The Grand Orchestration: Application & Device Microsegmentation (Zero Trust Activity 5.4.2)
We’ve been on a deep dive into securing our network environment, moving from foundational network segmentation (5.2.3) to implementing precise microsegmentation (5.4.1) for individual workloads. Now, we move on to the next step in our Zero Trust Architecture – Zero Trust Activity 5.4.2: Application & Device Microsegmentation. This activity is about the full operationalization of our Software-Defined Networking (SDN) or alternative programmable networking solutions to establish an infrastructure that embodies robust Zero Trust principles.
This activity directs DoD Components to utilize their SDN or alternative networking approach to establish infrastructure that delivers ZT Target Level functionalities. Specifically, this means implementing:
- Logical network zones: Further refining network segmentation into logically defined areas.
- Role, Attribute, and Condition-Based Access Control (RBAC/ABAC) for Users and Devices: Moving beyond basic user groups to sophisticated authorization policies based on who the user is, what device they are using, and the real-time context.
- Privileged Access Management (PAM) services for network resources: Securing administrative access to network devices and infrastructure components with just-in-time and just-enough-access principles.
- Policy-based control on API access: Ensuring that all interactions with data and services via APIs are governed by granular security policies, often based on data classification.
This activity is essential for achieving pervasive, identity- and context-aware microsegmentation that impacts every user, device, and application interaction across the network, including privileged access and API calls.
The outcomes for Activity 5.4.2 demonstrate the comprehensive application of these advanced controls:
- Assign Role, Attribute, and Condition-Based Access Control to Users & Devices.
- Provide PAM services.
- Limit Access on a Per-Identity basis for users and devices.
- Create logical network zones.
- Support policy control via REST API.
The ultimate end state is a highly secure and controlled network environment: SDN or alternative networking approach infrastructure is established across DoD Components, providing robust Role, Attribute, and Condition-Based Access Control for PEs and NPEs. PAM services are in place for network resources. Logical network zones are created, and policy-based controls are enforced on API access via REST APIs. This ensures secure and controlled access management, enhancing the overall security posture.
Solutions for Achieving Application & Device Microsegmentation (Zero Trust Activity 5.4.2)
Implementing Activity 5.4.2 requires orchestrating a set of security and network technologies, leveraging the programmable capabilities of your SDN/alternative networking infrastructure (from Activity 5.2.2) and the APIs defined in Activity 5.2.1.
- Centralized Policy Orchestration and Management:
  - Leverage a central policy management platform that can define and enforce complex RBAC, ABAC, and condition-based access policies for users, devices, and applications across the entire network. This platform integrates with your SDN controller and other enforcement points.
  - This platform also manages the policies for PAM services and API access controls.
- Leveraging Identity and Device Context (ABAC/RBAC for All):
  - Deeply integrate your Identity Provider (IdP) / Identity and Access Management (IdAM) solution (e.g., Okta) as the authoritative source for user and NPE identities and attributes (roles, groups, security clearances). Okta provides the foundational identity attributes that drive RBAC and ABAC decisions across your Zero Trust ecosystem.
  - Integrate with Unified Endpoint Device Management (UEDM) / Device Posture Assessment tools (e.g., data from Trellix EDR as part of your endpoint security strategy) to obtain real-time device attributes (managed status, compliance score, location, threat indicators). Trellix’s EDR platform, through its continuous monitoring and threat intelligence, can provide crucial “condition-based” attributes (e.g., “device is healthy,” “malware detected,” “missing critical patch”) that inform dynamic access policies.
  - Your SDN/programmable network, via its APIs, consumes these user and device attributes to make real-time access decisions at various enforcement points.
- Implementing PAM Services for Network Resources:
  - Extend your Privileged Access Management (PAM) solution (e.g., Okta Privileged Access) to specifically cover administrative access to network devices and the programmable network infrastructure itself. Okta Privileged Access can provide just-in-time (JIT) and just-enough-administration (JEA) for network resource access, integrating seamlessly with your Okta Identity platform.
  - What’s involved:
    - Discovery & Vaulting: Identifying all privileged accounts (local, shared, default, service accounts) on network devices and securely vaulting their credentials (passwords, SSH keys, API tokens).
    - Secure Access & Session Management: Providing proxied, just-in-time (JIT), and just-enough-administration (JEA) access to network devices. This means users don’t get direct credentials but connect through the PAM solution.
    - Session Recording & Auditing: Recording all administrative sessions (CLI, GUI) for forensic analysis and compliance.
    - Automated Rotation: Regularly changing network device credentials without human intervention.
- Policy-Based Control on API Access:
  - Utilize API Gateways / API Management Platforms as enforcement points for all API traffic.
  - Within these gateways, enforce granular policies based on the identity of the API caller (user/NPE), their device posture, and crucially, the data classification and tagging of the information being accessed or manipulated via the API.
  - Zscaler can also contribute here by providing policy-based control over API access for applications accessed via its Zero Trust Exchange. While not a traditional API Gateway for publishing, Zscaler’s Cloud Firewall and ZTNA services can enforce granular policies on traffic destined for APIs based on user identity, device posture, and application segmentation, effectively acting as an access control point for API traffic traversing its cloud.
- Establishing Logical Network Zones (Orchestrated by SDN):
  - Further refine network segmentation into logical zones that transcend physical boundaries, managed by the SDN controller. These zones enable consistent access policies based on user/device/application attributes rather than just IP addresses. Zscaler’s Zero Trust Exchange can also contribute to creating “logical network zones” by segmenting access to applications based on policy, making them invisible to unauthorized users, even if the underlying network infrastructure uses traditional segmentation.
- Pervasive Microsegmentation Enforcement:
  - Implement microsegmentation at the individual workload level. Zscaler Microsegmentation is a direct solution here, using host-based agents to apply granular, application-identity-based segmentation policies directly on servers in data centers and clouds, preventing lateral movement. This complements traditional network-based microsegmentation platforms.
- Full Integration with Programmable Network Infrastructure: All these control mechanisms (RBAC/ABAC, PAM, API access control, microsegmentation) are orchestrated and enforced through the SDN or alternative programmable network infrastructure using the APIs defined in 5.2.1 and implemented in 5.2.2. The network becomes a dynamic policy enforcement fabric, reacting to signals from identity (Okta), device health (Trellix), and policy decisions (Zscaler, other policy engines).
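To make the decision flow concrete, here is an added worked example of a condition-aware RBAC/ABAC policy decision point of the kind the "Leveraging Identity and Device Context" and "Policy-Based Control on API Access" items describe. It is illustrative code written for this page, not code from the post or from Okta, Trellix or Zscaler. It assumes three hypothetical inputs: identity attributes (roles, clearance) as an IdP would supply them, device posture attributes (managed, healthy, patched) as an EDR/UEM feed would supply them, and a data classification tag on the resource behind the API. The rule names, API paths, clearance levels and sample users are all constructed.

```python
"""Condition-aware RBAC/ABAC policy decision point (constructed example).

Not the post's or any vendor's code. Subject attributes stand in for what
an IdP (e.g. Okta) would provide, Device attributes for an EDR/UEM posture
feed, and `classification` for the data tag on the API resource. Deny
rules are evaluated before allow rules and the engine is deny-by-default.
"""
from dataclasses import dataclass
from typing import Callable

# Hypothetical classification ladder; a subject's clearance must rank at
# or above the resource's tag for access to be considered at all.
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CUI": 1, "SECRET": 2}


@dataclass(frozen=True)
class Subject:            # attributes an IdP would assert
    user: str
    roles: frozenset
    clearance: str


@dataclass(frozen=True)
class Device:             # attributes an EDR/UEM feed would assert
    device_id: str
    managed: bool
    healthy: bool         # no active malware detection
    patched: bool         # no missing critical patch


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    api_path: str
    method: str
    classification: str   # data tag on the resource behind the API


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str           # "allow" or "deny"
    matches: Callable[[Request], bool]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str             # which rule produced the decision (for audit)


class PolicyEngine:
    """Deny-by-default evaluator: any matching deny rule wins."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, req: Request) -> Decision:
        for rule in self.rules:
            if rule.effect == "deny" and rule.matches(req):
                return Decision(False, rule.name)
        for rule in self.rules:
            if rule.effect == "allow" and rule.matches(req):
                return Decision(True, rule.name)
        return Decision(False, "default-deny")


def clearance_covers(subject: Subject, classification: str) -> bool:
    return CLEARANCE_RANK[subject.clearance] >= CLEARANCE_RANK[classification]


WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Hypothetical policy set: condition (device posture) and data-classification
# checks are deny rules; role-based entitlements are allow rules.
RULES = [
    Rule("deny-unmanaged-device", "deny", lambda r: not r.device.managed),
    Rule("deny-unhealthy-device", "deny", lambda r: not r.device.healthy),
    Rule("deny-unpatched-write", "deny",
         lambda r: not r.device.patched and r.method in WRITE_METHODS),
    Rule("deny-classification-mismatch", "deny",
         lambda r: not clearance_covers(r.subject, r.classification)),
    Rule("allow-analyst-read-reports", "allow",
         lambda r: "analyst" in r.subject.roles
         and r.api_path.startswith("/api/reports/") and r.method == "GET"),
    Rule("allow-netadmin-config", "allow",
         lambda r: "netadmin" in r.subject.roles
         and r.api_path.startswith("/api/network/")),
]

ENGINE = PolicyEngine(RULES)


def decide(subject, device, api_path, method, classification) -> Decision:
    """Entry point an API gateway or SDN controller would call per request."""
    return ENGINE.evaluate(Request(subject, device, api_path, method, classification))


# Constructed sample subjects and device postures
ANALYST = Subject("alice", frozenset({"analyst"}), "CUI")
NETADMIN = Subject("bob", frozenset({"netadmin"}), "SECRET")
GOOD_LAPTOP = Device("lt-01", managed=True, healthy=True, patched=True)
UNPATCHED = Device("lt-02", managed=True, healthy=True, patched=False)
INFECTED = Device("lt-03", managed=True, healthy=False, patched=True)
BYOD = Device("ph-01", managed=False, healthy=True, patched=True)

if __name__ == "__main__":
    cases = [
        (ANALYST, GOOD_LAPTOP, "/api/reports/42", "GET", "CUI"),
        (ANALYST, GOOD_LAPTOP, "/api/reports/42", "GET", "SECRET"),
        (ANALYST, INFECTED, "/api/reports/42", "GET", "CUI"),
        (NETADMIN, UNPATCHED, "/api/network/acl", "PUT", "CUI"),
        (NETADMIN, UNPATCHED, "/api/network/acl", "GET", "CUI"),
        (ANALYST, BYOD, "/api/reports/42", "GET", "CUI"),
    ]
    for s, d, p, m, c in cases:
        dec = decide(s, d, p, m, c)
        print(f"{s.user:6} {d.device_id} {m:4} {p:18} {c:12} -> "
              f"{'ALLOW' if dec.allowed else 'DENY ':5} ({dec.rule})")
```

The design point is the ordering: posture and classification checks are expressed as deny rules that run before any role-based allow, so a compromised or unmanaged device cannot be rescued by a strong role, and every decision carries the rule name so the enforcement point can log it for the SIEM.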
Key Items to Consider:
- Complexity of Integration: This activity requires deep integration of numerous security and network tools (IdP, UEM, PAM, API Gateways, Microsegmentation Platforms, SDN) under a unified policy management framework. The effective integration of solutions from Okta, Zscaler, and Trellix in their respective domains is paramount.
- Granularity of Policy Definition: Defining, testing, and managing RBAC/ABAC policies at this level of granularity across users, devices, applications, and APIs is incredibly complex and requires robust policy management tools and strict governance.
- Performance Impact: Real-time evaluation of such granular policies, especially at scale, can impact network and application performance; careful design and testing are essential.
- Automation is Non-Negotiable: Manual management of policies at this scale is impossible. Automation (via SOAR and direct API calls) is crucial for policy deployment, enforcement, and response.
- Continuous Monitoring: Robust logging from all enforcement points (network devices, API gateways, PAM solutions) fed into SIEM/UEBA is vital for auditing, detecting anomalies, and ensuring policy effectiveness.
- Operational Readiness: Security teams need to be trained and equipped to manage and troubleshoot incidents in this highly dynamic and automated environment.
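The PAM steps listed earlier (vaulting, proxied JIT/JEA access, session recording, automated rotation) and the "Continuous Monitoring" point above come together in the following added example, a minimal PAM broker written for this page. It is not code from the post or from Okta Privileged Access; a real product would back the vault with an HSM or KMS, take entitlements from the IdP, and proxy the actual SSH or HTTPS session. The device name, commands, credential values and audit record format are hypothetical.

```python
"""Minimal PAM broker for network devices (constructed example, not vendor
code). Users receive a short-lived grant scoped to an allowed command set;
the broker uses the vaulted credential on their behalf and never returns
it; every event is appended to an audit log suitable for SIEM forwarding.
"""
import secrets
import time
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Grant:
    grant_id: str
    user: str
    device: str
    allowed_cmds: frozenset   # just-enough-administration scope
    expires_at: float         # just-in-time window end


class PamBroker:
    def __init__(self, now=time.time):
        self._now = now               # injectable clock (tests use a fake)
        self._vault = {}              # device -> credential, never exposed
        self._entitlements = {}       # (user, device) -> allowed command verbs
        self._grants = {}             # grant_id -> Grant
        self.audit = []               # session/audit records

    # Discovery & Vaulting
    def vault_credential(self, device, credential):
        self._vault[device] = credential
        self._log("credential-vaulted", "pam-system", device, None)

    def credential_fingerprint(self, device):
        """Hash prefix of the vaulted secret; safe to include in audit records."""
        return sha256(self._vault[device].encode()).hexdigest()[:12]

    def entitle(self, user, device, commands):
        self._entitlements[(user, device)] = frozenset(commands)

    # Secure Access: JIT grant scoped by JEA entitlement
    def request_access(self, user, device, ttl_seconds):
        cmds = self._entitlements.get((user, device))
        if cmds is None or device not in self._vault:
            self._log("access-denied", user, device, None)
            return None
        grant = Grant(secrets.token_hex(8), user, device, cmds,
                      self._now() + ttl_seconds)
        self._grants[grant.grant_id] = grant
        self._log("grant-issued", user, device, grant.grant_id)
        return grant.grant_id

    # Session Management & Recording: proxied command execution
    def run(self, grant_id, command):
        grant = self._grants.get(grant_id)
        if grant is None or self._now() > grant.expires_at:
            who = grant.user if grant else None
            self._log("session-rejected", who, None, grant_id, command)
            return False
        verb = command.split(maxsplit=1)[0]
        if verb not in grant.allowed_cmds:
            self._log("command-blocked", grant.user, grant.device, grant_id, command)
            return False
        _credential = self._vault[grant.device]   # used by the proxy only
        # (a real broker would open the device session here with _credential)
        self._log("command-executed", grant.user, grant.device, grant_id, command)
        return True

    # Automated Rotation
    def rotate(self, device):
        self._vault[device] = secrets.token_urlsafe(24)
        self._log("credential-rotated", "pam-system", device, None)

    def events(self, kind):
        return [e for e in self.audit if e["event"] == kind]

    def _log(self, event, user, device, grant_id, command=None):
        self.audit.append({"ts": self._now(), "event": event, "user": user,
                           "device": device, "grant": grant_id, "command": command})


if __name__ == "__main__":
    broker = PamBroker()
    broker.vault_credential("core-sw-01", "initial-password")   # constructed
    broker.entitle("carol", "core-sw-01", ["show"])              # read-only JEA
    gid = broker.request_access("carol", "core-sw-01", ttl_seconds=300)
    print(broker.run(gid, "show running-config"))   # True: in scope
    print(broker.run(gid, "reload"))                # False: outside JEA scope
    broker.rotate("core-sw-01")
    for event in broker.audit:
        print(event)
```

Two properties worth noting: the credential never crosses the broker boundary (only a fingerprint does, for audit correlation), and every path, including denials and expired grants, writes a record, which is what lets a SIEM/UEBA detect out-of-scope commands or grant reuse after expiry.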
For the Technical Buyer
Activity 5.4.2 integrates identity, device, and network controls into a fully operational Zero Trust architecture. It’s about leveraging your SDN or programmable network to implement pervasive RBAC/ABAC for all users and devices, secure privileged access to network resources, and enforce granular, policy-based control on every API call. For technical buyers, success here means orchestrating a highly complex ecosystem of security tools. Your identity platform (e.g., Okta) provides the core user and NPE attributes. Your EDR (Trellix EDR) delivers critical device health conditions. Finally, Zscaler’s Zero Trust Exchange, with its Microsegmentation and policy enforcement capabilities, offers a powerful way to enforce granular access policies at the application and network level. This activity establishes a dynamic, adaptable, and robust security posture, where access is controlled on a per-identity, per-device, per-resource, and per-action basis, providing protection against unauthorized access and lateral movement across your entire digital environment.
Pillar: Network and Environment
Capability: 5.4 Micro-Segmentation
Activity: 5.4.2 Application & Device Micro-Segmentation (Advanced)
Phase: Target Level
Predecessor(s):
- 5.2.3 Segment Flows into Control
- 5.4.1 Implement Micro-Segmentation
Successor(s): 3.4.3 Enrich Attributes for Resource Authorization Part 1