Data Center and Hybrid Cloud for Dummies

Issue link: https://insights.oneneck.com/i/1458399

CHAPTER 3 Delivering Consistent Security Using Zero Trust 39

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

include the ability to block files by their actual type (not based on just their extension), and the ability to control the transfer of sensitive data patterns like credit card numbers. Granular policies enable organizations to bypass decryption of certain sensitive data, such as data to and from a known financial institution, if required by security and/or privacy compliance mandates. This complements the granularity of application identification, which offers the ability to control file transfer within an individual application.

With content identification, IT departments gain the ability to stop threats, reduce inappropriate use of the Internet, and help prevent data leaks — all without having to invest in a pile of additional threat prevention products that cause appliance sprawl, don't work well because of their lack of integration, and lack comprehensive visibility.

Minimizing Your Attack Surface with Segmentation

A flat, unsegmented network is difficult to protect because if an attacker gains access to the network, the attacker can easily move laterally and compromise critical systems. This is particularly true in a hybrid cloud environment where on-premises data centers are connected to private and public clouds. Old segmentation methods such as virtual local area networks (VLANs) don't scale well, are difficult to automate, and don't take into account users, content, or applications, so they provide little control over or visibility into traffic.

Creating a segmentation strategy that provides granular access control to hybrid cloud resources will give you better control over traffic. The more granular your segmentation strategy, the more control over traffic you gain, because traffic must traverse a firewall as it flows between segments, or trust zones.
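The two content-identification controls described at the top of this page, blocking a file by its real type rather than its extension and detecting credit-card-number patterns in transit, as an added Python example that is not from the book or any vendor product; the magic-byte table, the policy function and the sample inputs are constructed for illustration.

```python
import re

# Constructed magic-byte table: a real inspection engine carries far more signatures.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "exe",          # PE/DOS executable
    b"PK\x03\x04": "zip",  # also the container for docx/xlsx/jar
}

def true_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever name it was given."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random 16-digit runs from plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return Luhn-valid 16-digit sequences (candidate card numbers) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def inspect_transfer(filename: str, data: bytes, blocked_types=("exe",)) -> dict:
    """Hypothetical policy: block by real type or by sensitive-data pattern, else allow."""
    kind = true_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    pans = find_pans(data.decode("utf-8", errors="ignore"))
    reasons = []
    if kind in blocked_types:
        reasons.append(f"real type '{kind}' is blocked (name claims '{ext}')")
    if pans:
        reasons.append(f"{len(pans)} Luhn-valid card number(s) in content")
    return {"type": kind, "ext": ext, "pans": pans, "allow": not reasons, "reasons": reasons}
```

Renaming an executable to `report.pdf` does not change its magic bytes, so the type check still blocks it, while the Luhn filter keeps the pattern control from firing on arbitrary 16-digit strings such as order numbers.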
Many organizations use the application itself as the trust boundary, essentially putting each application in its own trust zone, protected by a next-generation firewall to inspect all traffic that traverses the boundary. For the most critical applications, you may also want to leverage a micro-segmentation tool to restrict traffic moving between workloads within a trust zone, to further reduce