their applications, to ensure that attackers can't bypass controls by subverting single sign-on access, using side-loaded accounts, or finding ways to expose data to external users," says Brian Soby, the CTO and co-founder at AppOmni.
This helps define security controls by what is needed for each particular workflow, as Akamai's report lays out. "Segmentation is good, but micro-segmentation is better," the authors stated.
It may be a complex endeavor, but the juice is worth the squeeze: In Akamai's report, researchers found that perseverance pays off. Segmentation proved to have a transformative effect on defense for those who had segmented most of their critical assets, enabling them to mitigate and contain ransomware 11 hours faster than those with only one asset segmented.
Kindervag is still advocating for zero trust. Part of its attraction and longevity is that it is a simple concept to grasp: people and endpoints don't get access to services, apps, data, clouds, or files unless they prove they are authorized to do so — and even then, access is only granted for the length of time it's needed.
"Trust is a human emotion," he said. "People didn't understand it when I first proposed it, but it is all about managing danger, rather than risk and plugging holes in your security."
