Peer to Peer Doesn’t Work with Zero Trust Networks — Here’s What Does Work.

Peer to Peer (P2P) eCDN technology has many benefits: it is convenient, easy to deploy, and doesn’t require additional hardware.  Ramp’s P2P eCDN doesn’t require desktop agents on client machines and even works with iOS devices.

Unfortunately, the P2P technology model breaks the core principles of zero-trust security. Here’s why, and which alternatives actually align with a zero trust security model:


Zero Trust Core Principles

In a zero trust approach, the network is considered compromised and, therefore, hostile. Core principles of a zero-trust architecture include:

  • Micro-segmentation – Micro-segmentation is a network security technique that enables security architects to logically divide the data center into distinct security segments down to the individual workload level and then define security controls and deliver services for each unique segment. By tying fine-grained security policies to individual workloads, micro-segmentation software limits an attacker’s ability to move laterally through a network, even after infiltrating the perimeter defenses.
  • Least privilege – The principle of least privilege addresses access control and states that an individual should have only the minimum access privileges necessary to perform a specific job or task and nothing more.  One of the benefits of practicing least privilege is that it reduces an organization’s attack surface.  Attack surface refers to all entry points through which an attacker could potentially gain unauthorized access to a network or system to extract or enter data or carry out other malicious activities. A broad attack surface is challenging for organizations to defend.
  • Preventing lateral movement – In network security, “lateral movement” is when an attacker moves within a network after gaining access to that network. Lateral movement can be difficult to detect even if you can find the attacker’s entry point, because the attacker may have already gone on to compromise other parts of the network. Zero trust is designed to contain attackers so that they cannot move laterally. Access within a zero trust architecture is segmented and must be re-established periodically, so an attacker cannot move across to other microsegments within the network. Once the attacker’s presence is detected, the compromised device or user account can be quarantined and cut off from further access.

Why Peer to Peer Doesn’t Work with Zero Trust Security

While zero-trust architectures enforce micro-segmentation and prevent lateral movement within the network, P2P is fundamentally the opposite.

P2P works by propagating data laterally across the network. P2P also shares data with little or no verification, which breaks the “least privilege” principle. Some variations of P2P eCDN even allow the distribution of software packages through peering. This means that if a malicious agent penetrates the network, P2P could act as a vehicle to expand the attack surface, ultimately infecting devices more quickly across the organization.

Simply, P2P

P2P also typically uses public cloud infrastructure, which increases the surface area for attack. Combined with its reliance on lateral movement across the network and its lack of verification, P2P presents a serious challenge for organizations that want to adopt a zero trust architecture.

Which eCDN Technologies Work with Zero Trust Networks?

For organizations moving to a zero-trust security approach, multicast and caching technologies are simply better choices. They naturally comply with the principles of zero trust architecture. Multicast and caching solutions deploy inside the firewall, so there is no additional exposure to the internet.

Multicast is the most efficient eCDN technology. It delivers up to 99.9% bandwidth reduction.  Learn more about multicast eCDN here.

Caching is the most versatile eCDN technology. Caching can be used as a standalone technology for live streaming and video on demand and delivers over 90% bandwidth savings.  It can be used in conjunction with multicast and P2P for greater savings and resilience.  Caching can be implemented on-premises or in the cloud.  Learn more about caching here.

On-premises eCDN deployments are considered the most secure because they reside entirely behind the firewall.  Multicast and caching eCDN technologies can be deployed completely on-premises.

Ramp Universal eCDN for Every Network Architecture

Networks are like snowflakes — no two are alike. That’s why Ramp’s Universal eCDN offers a choice of all three eCDN technologies in a single solution. Organizations can use the most appropriate eCDN to fit their needs and even mix and match technologies for different parts of the network. For example, an organization can use multicast in the main campus for the highest savings, while a newly acquired division can be quickly set up with P2P. Caching can be leveraged to efficiently deliver video on demand.

For organizations adopting a zero trust security model, only Ramp eCDN fits within the governance framework and operational security of zero-trust implementations for users, devices, services, and data. To learn more about how Ramp can help, contact us here.