In a Zero Trust architecture, the network is no longer treated as a trusted boundary. Instead, it becomes a transport layer where every connection must be explicitly verified, authorized, and continuously monitored. The Network pillar focuses on securing access to applications and resources by enforcing identity- and context-aware controls, segmenting connectivity, and minimizing the ability for attackers to move laterally.
Network pillar guidance focuses on moving access control away from the perimeter and closer to applications and resources. It emphasizes verifying every connection using identity and device signals, enforcing least-privilege access through segmentation, and assuming breach by limiting exposure and restricting lateral movement.
Workshop implementation
The Network workshop covers the implementation areas summarized in the table.
| Area | Details |
|---|---|
| Implement Zero Trust network access (ZTNA) for applications | Replace implicit trust in the corporate network with identity and context-based access decisions. Connect users directly to applications using identity-aware access controls, and continuously evaluate sessions based on identity, device posture, risk signals, and location. |
| Enable secure private access to internal applications | Provide access to internal and private applications without exposing them to the public internet. Use application proxies and identity-aware gateways to eliminate broad network-level access and reduce attack surface. |
| Secure outbound internet access | Use a secure web gateway (SWG) or similar cloud-delivered controls to inspect, filter, and control outbound traffic. Apply policies based on user identity, device state, and risk to prevent access to malicious or inappropriate destinations. |
| Protect internet-facing applications and endpoints | Reduce exposure of public-facing applications and services by applying layered protections against volumetric, protocol, and application-layer attacks. Use traffic filtering, request inspection, rate controls, and automated mitigation to improve resilience and availability. |
| Segment networks and application access | Implement segmentation and micro-segmentation across on-premises and cloud environments to limit connectivity between users, devices, and applications. Restrict lateral movement by granting access only to explicitly authorized resources. |
| Encrypt and protect all network traffic | Ensure that all traffic—internal, external, and east-west—is encrypted in transit. Use secure protocols and identity-aware gateways to maintain confidentiality and integrity of communications. |
| Move enforcement closer to applications and data | Shift enforcement from traditional perimeter controls to application-level and identity-aware controls. Use reverse proxies, application gateways, and session-based controls to enforce policy at the point of access. |
| Improve network visibility and continuous monitoring | Gain visibility into network traffic, application access patterns, and user activity. Continuously monitor sessions and analyze logs from network controls, gateways, and segmentation boundaries to detect anomalies and support investigation. |
| Integrate network signals into security operations (SecOps) | Feed network telemetry, access events, and traffic analytics into centralized monitoring and response systems. Correlate network activity with identity, device, data, and infrastructure signals to detect threats, investigate incidents, and respond to suspicious behavior. |
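The ZTNA, segmentation, and monitoring rows above describe the same control loop: every request to an application is decided on identity, device posture, and risk against an explicit segment allowlist, and the decisions are logged so security operations can correlate them. The following Python is an added example written for this page, not code from the Microsoft workshop or any Microsoft product. It assumes a request object carrying the user's groups, a device compliance flag, a risk level, and a target application; the segment map, group names, and sample requests are all constructed for the illustration. The second half shows one correlation a SecOps team can run over the decision log: a user denied on allowlist grounds across several segments is a candidate lateral-movement signal worth investigating.

```python
"""Added example (not from the workshop page): a toy Zero Trust policy
decision point plus a SecOps correlation over its decision log.

Assumptions (mine, not the page's): an access request carries identity,
device posture, a risk level and the target application; each application
belongs to one segment with an explicit allowlist of groups. All sample
data below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group memberships asserted by the identity provider
    device_compliant: bool   # device posture signal (e.g. management/compliance state)
    risk: str                # "low" | "medium" | "high" from a risk engine
    app: str                 # target application, never a raw network range


# Constructed segmentation map: each app lives in one segment, and each
# segment names the groups allowed to reach it. Anything unlisted is denied.
SEGMENTS = {
    "payroll-web": {"segment": "finance",    "allowed_groups": {"finance-staff"}},
    "hr-portal":   {"segment": "hr",         "allowed_groups": {"hr-staff"}},
    "wiki":        {"segment": "general",    "allowed_groups": {"all-employees"}},
    "db-admin-ui": {"segment": "restricted", "allowed_groups": {"dba"}},
}


def decide(req: Request) -> dict:
    """Return a decision record. Every branch is explicit; there is no
    'already on the corporate network' shortcut anywhere in the logic."""
    target = SEGMENTS.get(req.app)
    if target is None:
        return _record(req, None, False, "unknown-app")
    if not req.device_compliant:
        return _record(req, target, False, "device-noncompliant")
    if req.risk == "high":
        return _record(req, target, False, "risk-high")
    if not (req.groups & target["allowed_groups"]):
        return _record(req, target, False, "not-in-segment-allowlist")
    # Medium risk may reach only the general segment; anything else needs low risk.
    if req.risk == "medium" and target["segment"] != "general":
        return _record(req, target, False, "risk-medium-restricted-segment")
    return _record(req, target, True, "allowed")


def _record(req, target, allow, reason):
    """Decision log line: enough context for SecOps correlation later."""
    return {
        "user": req.user,
        "app": req.app,
        "segment": target["segment"] if target else None,
        "allow": allow,
        "reason": reason,
    }


def probing_users(decisions, min_segments=2):
    """SecOps correlation: users denied on allowlist grounds across several
    distinct segments look like lateral-movement probing. Returns {user: [segments]}."""
    denied = defaultdict(set)
    for d in decisions:
        if not d["allow"] and d["reason"] == "not-in-segment-allowlist":
            denied[d["user"]].add(d["segment"])
    return {u: sorted(s) for u, s in denied.items() if len(s) >= min_segments}


# Constructed sample requests (hypothetical users and outcomes).
SAMPLE = [
    Request("alice", frozenset({"finance-staff", "all-employees"}), True, "low", "payroll-web"),
    Request("alice", frozenset({"finance-staff", "all-employees"}), False, "low", "payroll-web"),
    Request("bob", frozenset({"all-employees"}), True, "medium", "wiki"),
    Request("bob", frozenset({"all-employees"}), True, "low", "payroll-web"),
    Request("bob", frozenset({"all-employees"}), True, "low", "hr-portal"),
    Request("bob", frozenset({"all-employees"}), True, "low", "db-admin-ui"),
    Request("carol", frozenset({"dba", "all-employees"}), True, "high", "db-admin-ui"),
]


def run(requests=SAMPLE):
    """Evaluate every request, then correlate the decision log."""
    decisions = [decide(r) for r in requests]
    return decisions, probing_users(decisions)


if __name__ == "__main__":
    decisions, suspects = run()
    for d in decisions:
        verdict = "ALLOW" if d["allow"] else "DENY"
        print(f"{d['user']:6} {d['app']:12} {verdict:5} {d['reason']}")
    print("probing candidates:", suspects)
```

The denial reasons are deliberately distinct rather than a single "denied", because the monitoring rows depend on being able to tell a non-compliant device from an allowlist miss: only the latter, repeated across segments, is treated as a probing indicator here, while a compliance failure is an endpoint hygiene event routed elsewhere.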
Assess networking posture
The Zero Trust Assessment tool can assess your networking configuration against a range of security best practices.
Next steps
Run an assessment, and begin the Networking workshop.