Digital business creates unprecedented cyber risks, and many organisations struggle to balance cybersecurity with the need to run the business.
Assembly helps IT teams develop processes that enable risk-based decisions while protecting against security threats and preventing data breaches and other cybersecurity events.
As cybersecurity and regulatory compliance become the two biggest concerns of corporate boards, many are adding cybersecurity experts specifically to scrutinise security and risk issues. Adding a cybersecurity expert is just one of the eight security and risk trends for 2021, many of which are driven by recent events such as high-profile security breaches and the COVID-19 pandemic.
In the past year, the typical enterprise has been turned inside out. As the new normal takes shape, every organisation will need an always-connected defensive posture, and clarity on which business risks remote users elevate, in order to remain secure.
Security and risk management leaders need to move beyond the zero trust hype and implement two key projects to reduce risk.
Historically, security models depended on a “castle and moat” type of architecture, with the enterprise network and data centre on the inside, and firewalls guarding the perimeter. Anything located on the outside was considered untrusted. Anything on the inside was considered trusted.
However, trust based on physical location breaks down when users are mobile and when external partners require access. It creates excessive implicit trust — trust that attackers abuse.
Enter zero trust
The term ‘zero trust’ is widely abused in security product marketing. However, it is useful as a shorthand way of describing an approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources.
“Zero trust is a way of thinking, not a specific technology or architecture. It’s really about zero implicit trust, as that’s what we want to get rid of.”
A complete zero trust security posture may never be fully achieved, but specific initiatives can be undertaken today.
Assembly recommends that organisations start with two network-related security projects.
Why start with the network?
TCP/IP network connectivity was built in a time when trust could be assumed. It was built to connect people and organisations, not to authenticate. Network addresses are weak identifiers at best. Zero trust networking initiatives use identity as the foundation for new perimeters.
Project 1: Zero trust network access (ZTNA)
In the past, when users left the ‘trusted’ enterprise network, VPNs were used to extend the enterprise network to them. If attackers could steal a user’s credentials, they could easily gain access to the enterprise network.
Zero trust network access abstracts and centralises access mechanisms so that security engineers and staff can be responsible for them. It grants appropriate access based on the identity of the humans and their devices, plus other context such as time and date, geolocation, historical usage patterns and device posture. The result is a more secure and resilient environment, with improved flexibility and better monitoring.
The shift to a largely remote workforce has created intense interest in ZTNA, with media headlines proclaiming ‘The VPN is dead.’
Although VPN replacement is a common driver for its adoption, ZTNA typically augments, rather than replaces, a VPN. By allowing users access only to what they need, and by shifting to cloud-based ZTNA offerings, you can avoid overloading your VPN infrastructure.
Longer term, this zero trust network access security posture can continue to be used when people return to the office.
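The access decision described above, as an added example rather than Assembly's own code or any product's logic: a minimal ZTNA-style policy decision point that grants access to one application from the user's entitlements, the device's posture and the request context, never from the network the request arrives on. The application name, groups, allowed hours, device attributes and the sample requests are all constructed for illustration.

```python
"""
Added example, not Assembly's code: a minimal ZTNA-style policy decision
point. Access to an application is granted per request from the user's
identity, the device's posture and the request context, never from the
network the request arrives on. All application names, groups, thresholds
and the sample requests are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset           # entitlements from the identity provider
    mfa_verified: bool          # this session completed multi-factor auth


@dataclass(frozen=True)
class Device:
    managed: bool               # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool            # no outstanding critical patches


@dataclass(frozen=True)
class Context:
    country: str                # geolocation of this request
    hour_utc: int               # hour of day the request arrives
    usual_countries: frozenset  # derived from the user's historical usage


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: frozenset
    require_managed_device: bool = True
    allowed_hours_utc: range = range(0, 24)


def evaluate(user: User, device: Device, ctx: Context, policy: AppPolicy):
    """Return (decision, reasons). Decision is 'allow', 'step_up' or 'deny';
    the default is deny, and an allow must pass every check in turn."""
    # 1. Identity: the user must be entitled to this specific application,
    #    not merely authenticated to "the network".
    if not (user.groups & policy.allowed_groups):
        return "deny", ["user not entitled to application"]
    # 2. Device posture: stolen credentials presented from an unmanaged or
    #    unhealthy device do not get in, which is the gap a plain VPN leaves.
    if policy.require_managed_device and not device.managed:
        return "deny", ["device not managed"]
    if not (device.disk_encrypted and device.os_patched):
        return "deny", ["device posture check failed"]
    # 3. Context: time window configured for this application.
    if ctx.hour_utc not in policy.allowed_hours_utc:
        return "deny", ["outside allowed hours"]
    # 4. Context: an unusual location is allowed only with MFA on the
    #    session; otherwise the user is sent to a step-up challenge.
    flags = []
    if ctx.country not in ctx.usual_countries:
        flags.append("unusual geolocation")
    if flags and not user.mfa_verified:
        return "step_up", flags
    return "allow", flags


# Constructed sample data.
FINANCE_APP = AppPolicy("finance-portal", frozenset({"finance"}),
                        allowed_hours_utc=range(6, 22))
ALICE = User("alice", frozenset({"finance"}), mfa_verified=True)
ALICE_NO_MFA = User("alice", frozenset({"finance"}), mfa_verified=False)
BOB = User("bob", frozenset({"sales"}), mfa_verified=True)
CORP_LAPTOP = Device(managed=True, disk_encrypted=True, os_patched=True)
UNKNOWN_PC = Device(managed=False, disk_encrypted=False, os_patched=True)
HOME_GB = Context("GB", hour_utc=10, usual_countries=frozenset({"GB"}))
HOTEL_BR = Context("BR", hour_utc=10, usual_countries=frozenset({"GB"}))
NIGHT_GB = Context("GB", hour_utc=3, usual_countries=frozenset({"GB"}))


def decide_scenarios():
    """Run the sample requests and map scenario name -> decision."""
    return {
        "entitled user, healthy managed device": evaluate(ALICE, CORP_LAPTOP, HOME_GB, FINANCE_APP)[0],
        "stolen credentials used from unmanaged device": evaluate(ALICE, UNKNOWN_PC, HOME_GB, FINANCE_APP)[0],
        "unusual location without MFA": evaluate(ALICE_NO_MFA, CORP_LAPTOP, HOTEL_BR, FINANCE_APP)[0],
        "unusual location with MFA": evaluate(ALICE, CORP_LAPTOP, HOTEL_BR, FINANCE_APP)[0],
        "outside allowed hours": evaluate(ALICE, CORP_LAPTOP, NIGHT_GB, FINANCE_APP)[0],
        "user not entitled": evaluate(BOB, CORP_LAPTOP, HOME_GB, FINANCE_APP)[0],
    }


if __name__ == "__main__":
    for scenario, decision in decide_scenarios().items():
        print(f"{decision:8} {scenario}")
```

The second scenario is the one that distinguishes this from the VPN model in the text: the credentials are valid, but because the device is not managed the request is denied before any network path to the application exists. The decision also returns its reasons, which is what you would log to a SIEM so that step-up and deny events can be monitored.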
Project 2: Identity-based segmentation
Identity-based segmentation, also known as micro-segmentation or zero trust segmentation, is an effective way to limit the ability of attackers to move laterally in a network once they’re in.
Identity-based segmentation reduces excessive implicit trust by allowing organisations to shift individual workloads to a “default deny” rather than an “implicit allow” model. It uses dynamic rules that assess workload and application identity as part of determining whether to allow network communications.
When starting an identity-based segmentation strategy, begin with a small collection of your most critical applications and servers for the initial implementation and expand from there.
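The "default deny" model with identity-based rules from the paragraphs above, as an added example that is not Assembly's code or any segmentation product's policy format: workloads carry labels (their identity), rules match on those labels rather than on addresses, and a flow is permitted only when a rule explicitly names both ends and the port. The workload names, labels, IP addresses, rules and sample flows are all constructed.

```python
"""
Added example, not Assembly's code: identity-based segmentation modelled as
a default-deny policy evaluated over workload identities (labels such as
app and tier) rather than IP addresses. Workload names, labels, IPs, rules
and the sample flows below are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str                                     # kept only to show the decision never consults it
    labels: dict = field(default_factory=dict)  # the workload's identity


@dataclass
class Rule:
    name: str
    src: dict             # labels the source must carry (all must match)
    dst: dict             # labels the destination must carry
    ports: frozenset      # destination ports the rule permits


def matches(selector: dict, labels: dict) -> bool:
    """A selector matches only if every required label is present and equal.
    An empty selector would match anything, so it is refused: rules must
    name an identity on both sides."""
    if not selector:
        return False
    return all(labels.get(k) == v for k, v in selector.items())


def is_allowed(src: Workload, dst: Workload, port: int, rules: list) -> tuple:
    """Default deny: a flow passes only if an explicit rule permits it.
    Returns (allowed, name of the matching rule or 'default-deny')."""
    for rule in rules:
        if (matches(rule.src, src.labels) and matches(rule.dst, dst.labels)
                and port in rule.ports):
            return True, rule.name
    return False, "default-deny"


# Constructed workloads, all on one flat subnet, so a traditional network
# segment on its own would let any of them reach any other.
PAYMENTS_WEB = Workload("payments-web-1", "10.0.1.10", {"app": "payments", "tier": "web", "env": "prod"})
PAYMENTS_DB = Workload("payments-db-1", "10.0.1.20", {"app": "payments", "tier": "db", "env": "prod"})
HR_DB = Workload("hr-db-1", "10.0.1.30", {"app": "hr", "tier": "db", "env": "prod"})
ROGUE_HOST = Workload("unknown-host", "10.0.1.40")   # no attested workload identity

RULES = [
    Rule("payments-web-to-db", {"app": "payments", "tier": "web"}, {"app": "payments", "tier": "db"}, frozenset({5432})),
    Rule("hr-web-to-db", {"app": "hr", "tier": "web"}, {"app": "hr", "tier": "db"}, frozenset({5432})),
]

# Constructed sample flows: the first is legitimate traffic; the others are
# the kinds of flow that segmentation exists to stop.
SAMPLE_FLOWS = [
    (PAYMENTS_WEB, PAYMENTS_DB, 5432),
    (PAYMENTS_WEB, HR_DB, 5432),       # another application's database
    (PAYMENTS_WEB, PAYMENTS_DB, 22),   # permitted pair, unpermitted port
    (ROGUE_HOST, PAYMENTS_DB, 5432),   # same subnet, no workload identity
]


def evaluate_flows(flows=SAMPLE_FLOWS, rules=RULES) -> list:
    """Evaluate each flow; returns (src name, dst name, port, allowed, rule)."""
    return [(s.name, d.name, p, *is_allowed(s, d, p, rules)) for s, d, p in flows]


def denied_flows(flows=SAMPLE_FLOWS, rules=RULES) -> list:
    """Denied flows are the ones worth alerting on: under default deny, each
    is either a missing rule to fix or an attempted lateral move to investigate."""
    return [f for f in evaluate_flows(flows, rules) if not f[3]]


if __name__ == "__main__":
    for src, dst, port, ok, rule in evaluate_flows():
        print(f"{'ALLOW' if ok else 'DENY ':5} {src} -> {dst}:{port}  ({rule})")
```

Two design points worth noting. The `ip` field is carried but never read, which is the whole shift from network-based to identity-based segmentation: a host that sits on the right subnet but presents no identity gets nothing. And because the policy is default deny, the denied list doubles as the starting point for the incremental rollout the text recommends: run it in monitor mode over the first critical applications, turn the legitimate denials into rules, then enforce.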
Once you have implemented ZTNA and identity-based segmentation, move on to other initiatives to extend a zero trust approach throughout your technology infrastructure.
For example, remove remote admin rights from end-user systems, pilot a remote browser isolation solution, encrypt all data at rest in the cloud and start scanning containers that your developers are creating for new apps.