Roadmap to Zero Trust
Transitioning from a traditional network with minimal segmentation, authentication, or policy enforcement to a full Zero Trust environment requires deliberate planning, collaboration, and iterative implementation. This chapter provides a roadmap to help organizations move step-by-step toward achieving a secure Zero Trust model using HPE Aruba Networking solutions.
Start with the End in Mind: The NetConductor Vision
Creating a Zero Trust network starts with three core principles:
- Identify and authenticate every device on the network,
- Enforce business intent policy,
- Continuously monitor traffic on the network, reacting in real time.
HPE Aruba Networking NetConductor provides the tools to onboard diverse devices, enforce consistent policies, and dynamically adjust access levels based on user and device activity.
First, devices must be onboarded and authenticated to the network. HPE Aruba Networking NAC services simplify the onboarding process for Guest, IoT, BYOD, and corporate devices. This ensures that every device on the network is identified, authenticated, and categorized according to its role and purpose.
Next, policy enforcement ensures consistent and secure access to network resources. Centralized or distributed network fabrics apply access policies across the network, while SD-WAN capabilities extend these controls to geographically dispersed locations. This approach guarantees uniform security standards regardless of where devices connect.
Finally, continuous verification enhances security by monitoring user and device behavior in real time. Access levels are modified dynamically based on activity, ensuring that the network enforcement adapts to evolving conditions and potential threats. This ongoing evaluation helps maintain a secure environment without compromising operational efficiency.
The ultimate goal is to replace the traditional “allow-all” model with a dynamic Zero Trust framework. In this model, every user and device interaction is verified, and access is granted only to authorized resources. By following the steps outlined below, organizations can achieve a fully realized Zero Trust environment, underpinned by granular control, compliance, and continuous monitoring.
Step 1: Develop a Policy Matrix
The first step in building a Zero Trust network is developing a comprehensive policy matrix. This document maps roles, devices, and access levels across the organization, acting as the foundation for network security. This document is built by engaging key stakeholders—including IT, operations, and business leaders—to align network policies with organizational goals. This collaboration ensures that the policy matrix reflects both security requirements and business priorities.
After a policy matrix grounded in business requirements is created, it must be enacted in the network. The numerous ways to accomplish this are outlined in this chapter.
Understand the Network’s Composition
Before defining policies, it is critical to understand which devices connect to the network, how they connect, their traffic flows, and the kind of traffic they generate. A full inventory of endpoints helps inform the development of the policy matrix.
Data can be gathered using tools such as HPE Aruba Networking Central Client Insights, MDM solutions, and endpoint management systems, and by collaborating with endpoint management teams.
The example table below documents the devices connecting to the network.
| Endpoints | Connectivity Type | Authentication Type | Traffic Type | Traffic Pattern | Notes |
|---|---|---|---|---|---|
| Android Tablets | wireless | Dot1x | User traffic | N-S, E-W | enterprise communication |
| Zebra Scanner | wireless | MAC | User traffic | N-S, E-W | PoS scanners |
| Windows | wired, wireless | Dot1x | User traffic | N-S, E-W | PoS system |
| Apple tablets | wireless | Dot1x | User traffic | N-S, E-W | enterprise communication |
| Camera (PoE) | wired | MAC | Video | N-S | physical security |
| Badge Reader (PoE) | wired | MAC | Data | N-S | physical-access security |
| Printer | wired | no-auth | Data | E-W | Printers for PoS systems |
| Media player | wired, wireless | no-auth | Video | N-S | multicast stream |
This image provides an example of client discovery using Client Insights within HPE Aruba Networking Central.
Start Small
When creating the initial policy matrix, it is essential to start small and expand as the network administrators grow more comfortable with Zero Trust policies. This approach minimizes disruption to business operations and allows for iterative refinement of policies. Begin by defining a limited set of high-level roles, such as “Guest,” “IoT,” and “Employee”. These roles should capture the broadest categories of access needs initially without delving into excessive granularity.
For each role, define basic access permissions and denials. For example:
- Guest Role: Allow access to internet services (HTTP/HTTPS) but block all internal network resources.
- IoT Role: Permit communication with cloud control services while restricting access to internal applications and peer-to-peer device communication.
- Employee Role: Provide access to corporate resources based on departmental needs while blocking access to sensitive administrative systems.
Gather Data for Policy Design
To build these roles effectively, use existing network monitoring tools to analyze traffic patterns. Tools such as NetFlow or AppRF provide insights into typical device behavior, helping to identify which resources are accessed most frequently by different groups. Additionally, HPE Aruba Networking Central Client Insights can provide valuable information by identifying what is running on the network and by analyzing communication patterns. This visibility is critical for refining role definitions and understanding traffic flows. For example, these tools can detect specific application dependencies and peer-to-peer communications, aiding in the development of precise access policies. Use this data to validate initial role definitions and ensure that they align with real-world usage.
Iterative Expansion
After successfully implementing basic roles and policies, gradually expand the policy matrix to include additional roles and finer-grained access controls. For example, split the Employee role into sub-roles such as “Finance”, “Engineering”, and “Sales”, each with tailored permissions. Introduce conditional policies that adjust roles based on device posture or network location. For example, restrict access to financial applications unless the device is connected via a secure, corporate-managed endpoint.
By starting small and expanding iteratively, organizations can develop a robust policy framework without overwhelming IT teams or disrupting business operations. This incremental approach ensures that policies remain manageable and effective as the network evolves.
The image below shows an example of grouping of devices into “roles” and an associated policy created using Central Policy Manager.
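The following is an added example, not code from this guide or from Central Policy Manager. It models the starter policy matrix described in this step as a default-deny, first-match rule set: the three broad roles with their allow/deny rules, an Employee sub-role (Finance) that inherits the parent's rules, and a posture-conditional rule that only allows finance applications from a corporate-managed endpoint. Destination group names, ports, and role names are constructed placeholders for the address groups your enforcement point would actually use.

```python
"""Role-based policy matrix with default deny (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    role: str              # role assigned to the source (by NAC or derivation)
    dst: str               # destination group, e.g. "internet", "file-servers"
    port: int
    managed: bool = False  # device posture: corporate-managed endpoint?


@dataclass(frozen=True)
class Rule:
    dst: str                        # destination group, or "*" for any
    action: str                     # "allow" or "deny"
    ports: frozenset = frozenset()  # empty = any port
    managed_only: bool = False      # rule applies only to managed devices


@dataclass
class Role:
    name: str
    parent: Optional[str] = None    # sub-roles inherit the parent's rules
    rules: list = field(default_factory=list)


class PolicyMatrix:
    """First matching rule wins; a sub-role's rules are checked before its
    parent's; anything left unmatched is denied (no more "allow-all")."""

    def __init__(self):
        self.roles = {}

    def add_role(self, name, parent=None, rules=()):
        if parent is not None and parent not in self.roles:
            raise ValueError(f"parent role {parent!r} must be defined first")
        self.roles[name] = Role(name, parent, list(rules))

    def _chain(self, name):
        while name is not None:
            role = self.roles[name]
            yield role
            name = role.parent

    def evaluate(self, flow):
        """Return (action, reason) so operators can see which rule fired."""
        if flow.role not in self.roles:
            return "deny", "unknown role"
        for role in self._chain(flow.role):
            for r in role.rules:
                if r.dst not in ("*", flow.dst):
                    continue
                if r.ports and flow.port not in r.ports:
                    continue
                if r.managed_only and not flow.managed:
                    continue
                return r.action, f"{role.name}: {r.action} {r.dst}"
        return "deny", "implicit deny"


WEB = frozenset({80, 443})


def build_matrix():
    """The starter roles from this step, as constructed rules."""
    m = PolicyMatrix()
    m.add_role("Guest", rules=[
        Rule("internet", "allow", WEB),
        Rule("*", "deny"),
    ])
    m.add_role("IoT", rules=[
        Rule("cloud-control", "allow", WEB),
        Rule("iot-devices", "deny"),        # no peer-to-peer traffic
        Rule("*", "deny"),
    ])
    m.add_role("Employee", rules=[
        Rule("admin-systems", "deny"),
        Rule("corporate-apps", "allow"),
        Rule("internet", "allow", WEB),
    ])
    # Iterative expansion: a sub-role with a posture-conditional rule.
    m.add_role("Finance", parent="Employee", rules=[
        Rule("finance-apps", "allow", WEB, managed_only=True),
    ])
    return m


if __name__ == "__main__":
    m = build_matrix()
    for f in (Flow("Guest", "internet", 443),
              Flow("Guest", "file-servers", 445),
              Flow("Finance", "finance-apps", 443, managed=False),
              Flow("Finance", "finance-apps", 443, managed=True),
              Flow("Finance", "admin-systems", 22),
              Flow("Contractor", "internet", 443)):
        print(f.role, f.dst, f.port, "->", m.evaluate(f))
```

Two properties of this model are worth carrying into any real enforcement point: an unknown role and an unmatched flow both fall to deny, and the conditional rule fails closed when posture is unknown, so a missing MDM attribute never widens access.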
Step 2: Address Networks Without Network Access Control
Organizations without existing NAC capabilities can still make significant strides toward Zero Trust with other methods of role assignment. Shift from IP-based controls to role-based policies to establish a more adaptive security model while gaining familiarity with policy enforcement based on user identity instead of IP subnets. Examples of how to get started with role-based policies, without a NAC solution, are provided below.
Role Derivation on AOS-10 Gateways
Enable role derivation to dynamically assign roles during the connection process when a NAC server is not used. Configure the derivation rules to evaluate attributes such as the SSID, MAC address, or device OS. For example, corporate devices connecting to the “Corp-WiFi” SSID could be assigned an “Employee” role, while IoT devices on the same SSID could be assigned the “IoT” role by matching their vendor OUI.
VLAN Role Mapping on SD-WAN Gateways
Both EdgeConnect SD-WAN and EdgeConnect SD-Branch gateways provide the capability to map a physical interface or VLAN interface to a role. This feature is particularly useful as a fallback or default-role mechanism, assigning a role to traffic when a NAC solution is not yet in place or before individual user roles are dynamically assigned.
Using VLAN-to-role mapping is an excellent starting point for organizations beginning their journey into role-based policies. By mapping existing VLANs to roles, you can implement role-based segmentation without requiring the immediate deployment of a NAC solution. For example, a VLAN designated for guest traffic can be assigned a “Guest” role, while an IoT VLAN can be assigned an “IoT” role.
This approach offers a dual benefit: it enables role-based control of network traffic and provides a low-risk environment to familiarize IT teams with managing roles. As your organization gains experience with this framework, it can be better prepared to adopt more advanced NAC capabilities and dynamically assign roles to individual users and devices.
By starting with VLAN-to-role mapping, organizations can establish a strong foundation for Zero Trust principles while minimizing complexity and disruption.
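The example below is added here and is not AOS-10 or EdgeConnect configuration syntax. It models the role-assignment precedence that the two preceding sections describe: a role returned by NAC wins when present; otherwise ordered derivation rules on SSID, vendor OUI, and device OS are evaluated; otherwise the VLAN the traffic arrived on maps to a role; and a least-privilege default role applies when nothing matches. The SSID names, OUI table, VLAN IDs, and the "Quarantine" default are all constructed assumptions.

```python
"""Role derivation with a VLAN-to-role fallback (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    mac: str
    vlan: int
    ssid: Optional[str] = None       # None for wired connections
    device_os: Optional[str] = None  # as reported by profiling, if known
    nac_role: Optional[str] = None   # role from a NAC Access-Accept, if any


def oui(mac):
    """First three octets of a MAC, normalised to 'aa:bb:cc'."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(parts[:3])


# Constructed OUI -> vendor table. A real deployment would take this from
# the profiler (Client Insights) rather than hard-coding it.
KNOWN_IOT_OUIS = {
    "00:11:22": "camera-vendor",
    "aa:bb:cc": "scanner-vendor",
}

# Ordered derivation rules: (predicate, role). First match wins, so the
# narrower IoT match must come before the broader Employee match.
DERIVATION_RULES = [
    (lambda s: s.ssid == "Corp-WiFi" and oui(s.mac) in KNOWN_IOT_OUIS, "IoT"),
    (lambda s: s.ssid == "Corp-WiFi" and s.device_os in ("Windows", "macOS"), "Employee"),
    (lambda s: s.ssid == "Guest-WiFi", "Guest"),
]

# Fallback: VLAN/interface -> role, the SD-WAN gateway style mapping.
VLAN_ROLE_MAP = {
    10: "Employee",
    20: "IoT",
    30: "Guest",
}

DEFAULT_ROLE = "Quarantine"  # assumed least-privilege role when nothing matches


def derive_role(session, rules=DERIVATION_RULES, vlan_map=VLAN_ROLE_MAP):
    """Return (role, source) so operators can see why a role was chosen."""
    if session.nac_role:
        return session.nac_role, "nac"
    for predicate, role in rules:
        if predicate(session):
            return role, "derivation"
    if session.vlan in vlan_map:
        return vlan_map[session.vlan], "vlan-map"
    return DEFAULT_ROLE, "default"


if __name__ == "__main__":
    for s in (Session("aa:bb:cc:01:02:03", 10, ssid="Corp-WiFi"),
              Session("de:ad:be:ef:00:01", 10, ssid="Corp-WiFi", device_os="Windows"),
              Session("00:11:22:33:44:55", 20),                 # wired camera
              Session("de:ad:be:ef:00:03", 99),                 # unknown VLAN
              Session("de:ad:be:ef:00:04", 30, ssid="Guest-WiFi", nac_role="Contractor")):
        print(s.mac, "->", derive_role(s))
```

Returning the source of the decision alongside the role is a small habit that pays off during migration: it lets you measure how much of the network is still relying on the VLAN fallback versus dynamic derivation or NAC, which is exactly the progression this chapter describes.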
Step 3: Adopt a NAC Solution
Introducing a NAC solution is a pivotal step in implementing Zero Trust. HPE Aruba Networking NAC solutions provide robust capabilities for device authentication and role assignment. Most NAC solutions, even free ones, can integrate with Aruba’s Vendor-Specific Attribute (VSA) “Role,” enabling seamless role-based controls across the network.
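To make the VSA integration concrete, here is an added example (not ClearPass or any NAC product's code) that encodes and decodes the role as a RADIUS Vendor-Specific attribute. Per RFC 2865, attribute type 26 carries a 4-byte vendor ID followed by vendor sub-attributes. The Aruba dictionary distributed with FreeRADIUS defines vendor ID 14823 (Aruba's IANA enterprise number) and `Aruba-User-Role` as vendor type 1 with a string value; confirm both against the dictionary your own NAC ships before relying on them. The role names are constructed.

```python
"""Encode/decode the Aruba-User-Role RADIUS VSA (constructed example)."""
import struct

ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type
VENDOR_ARUBA = 14823       # Aruba enterprise number, per the Aruba RADIUS dictionary
ARUBA_USER_ROLE = 1        # vendor sub-attribute number of Aruba-User-Role


def encode_user_role(role: str) -> bytes:
    """Build one Vendor-Specific attribute carrying Aruba-User-Role=<role>."""
    value = role.encode("ascii")
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_ARUBA) + sub
    if 2 + len(body) > 255:
        raise ValueError("role name too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_user_role(attrs: bytes):
    """Walk a RADIUS attribute list and return the Aruba-User-Role, or None.

    VSAs from other vendors and unknown Aruba sub-attributes are skipped;
    an attribute whose length field does not fit the buffer is rejected
    rather than partially parsed."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor == VENDOR_ARUBA:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        break  # malformed sub-attribute: ignore the rest
                    if vtype == ARUBA_USER_ROLE:
                        return attrs[j + 2:j + vlen].decode("ascii", "replace")
                    j += vlen
        i += alen
    return None


if __name__ == "__main__":
    vsa = encode_user_role("employee")
    print(vsa.hex())                 # 1a10000039e7010a + "employee"
    print(decode_user_role(vsa))     # employee
```

The decoder assumes the Access-Accept has already been authenticated by the network device using the RADIUS shared secret (and Message-Authenticator where enabled); a role attribute from an unverified packet must never be honoured, since the role is the entire basis for the access decision that follows.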
Profiling IoT Devices with Client Insights
One of the most significant security challenges is managing IoT devices, which often lack traditional authentication capabilities. HPE Aruba Networking Central Client Insights, integrated with HPE Aruba Networking NAC solutions, enables deep device profiling based on observed behavior and attributes. For example, a surveillance camera can be identified by its MAC address, traffic patterns, and manufacturer information. After profiling, assign an IoT-specific role that restricts access only to the required cloud control services, while blocking all internal resources.
Managing BYOD with ClearPass BYOD Certificates
BYOD devices present another layer of complexity due to their diverse ownership and configurations. Use HPE Aruba Networking ClearPass’s BYOD onboarding feature to issue unique device certificates during the enrollment process. These certificates ensure that only authorized personal devices can connect to the network. Define a BYOD role that limits access to internet resources and specific corporate applications, while blocking sensitive internal systems.
Guest Access with AUP Pages
For Guest devices, simplicity is key. Implement a captive portal with an Acceptable Use Policy (AUP) page to ensure compliance before granting access. Configure HPE Aruba Networking ClearPass to assign the Guest role upon successful authentication or AUP acceptance. This role should permit basic Internet access while denying all internal resource connections. Aruba’s flexible captive portal options support branding and customization to align with organizational needs.
Corporate Devices with 802.1X Authentication
Corporate-owned devices typically demand the highest level of trust and access. Use 802.1X authentication to verify users and devices. An enterprise PKI (Public Key Infrastructure) should be used to issue machine and user certificates. Assign these devices to an “Employee” role, with access tailored to departmental requirements. For additional security, incorporate endpoint posture checks with MDM (mobile device management) to validate compliance with corporate standards before granting full access.
Consider these common strategies to ensure comprehensive coverage and maintain consistent policy enforcement across diverse device types and user groups.
Step 4: Start Small with Enforcement
Zero Trust benefits become tangible when it comes to policy enforcement. Begin small with limited enforcement to minimize migration challenges while validating the effectiveness of new policies. Focus on restricting access to sensitive resources for low-trust roles. For example, establish preliminary policies to deny IoT devices from accessing internal file servers or to block guest devices from communicating with production networks.
Start with VLAN-Based Enforcement
The simplest way to begin is to enforce VLANs. Assign roles to specific VLANs and apply ACLs at the VLAN level to restrict traffic. For example, a Guest VLAN might only permit HTTP/HTTPS traffic to external destinations, while an IoT VLAN allows communication only with specific cloud endpoints. This approach provides immediate segmentation and can be implemented without major changes to network configuration or operation.
Expand to Role-Based Enforcement
Consider incorporating Aruba’s role-based policies for more granular control where roles are derived dynamically through a NAC, enabling enforcement based on real-time user and device attributes.
Centralized Fabrics
Centralized fabrics are straightforward and highly effective. These fabrics enable centralized role-based policy enforcement, allowing for scalable and consistent policy application. In certain cases, centralized fabrics can be layered onto an existing network without disruption. For example, organizations can enforce Zero Trust policies specifically for contractors accessing the network while leaving the rest of the infrastructure unchanged. To learn more about Centralized Fabrics, refer to the NetConductor Enforcement Models chapter of the Policy Design guide.
Distributed Fabrics
Distributed fabrics work well in environments with significant east-west traffic requirements where distributed policy enforcement at the edge is required. Unlike centralized fabrics, which route traffic through a core enforcement point, distributed fabrics enable policy enforcement closer to the edge, reducing latency and optimizing bandwidth usage. To learn more about Distributed Fabrics, refer to the policy enforcement page.
SD-WAN Gateways
EdgeConnect SD-WAN gateways can use roles to enhance and extend security and policy enforcement directly at the network edge. This integration provides a highly scalable, on-premises enforcement point that supports a broad range of advanced security capabilities, including zone-based firewall policies, intrusion prevention and detection systems (IPS/IDS), and application-aware policy enforcement.
Role-Based Zone Firewall Policies
Roles can be integrated seamlessly into EdgeConnect’s zone-based firewall policies, offering fine-grained control over traffic flow between zones. For example, using “Guest,” “IoT,” and “Corporate” roles can determine the access rules applied between zones, such as restricting guest traffic to Internet-only zones or limiting IoT devices to communicate only with designated cloud services. Incorporate roles into zone policies to ensure that access control decisions are both context-aware and consistently enforced across the network.
Role Integration with Business Intent Overlays
Business Intent Overlays (BIOs) are a key feature of EdgeConnect SD-WAN gateways, providing the ability to define traffic handling and prioritization based on business requirements. Roles enhance BIO policies dynamically by influencing how traffic is routed and prioritized. For example, traffic from devices assigned an “Executive” role might be routed over the highest-performing, lowest-latency path, while “Guest” role traffic could be relegated to a secondary path with lower priority. This ensures that critical applications and users receive the performance they need without compromising network efficiency.
On-Premises Security Enhancement with Roles
EdgeConnect SD-WAN gateways offer powerful on-premises security options, and roles further enhance these capabilities.
- IPS/IDS Integration: Roles can influence how IPS/IDS policies are applied. For example, traffic from devices in the “Corporate” role might be subject to stricter intrusion detection policies than “Guest” traffic, reflecting the higher security requirements for sensitive corporate data.
- Application-Aware Policies: EdgeConnect’s application visibility allows organizations to create granular, role-specific policies. For example, users in the “Sales” role can have prioritized access to CRM applications, while “IoT” role devices can be restricted to communicating only with approved application endpoints.
- Web Filtering and URL Categorization: Role-based policies can be extended to web filtering, where “Guest” roles might be restricted from accessing certain categories of websites, while “Employee” roles can have more lenient access based on business needs.
By combining roles with EdgeConnect’s advanced security features, organizations can implement a Zero Trust approach that is not only robust but also highly adaptable. Roles add a layer of contextual intelligence to firewall rules, IPS/IDS, application prioritization, and more, ensuring that every enforcement decision aligns with the organization’s security and business objectives. This powerful integration allows EdgeConnect SD-WAN gateways to act as a critical enabler of Zero Trust security, all while optimizing traffic and enhancing user experiences.
Step 5: Expand as the Network Modernizes
As network infrastructure evolves, expand Zero Trust implementation to encompass more sophisticated controls. Adoption of Roles, a cornerstone of Aruba’s Zero Trust capabilities, enables real-time policy assignments based on evolving contextual factors. Replace static VLAN configurations with Roles to streamline operations and reduce complexity.
Extend Zero Trust across a WAN environment by integrating Aruba’s SD-WAN solutions into a Zero Trust architecture. This ensures consistent policy enforcement across a distributed enterprise.
Enhance visibility with Aruba Central, which provides detailed dashboards and analytics for tracking device behavior, user activity, and application performance. Use these insights proactively to address anomalies and refine the policy matrix. For example, if a previously trusted device begins accessing resources outside its assigned role, trigger an automatic quarantine response.
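As an added illustration of the quarantine response just described (not Aruba Central code), the following reads constructed flow records of the form `timestamp,mac,role,dst_group,port`, compares each destination against what the device's role is allowed to reach, and returns the devices that should be moved to a quarantine role once they exceed a threshold of distinct out-of-role destinations. The allowed-destination table, the log lines, and the `Quarantine` role name are all constructed; pulling real flows from the monitoring platform and pushing the role change through NAC are deliberately left out.

```python
"""Out-of-role access detection over flow logs (constructed example)."""
from collections import defaultdict
import csv
import io

# Destination groups each role may reach (constructed, intentionally small).
# A role missing from this table is treated as allowed nothing.
ALLOWED = {
    "Employee": {"internet", "corporate-apps"},
    "IoT": {"cloud-control"},
    "Guest": {"internet"},
}

# Constructed sample flow log: an IoT camera that starts probing internal
# systems, an employee touching one admin host, and a well-behaved guest.
SAMPLE_LOG = """\
ts,mac,role,dst_group,port
2024-05-01T09:00:01,00:11:22:33:44:55,IoT,cloud-control,443
2024-05-01T09:00:05,00:11:22:33:44:55,IoT,file-servers,445
2024-05-01T09:00:09,00:11:22:33:44:55,IoT,admin-systems,22
2024-05-01T09:00:12,00:11:22:33:44:55,IoT,corporate-apps,8080
2024-05-01T09:01:00,de:ad:be:ef:00:01,Employee,corporate-apps,443
2024-05-01T09:01:30,de:ad:be:ef:00:01,Employee,admin-systems,22
2024-05-01T09:02:00,de:ad:be:ef:00:02,Guest,internet,443
"""


def parse_flows(text):
    """Yield one dict per flow record; port is converted to int."""
    for row in csv.DictReader(io.StringIO(text)):
        row["port"] = int(row["port"])
        yield row


def find_out_of_role(flows, allowed=ALLOWED):
    """Map mac -> set of destination groups outside the device's role."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst_group"] not in allowed.get(f["role"], set()):
            hits[f["mac"]].add(f["dst_group"])
    return dict(hits)


def quarantine_candidates(flows, threshold=3, allowed=ALLOWED):
    """MACs whose distinct out-of-role destinations reach the threshold.

    A single stray connection is logged but not acted on; a device fanning
    out to several disallowed groups is the pattern worth quarantining."""
    hits = find_out_of_role(flows, allowed)
    return sorted(mac for mac, dsts in hits.items() if len(dsts) >= threshold)


def apply_quarantine(macs, current_roles):
    """Return a new role table with the offending devices moved to Quarantine."""
    updated = dict(current_roles)
    for mac in macs:
        updated[mac] = "Quarantine"
    return updated


if __name__ == "__main__":
    offenders = quarantine_candidates(parse_flows(SAMPLE_LOG))
    roles = {"00:11:22:33:44:55": "IoT", "de:ad:be:ef:00:01": "Employee"}
    print(offenders)
    print(apply_quarantine(offenders, roles))
```

The threshold on distinct destinations, rather than a raw count of denied flows, keeps one misconfigured application from quarantining a device while still catching lateral probing; tune it against your own baseline before wiring the result to an automated role change.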
Deploy advanced threat detection capabilities, such as Aruba’s Intrusion Detection and Prevention (IDP) systems, to complement the Zero Trust strategy. These systems can identify and mitigate threats that bypass traditional defenses, ensuring comprehensive protection.
Plan your policy design strategy using the steps above to implement an efficient, effective, and comprehensive strategy with minimal disruption to existing network operations. Address policy design in phases, starting with restricting access at the highest level and layering policy based on usage levels and risk zones. Often, careful planning based on these steps can eliminate redundant policies and enforcement practices and reduce implementation and maintenance time when upgrading existing infrastructure.
Finally, adopt a continuous improvement mindset. Schedule periodic reviews of Zero Trust implementations, incorporating lessons learned from incident reports, audits, and industry trends. Regularly update policies, roles, and enforcement mechanisms to address emerging threats and adapt to organizational changes.