Security and risk management leaders need to move beyond the zero trust hype and implement two key projects to reduce risk
We are operating in the most complex cybersecurity landscape that we’ve ever seen. While our current ability to detect and respond to attacks has matured incredibly quickly in recent years, ‘bad actors’ haven’t been standing still. A pandemic-focused year made the events of 2020/21 unprecedented in numerous ways, and the cyber attacks were no different.
As the world transitioned to virtual everything – work, school, meetings and family gatherings – attackers took notice. Attackers embraced new techniques and a hurried switch to remote access increased cyber threats across the board.
Large-scale attacks, alongside ransomware attacks on critical infrastructure, indicate that attackers have become increasingly sophisticated and coordinated. It is abundantly clear that the work of IT teams is critical.
Garmin, the navtech supplier, suffered a cyber attack that encrypted some of its systems and forced services offline. Though Garmin first reported it as an outage, the company revealed that it was the victim of a cyberattack which resulted in the disruption of “website functions, customer support, customer-facing applications, and company communications.” The press release also stated there was no indication that any customer data was accessed, lost or stolen. Speculation rose that the incident was a ransomware attack, although Garmin never confirmed this. In addition, several media outlets reported that the company gave in to the attackers’ demands and that a ransom had been paid. Some news outlets reported it as high as $10 million.
Historically, security models depended on a “castle and moat” type of architecture, with the enterprise network and data centre on the inside, and firewalls guarding the perimeter. Anything located on the outside was considered untrusted. Anything on the inside was considered trusted.
However, trust based on physical location breaks down when users are mobile and when external partners require access. It creates excessive implicit trust – trust that attackers abuse.
Enter zero trust
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorised, and encrypted before access is granted. Microsegmentation and least-privilege access principles are applied to minimise lateral movement. Rich intelligence and analytics are utilised to detect and respond to anomalies in real time.
The term “zero trust” is widely abused in security product marketing. However, it is useful as a shorthand way of describing an approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow just-in-time, just-enough access to enterprise resources.
“Zero trust is a way of thinking, not a specific technology or architecture. It’s really about zero implicit trust, as that’s what we want to get rid of.”
A complete zero trust security posture may never be fully achieved, but specific initiatives can be undertaken today.
Assembly recommends that organisations looking to implement zero trust start with two network-related security projects.
Why start with the network?
TCP/IP network connectivity was built in a time when trust could be assumed. It was built to connect people and organisations, not to authenticate. Network addresses are weak identifiers at best. Zero trust networking initiatives use identity as the foundation for new perimeters.
Project 1: Zero trust network access (ZTNA)
In the past, when users left the “trusted” enterprise network, VPNs were used to extend the enterprise network to them. If attackers could steal a user’s credentials, they could easily gain access to the enterprise network.
Zero trust network access abstracts and centralises access mechanisms so that security engineers and staff can be responsible for them. It grants appropriate access based on the identity of the humans and their devices, plus other context such as time and date, geolocation, historical usage patterns and device posture. The result is a more secure and resilient environment, with improved flexibility and better monitoring.
The shift to a largely remote workforce during the COVID-19 pandemic has created intense interest in ZTNA, with media headlines proclaiming ‘The VPN is dead.’
Although VPN replacement is a common driver for its adoption, ZTNA typically augments, rather than replaces, a VPN. By allowing users access to what they need, and by shifting to cloud-based ZTNA offerings, you can avoid overloading your VPN infrastructure.
Longer term, this zero trust network access security posture can continue to be used when people return to the office.
Project 2: Identity-based segmentation
Identity-based segmentation, also known as micro or zero trust segmentation, is an effective way to limit the ability of attackers to move laterally in a network once they are in.
Identity-based segmentation reduces excessive implicit trust by allowing organisations to shift individual workloads to a “default deny” rather than an “implicit allow” model. It uses dynamic rules that assess workload and application identity as part of determining whether to allow network communications.
When starting an identity-based segmentation strategy, begin with a small collection of the most critical applications and servers for the initial implementation and expand from there.
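Both projects above come down to the same decision shape: an explicit allow list evaluated against an authenticated identity, with everything unmatched denied. The following added example (not code from the article or from Assembly) models that with one small policy engine and two rule sets: a ZTNA set that judges a human identity on device posture and context, as described under Project 1, and a segmentation set that judges workload-to-workload traffic on workload identity rather than IP address, as described under Project 2. A location-based "castle and moat" check is included only for contrast. All identities, rule names, address ranges and sample requests are constructed for illustration.

```python
"""Default-deny, identity-keyed access decisions.

Added example, not code from the article or from Assembly. One engine
serves two decisions the text describes:
  - ZTNA: a human identity on a device asks for an application and is judged
    on identity, device posture and context (country, hour of day);
  - identity-based segmentation: a workload identity asks to reach another
    workload and is judged on that identity, never on its source address.
Every identity, rule and sample request below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Request:
    subject: str                       # authenticated identity (user or workload)
    resource: str                      # application or workload being reached
    device_posture: str = "unknown"    # e.g. "managed-compliant", "unmanaged"
    country: Optional[str] = None
    hour_utc: Optional[int] = None
    src_ip: str = "0.0.0.0"            # kept for logging; zero trust rules never read it


@dataclass(frozen=True)
class Rule:
    name: str
    subjects: frozenset
    resources: frozenset
    condition: Callable[[Request], bool] = lambda r: True


class Policy:
    """Explicit allow list: a request that matches no rule is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: Request) -> Tuple[str, str]:
        for rule in self.rules:
            if (req.subject in rule.subjects
                    and req.resource in rule.resources
                    and rule.condition(req)):
                return ("allow", rule.name)
        return ("deny", "default-deny")


# --- The old "castle and moat" check, kept only for contrast ---------------
CORPORATE_LAN = ip_network("10.0.0.0/8")   # constructed internal range


def legacy_perimeter_decision(req: Request) -> str:
    """Location-based trust: anything inside the network is implicitly allowed."""
    return "allow" if ip_address(req.src_ip) in CORPORATE_LAN else "deny"


# --- Project 1: ZTNA, identity plus device posture plus context ------------
def compliant_business_hours(req: Request) -> bool:
    return (req.device_posture == "managed-compliant"
            and req.country in {"GB", "IE"}
            and req.hour_utc is not None and 7 <= req.hour_utc <= 19)


ZTNA_POLICY = Policy([
    Rule("finance-to-erp", frozenset({"alice@example.test"}),
         frozenset({"erp"}), compliant_business_hours),
    Rule("helpdesk-to-ticketing", frozenset({"bob@example.test"}),
         frozenset({"ticketing"}),
         lambda r: r.device_posture == "managed-compliant"),
])

# --- Project 2: identity-based segmentation between workloads --------------
SEGMENTATION_POLICY = Policy([
    Rule("frontend-to-orders", frozenset({"workload:web-frontend"}),
         frozenset({"workload:orders-api"})),
    Rule("orders-to-db", frozenset({"workload:orders-api"}),
         frozenset({"workload:orders-db"})),
])


def ztna_decision(req: Request) -> str:
    return ZTNA_POLICY.decide(req)[0]


def segmentation_decision(req: Request) -> str:
    return SEGMENTATION_POLICY.decide(req)[0]


if __name__ == "__main__":
    # A stolen credential used from inside the LAN on an unmanaged device:
    # the perimeter model lets it through, the ZTNA policy does not.
    stolen = Request("alice@example.test", "erp", "unmanaged", "GB", 10, "10.4.2.9")
    print("perimeter:   ", legacy_perimeter_decision(stolen))  # allow
    print("ztna:        ", ztna_decision(stolen))              # deny
    # The front end may reach the orders API but not jump straight to the DB.
    hop = Request("workload:web-frontend", "workload:orders-db")
    print("segmentation:", segmentation_decision(hop))         # deny
```

The point of the contrast is the `src_ip` field: the perimeter check keys its decision on it, while neither zero trust policy ever reads it, so a request arriving from a "trusted" address earns nothing. Starting small, as the text advises, maps to keeping `SEGMENTATION_POLICY` to a handful of critical workload pairs and growing it as traffic between them is understood.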
Once you have implemented ZTNA and identity-based segmentation, move on to other initiatives to extend a zero trust approach throughout your technology infrastructure.
For example, remove remote admin rights from end-user systems, pilot a remote browser isolation solution, encrypt all data at rest in the public cloud and start scanning containers that your developers are creating for new apps.
Assembly Project One is an opportunity for organisations to improve cybersecurity postures and act rapidly to implement Zero Trust, including multifactor authentication and end-to-end encryption.