What is Campus Zero Trust Security?

Campus zero trust refers to applying the "never trust, always verify" principle within a primary or branch network environment, where strict authentication, continuous verification, and isolation of users and devices are required. This is to prevent internal and external threats, essentially treating every access attempt as potentially malicious, regardless of its origin on the network.

While the term zero trust is not new, the term campus zero trust is used to signal that the focus is on the primary and branch LAN. A campus or primary LAN can be a corporate, education, or large public venue network. It does not encompass the data center network. Nor does it include some of the capabilities offered via Zero Trust Network Access (ZTNA), which usually describes the remote access security offered by vendors of Security Service Edge (SSE) solutions.

A Campus Zero Trust Deeper Dive

Campus zero trust is based on the principles of Least Privilege, Access Control, Microsegmentation, Multi-factor Authentication, Preventing Lateral Movement, and Continuous Monitoring and Re-Authentication.


The objective is to provide a very structured access and enforcement model for the campus and branch that ensures consistency for any user or device that is connecting to either a wired or wireless network.

The history behind Zero Trust

The term “Zero Trust” was coined by John Kindervag, an analyst at Forrester Research Inc., in 2010, when the model was first presented as a means of achieving enterprise-grade cybersecurity as an alternative to perimeter-based security. A few years later, smartphone and BYOD support drove zero trust’s growing adoption. In 2019, Gartner, a global research and advisory firm, listed zero trust security access as a core component of secure access service edge (SASE) solutions. The term campus zero trust aims to highlight that the security concerns and vulnerabilities of the campus LAN differ from those addressed by SASE vendors with SSE and ZTNA offerings.

Why Campus Zero Trust?

As Zero Trust principles were implemented in the past, NAC appliances, VLANs, ACLs, and complex rules were all the rage. Unfortunately, with the adoption of SSE, the legacy Zero Trust model used in campus and branch environments started to show its weaknesses. To make things worse, vendors then started to introduce dynamic segmentation and EVPN/VXLAN options to shore up the gaps, introducing more complexity and integration points.


IT organizations are now looking for a new zero trust model for their campus wired and wireless LAN that eliminates the need for VLANs, NAC appliances, and complicated underlay and overlay segmentation services. The goal is to take advantage of similar capabilities offered by SSE cloud-based solutions, such as cloud reachability, simplicity and scale, while providing a consistent connectivity experience for users and IoT devices.

Campus Zero Trust advantages

The model going forward for campus zero trust is to build features directly into the network architecture that remove legacy vulnerabilities and reduce the need for add-on security services. Campus zero trust delivered as-a-Service also coincides with today’s growing adoption of campus Network as-a-Service offerings and their flexibility. These changes provide for the following:

    • No VLANs, manual software config, or open Ethernet ports
    • Layer 3 segmentation and per-device isolation across every installation
    • Per-device inspection of all traffic – North/South and East/West
    • Consistent policy enforcement with on-prem firewalls, FWaaS, or SSE options

Comparing Campus Zero Trust to Traditional Zero Trust

Service Scope
    Campus Zero Trust: Refers to the delivery of security services in a campus LAN environment.
    Traditional Zero Trust: Can refer to everything from LAN to ZTNA remote access offerings. Some vendors even offer Zero Trust Data Center solutions.

IoT Security
    Campus Zero Trust: Security that ensures IoT devices, which have traditionally weak security, can be used in campus and branch environments with confidence. Each IoT device is placed in a segment of one and all of its traffic is inspected.
    Traditional Zero Trust: Security that places IoT devices onto VLANs that can be easily exploited. Vulnerabilities often target IoT devices. Lateral movement across a VLAN goes unnoticed and is often the cause of public breaches.

Simplicity
    Campus Zero Trust: Features are built into the network in order to minimize integration points and remove complexity (e.g., Layer 3 segmentation, per-device isolation, built-in RADIUS, continuous re-authorization of credentials).
    Traditional Zero Trust: The legacy nature of a network’s architecture and design requires organizations to add on appliances, software, and licenses to move from Layer 2 segmentation and VLANs to something more secure.

Authentication and Policy Enforcement
    Campus Zero Trust: Simple single sign-on (SSO) support eliminates large-scale NAC requirements. Per-device isolation ensures all N/S and E/W traffic is inspected by default. Simple SSE integration ensures campus zero trust consistency for environments choosing ZTNA for remote access.
    Traditional Zero Trust: Requires lengthy setup and NAC appliances for any large-scale authentication and authorization. E/W traffic can go unnoticed due to the use of VLANs in most environments. SSE integration requires manual configuration.

Consumption
    Campus Zero Trust: The majority of Nile Trust Service features are built into the Nile Access Service by design.
    Traditional Zero Trust: Often requires organizations to accept bare-bones security and piece together stronger security on their own or via an additional professional services or as-a-Service purchase.

Network Hardware Security
    Campus Zero Trust: Most network devices contain TPM chips. Manual configuration and console port access are cause for concern. LAN traffic encryption comes at a cost. Some networking vendors may not fully encrypt data stored in their cloud environments.
    Traditional Zero Trust: Same as for Campus Zero Trust.
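To make the IoT Security and Authentication rows concrete, here is a toy model of the two forwarding approaches: a flat VLAN, where same-VLAN traffic is switched without ever reaching a policy point, next to a segment-of-one model, where every flow is evaluated against an identity-based rule and a re-authorization deadline. This is an added example, not Nile's code; the device names, roles, VLAN numbers and the allow-list are constructed.

```python
"""Toy model of VLAN forwarding vs. per-device isolation (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    vlan: int              # only meaningful in the VLAN model
    role: str              # identity attribute the policy is written against
    authorized_until: int  # tick after which the device must re-authorize


# Constructed inventory: two cameras and a printer share VLAN 20, a laptop sits on VLAN 10.
DEVICES = {
    "cam-1": Device("cam-1", 20, "camera", authorized_until=100),
    "cam-2": Device("cam-2", 20, "camera", authorized_until=100),
    "printer": Device("printer", 20, "printer", authorized_until=100),
    "laptop": Device("laptop", 10, "user", authorized_until=50),
}

# Constructed allow-list of (source role, destination role); anything else is denied.
# Cameras are only ever allowed to reach a video recorder role ("nvr").
POLICY = {("user", "printer"), ("camera", "nvr")}


def policy_allows(src: Device, dst: Device, now: int) -> bool:
    """Enforcement-point decision: identity rule plus continuous re-authorization."""
    if now > src.authorized_until:  # stale session: deny until the device re-authorizes
        return False
    return (src.role, dst.role) in POLICY


def vlan_forward(src: str, dst: str, now: int) -> tuple[bool, bool]:
    """Layer 2 VLAN model. Returns (forwarded, inspected).
    Same-VLAN traffic is switched directly and never reaches the policy point."""
    s, d = DEVICES[src], DEVICES[dst]
    if s.vlan == d.vlan:
        return True, False  # east/west inside the VLAN: forwarded, never inspected
    return policy_allows(s, d, now), True  # inter-VLAN traffic is routed via the firewall


def segment_of_one_forward(src: str, dst: str, now: int) -> tuple[bool, bool]:
    """Per-device isolation model: every flow, N/S or E/W, hits the policy point."""
    s, d = DEVICES[src], DEVICES[dst]
    return policy_allows(s, d, now), True
```

Run `vlan_forward("cam-1", "cam-2", now=10)` and `segment_of_one_forward("cam-1", "cam-2", now=10)` side by side: the VLAN model forwards camera-to-camera traffic uninspected, while the segment-of-one model inspects it and denies it because no rule permits it.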

Long-term Zero Trust predictions

Due to the hurdles associated with implementing zero trust for many organizations, the report titled “Predicts 2025: Scaling Zero-Trust Technology and Resilience” states that by 2028, 30% of organizations will abandon zero trust programs because of budget constraints, complexity, cultural resistance, and perceived vendor product value.

The report’s authors and Nile share the belief that focusing on core security principles that can be seamlessly integrated with an existing technology stack will help bring zero-trust methodologies into the organizational culture, ensuring a more coherent and effective security strategy. Because of this, Nile includes campus zero trust capabilities throughout its technology stack, from the infrastructure and access layers to the policy layer.
