TRUST ISSUES
READY TO JUMP ON THE ZERO TRUST BANDWAGON? INDUSTRY EXPERTS EXPLAIN THE STEPS THAT WILL KEEP YOUR STRATEGY ON TRACK.
The hype around the Zero Trust model has reached a crescendo. It is being touted as the necessary new way of life for businesses as they move from perimeter-based security to a methodology built on least-privileged access.
For organisations looking to adopt a Zero Trust security model, it is important to understand some common myths and misconceptions. First of all, Zero Trust is not a product, and it does not solve any technology problem on its own. No one can sell you a Zero Trust solution. Instead, it is a security mindset centred on the idea that enterprises should not automatically trust anything, and should instead verify users, devices, and networks on every access.
What is driving the growing appetite for Zero Trust architecture?
“With the continued growth of the bring your own device (BYOD) and work-from-anywhere (WFA) phenomena, more and more employees need to have access to their organisation’s internal resources from any place at any time. It is worth highlighting that the pandemic saw a gigantic increase in brute-force attack attempts against the remote desktop protocol (RDP), demonstrating the high interest of cybercriminals in taking advantage of the current remote work situation,” says Alain Penel, Regional Vice President – Middle East & Turkey, Fortinet.
Another component driving Zero Trust is the growing adoption and use of storage services in the cloud. The cloud often hosts the data, resources, and even the critical services of organisations, he says.
Frank Kim, SANS Fellow and Information Security Consultant, says with the increased use of cloud services and modern architectures relying on APIs and microservices, the computing landscape has changed. The older perimeter-based model is untenable for these modern architectures. Zero Trust helps CISOs and security leaders incorporate other important “perimeters” such as identity, application, and data protections that take these new paradigms into account.
Ashraf Sheet, Vice President – META, Swimlane, agrees: “An increase in cloud-based environments and more remote workers logging in from anywhere have transformed traditional security strategies. Because the corporate network and data are accessible from any location, new vulnerabilities become exposed. Rather than assuming that internal users of a network are safe, modern security frameworks need to accommodate these new risks. Zero Trust is the best way to counter these new challenges.”
Zero Trust has grown in popularity recently among technical and non-technical audiences, says Bachir Moussa, Regional Director – MEAR, Nozomi Networks. “It’s simple to grasp the factors contributing to this success: the trust-by-design methodology is out-of-date and has demonstrated how disastrous outcomes can occur when a device or application is trusted a priori without taking context into account. With data and applications operated on remote cloud services and an increase in the usage of mobile and IoT devices, the security perimeter strategy is no longer as effective today,” he adds.
Key principles of Zero Trust
With so many definitions of Zero Trust around, security leaders must cut through the noise and understand its basic tenets.
“Trust nothing. Ever,” says Harish Chib, Vice President – Middle East & Africa, Sophos. “For when you trust nothing, you are forced to seek relevant security measures wherever there is a risk. Verify everything. Do not assume that passing a check naturally affords trust. Having credentials doesn’t mean you are trustable. It just means you have credentials. And credentials can be stolen,” he warns.
Sajith Kumar, General Manager – Enterprise at Cloud Box Technologies, says the key to a successful implementation of Zero Trust security is Identify, Protect, Detect and Respond. Organisations must expand their focus from protecting the network perimeter to individual systems and services. Conventional perimeter-based security strategies require one to identify and protect all potential vulnerabilities around network devices, with policies that account for every possible flaw.
As the network perimeter expands with public cloud, a hybrid workforce, remote users, data centres and other complications, the attack surface grows more complex as well, he says.
Penel from Fortinet says that with Zero Trust, no device is allowed to connect to corporate resources freely. Instead, any user or device requesting access must provide validated credentials. Even then, they are only permitted to access the minimum set of resources needed to do their job.
“By denying all unvalidated traffic by default, bad actors and compromised devices can’t even ping the network to explore its resources, let alone the rest of the network. Organisations must adopt two critical strategies to implement a true zero trust approach to cybersecurity: zero trust access (ZTA) and zero trust network access (ZTNA),” he says.
Can enterprises leverage their existing security infrastructure to transition to Zero Trust security?
Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea, says organisations implementing the Zero Trust security model quickly find that it is the opposite of how they have traditionally approached network security. Switching from trusting everything to trusting nothing—and always verifying—could increase friction for employees and have a negative impact on productivity if appropriate measures are not taken.
He adds that it is imperative to have a holistic approach to security, ensuring that all systems are integrated, respond flexibly to different threats, and provide high levels of automation for minimal friction. A successful Zero Trust security model means prioritising zero-friction security: when you implement security controls, they must be better than the previous experience.
According to Kim from SANS, since Zero Trust is not a product but an approach and architecture that allows us to realise key principles, you can definitely use existing security infrastructure to enable Zero Trust capabilities. Existing approaches like client-side certificates and TLS can be used to ensure all traffic is encrypted. “Existing tools can be used to maintain visibility. Of course, using cloud services and cloud-first solutions can make this easier, but Zero Trust can be applied to existing environments as well,” he says.
Sheet from Swimlane says there are some best practices to keep in mind as part of a transition to Zero Trust security. First, security teams should begin the transition by assessing the specific risks that threaten the organisation and considering the data stored and transmitted across the network.
After assessing the specific risks, teams should consider implementing micro-segmentation. This protects against internal threats and is a central step on the road to implementing least-privilege access across the organisation. Finally, with micro-segmentation and encryption in mind, consistent and repeated verification is one of the most important practices in a Zero Trust framework.
“Whenever a user wants to access a new part of the network or some new information, a verification process must be established. Overall, it is important to remember to continuously collect and analyze data from the network and security environment to validate and quantify its efficacy. A low-code security automation platform can play an instrumental role, serving as a system of record for all security operations,” he sums up.
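The principles the experts describe above (deny all unvalidated traffic by default, validate credentials on every request, grant only the minimum resources needed, re-verify at each access to a new segment, and record every decision for later analysis) can be made concrete as a small policy decision point. The following is an added illustration, not code from the article or from any of the vendors quoted; the users, roles, devices, segments, token lifetime and entitlement table are all constructed for the example.

```python
"""Added example: a minimal Zero Trust policy decision point.

Every access request is evaluated from scratch against identity, device
posture and an explicit least-privilege entitlement table. Nothing is
trusted because it is "inside the network", no decision is carried over
from one segment to another, and every decision is written to an audit
log. All inventory values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed device inventory: only managed AND compliant devices may connect.
DEVICE_POSTURE = {
    "laptop-01": {"managed": True, "compliant": True},
    "laptop-02": {"managed": True, "compliant": False},  # failed posture check
    "byod-phone": {"managed": False, "compliant": True},  # not under management
}

# Least-privilege entitlements: role -> {segment -> allowed actions}.
# Anything not listed here is denied; there is no implicit "internal" trust.
ENTITLEMENTS = {
    "finance": {"erp": {"read", "write"}, "payroll": {"read"}},
    "engineer": {"git": {"read", "write"}, "ci": {"read"}},
}

# Constructed freshness window: older assertions force re-authentication.
MAX_TOKEN_AGE = timedelta(minutes=15)

AUDIT_LOG: list = []  # every decision is recorded for continuous analysis


@dataclass
class Token:
    subject: str          # who the identity provider asserted this token for
    issued_at: datetime
    mfa: bool             # whether a second factor was satisfied


@dataclass
class AccessRequest:
    user: str
    role: str
    device: str
    segment: str          # micro-segment being accessed (e.g. "erp")
    action: str
    token: Token


@dataclass
class Decision:
    allow: bool
    reason: str


def _decide(req: AccessRequest, now: datetime) -> Decision:
    """Ordered checks; the first failure denies. Falling through is the only allow path."""
    # 1. Validate the credential presented with this request.
    if req.token.subject != req.user:
        return Decision(False, "token subject does not match requesting user")
    if now - req.token.issued_at > MAX_TOKEN_AGE:
        return Decision(False, "token too old; re-authentication required")
    if not req.token.mfa:
        return Decision(False, "MFA not satisfied")
    # 2. Validate the device: unmanaged or non-compliant devices are denied.
    posture = DEVICE_POSTURE.get(req.device)
    if posture is None or not posture["managed"]:
        return Decision(False, "unmanaged device")
    if not posture["compliant"]:
        return Decision(False, "device failed posture check")
    # 3. Least privilege: the role must be explicitly entitled to this action
    #    on this segment. Access to one segment implies nothing about another.
    allowed = ENTITLEMENTS.get(req.role, {}).get(req.segment, set())
    if req.action not in allowed:
        return Decision(False, f"no entitlement for {req.action} on {req.segment}")
    return Decision(True, "explicitly entitled")


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Evaluate one request (default deny) and record the outcome for audit."""
    decision = _decide(req, now)
    AUDIT_LOG.append((now.isoformat(), req.user, req.device, req.segment,
                      req.action, decision.allow, decision.reason))
    return decision


def run_demo() -> dict:
    """Constructed scenarios; returns scenario name -> allow/deny."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = Token("alice", now - timedelta(minutes=5), mfa=True)
    stale = Token("alice", now - timedelta(minutes=30), mfa=True)
    no_mfa = Token("alice", now - timedelta(minutes=5), mfa=False)
    bobs = Token("bob", now - timedelta(minutes=5), mfa=True)
    scenarios = {
        "fresh_entitled": AccessRequest("alice", "finance", "laptop-01", "erp", "write", fresh),
        "other_segment": AccessRequest("alice", "finance", "laptop-01", "git", "read", fresh),
        "stale_token": AccessRequest("alice", "finance", "laptop-01", "erp", "write", stale),
        "no_mfa": AccessRequest("alice", "finance", "laptop-01", "erp", "read", no_mfa),
        "noncompliant_device": AccessRequest("alice", "finance", "laptop-02", "erp", "read", fresh),
        "unmanaged_device": AccessRequest("alice", "finance", "byod-phone", "erp", "read", fresh),
        "borrowed_token": AccessRequest("alice", "finance", "laptop-01", "erp", "read", bobs),
    }
    return {name: evaluate(req, now).allow for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:>20}: {'ALLOW' if allowed else 'DENY'}")
    for entry in AUDIT_LOG:
        print(entry)
```

Only the first scenario is allowed; the same user with the same fresh credential is still denied on a segment her role is not entitled to, which is the per-segment re-verification the experts describe. Each check is ordered so that the cheapest, most decisive denials come first, and because `evaluate` appends every outcome to `AUDIT_LOG`, the denials themselves become the data a security team analyses to validate the policy.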
THE EXPERTS SPEAK
THE MOST BASIC EXPLANATION OF ZERO TRUST IS IN THE NAME: TRUST NOTHING. AUTHENTICATE, AUTHORIZE, AND CONTINUOUSLY VALIDATE ALL USERS, DEVICES, AND OTHER RESOURCES. WITH THE NOTION OF ZERO TRUST, FOR EXAMPLE, WE NO LONGER LOOK AT A “TRUSTED” INTERNAL NETWORK VERSUS AN “UNTRUSTED” EXTERNAL NETWORK, NOR DO WE THINK OF THE NETWORK PERIMETER AS THE “EDGE” FOR SECURITY. INSTEAD, TODAY THE EDGE IS THE ACCESS POINT SOMEONE IS USING TO TRY TO REACH RESOURCES.
Toni El Inati - RVP Sales, META & CEE, Barracuda Networks
ZERO TRUST ASSUMES THE NETWORK HAS BEEN COMPROMISED AND CHALLENGES THE USER OR DEVICE TO PROVE THAT THEY HAVE AN ACCEPTABLE RISK LEVEL. IT REQUIRES STRICT IDENTITY VERIFICATION FOR EVERY USER AND DEVICE ATTEMPTING TO ACCESS RESOURCES ON A NETWORK, EVEN IF THE USER OR DEVICE IS ALREADY WITHIN THE NETWORK PERIMETER. ZERO TRUST ALSO PROVIDES THE ABILITY TO LIMIT ACCESS ONCE ANYONE IS INSIDE THE NETWORK, PREVENTING AN ATTACKER FROM EXPLOITING LATERAL FREEDOM THROUGHOUT AN ORGANIZATION’S INFRASTRUCTURE.
Bahaa Hudairi, Regional Sales Director – META, Lookout
IN A ZERO TRUST ARCHITECTURE, THE AUTHORISATIONS ARE VERIFIED AT EACH ACCESS ACROSS SEGMENTS. IF THERE’S ZERO TRUST IN THE SECURITY TOKEN THAT WAS ASSEMBLED EARLIER, WE’RE GOING TO GENERATE IT AGAIN OR AT LEAST CONFIRM THE ELEMENTS RELEVANT TO THE ACCESS BEING MADE ARE STILL VALID. ZERO TRUST STILL RELIES ON THE FOUNDATIONAL CONTROLS AND TECHNOLOGIES THAT MOST ORGANISATIONS STILL FAIL TO GET RIGHT, SUCH AS VULNERABILITY MANAGEMENT, PATCH MANAGEMENT, CONFIGURATION MANAGEMENT, IDENTITY AND ACCESS MANAGEMENT, ENDPOINT PRIVILEGE MANAGEMENT, SECURE REMOTE ACCESS AND PRIVILEGED PASSWORD MANAGEMENT. THERE ARE MORE, BUT THOSE ARE THE ‘POSTER CHILDREN’ AS MOST SUCCESSFUL ATTACKS BEGIN WITH A GAP IN ONE OR MORE OF THOSE.