
TRUST NO ONE

HOW A ZERO TRUST MODEL CAN BOLSTER YOUR SECURITY ENVIRONMENT

The pandemic has triggered an unprecedented rise in cyber-attacks. The growing reliance on digital platforms has opened up new avenues for bad actors to exploit. Cybercriminals have used the trend of remote work to launch phishing and ransomware attacks targeting employees working from home. This has sharpened the need for zero trust security, a model that calls for strict authentication and verification of access to all resources.


Zero trust is starting to become an integral part of basic security architecture and, according to industry experts, will soon become the new normal for cybersecurity.

“The age of the corporate network and single security perimeter is coming to an end,” says Ajay Nawani, Director Sales Engineering, MEA, Sophos, explaining why zero trust will become the new normal in 2021. “In today’s time of fluctuating lockdowns and the new normal of work life, users are increasingly working remotely, conducting their work over the public internet. The pandemic has accelerated the digital transformation needs and has given rise to usage of Software-as-a-Service (SaaS) apps, cloud platforms, and other cloud-based services that have eroded the efficacy of using the network as the primary element to secure a resource. In this new normal way of working, organisations can no longer rely on a single, sealed-off corporate network and afford trust to all the systems that reside within it. All these have made zero trust the only approach for cybersecurity in today’s dynamic times.”

Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint, says zero trust was already a buzzword in cybersecurity before the pandemic. However, the COVID-19 pandemic has paved the way for organisations to look more closely at zero trust security.

“COVID-19 has triggered a shift to remote working globally, which in turn has increased organisations’ attack surfaces, making them potentially more susceptible to targeted attacks and cementing the notion that people are the new perimeter,” he says.

The latest Proofpoint report has shown that while 82% of infosec professionals admitted their workforce shifted to working from home in 2020, a mere 30% trained users on safe remote working habits. While some offices are reopening, remote working will continue to be more prevalent and further amplify the need for a tighter, more flexible security strategy; and this is where zero trust will become crucial, coupled with an ongoing, comprehensive employee security awareness training programme.

Ahmed Safwat, Presales Consultant at A10 Networks, agrees that the pandemic has accelerated the investment in zero trust access. “2020 was the year of understanding what the zero trust model is in a practical sense. Throughout the year, we saw security vendors align their solutions with the zero trust model, adjust the model as we got more clarity on what it means to be a zero trust user, device, or network, and explore the policy changes necessary to a successful implementation of the zero trust model. As the COVID-19 pandemic fast-tracked the move to SaaS and made the “work from home” model mainstream, the importance of zero trust security has gained critical importance,” he says.

What are the key factors for security pros to consider while planning for a zero trust architecture?

Ram Narayanan, Country Manager, Check Point Software Technologies Middle East, says implementing zero trust security can dramatically decrease an organisation’s cyber risk. Additionally, this model can help to improve threat detection and increase visibility into an organisation’s internal network. “The key factor is to create a network segmentation by placing multiple inspection points within the network to block malicious or unauthorised lateral movement; so in the event of a breach, the threat is easily contained and isolated.”

Toufic Derbass, MD of Middle East and Africa at Micro Focus, offers another perspective: “Zero trust is not a single technology (though it’s sometimes described that way), but a collection of activities working together to give you the best protection possible as your information travels across devices, apps, and locations around the world. You don’t have to have all these technologies or adopt them all at once. Just keep in mind that they function best in concert, so it’s important to sync everything up as you go along.”

Giuseppe Brizio, CISO EMEA, Qualys, says it is essential to start defining a strategy and creating awareness about zero trust within the organisation by engaging key stakeholders and explaining how cyber risks could endanger business whilst explaining how the zero trust strategy will mitigate those risks. “Considering the wide span of the zero trust model, the strategy jointly developed with business functions, combined with a rigorous risk-based approach, will help you define priorities when it comes to applying zero trust,” he says.

Never trust, always verify

With credential stealing emerging as a key attack vector, multi-factor authentication is a core pillar of the zero trust model.

“Based around the notion of ‘never trust, always verify’, zero trust is built on secure authentication techniques such as multi-factor authentication (MFA) and authorisation policies like least privilege access to ensure only legitimate users and devices get access to the corporate resources they need, and no more. It also supports the flexible, remote workforce of today by working anywhere, anytime, on any device,” says Sinan Eren, VP, Zero Trust Access, Barracuda.

MFA, which requires users to complete two or more verification methods to access a company network, system, or resource, should be the standard for all organisations, according to Candid Wüest, VP of Cyber Protection Research at Acronis.

He adds that zero trust goes beyond MFA. “It will analyse the requests made by the user even if the first authentication succeeded, as it could be a compromised machine where the attacker hijacked the legitimate VPN connection, an elaborate phishing attack that stole and reused the MFA token in real time or even an insider attack. For example, you would not want to grant ‘Paul’ from marketing full access to the financial salary database, just because he authenticated his VPN correctly with MFA.”

Mistakes to avoid

Zero trust isn’t free from pitfalls and implementing it is not an easy feat. It’s important for CISOs to understand the risk factors and how to overcome them.

“Don’t set up zero trust as synonymous with a point in time or with a product. In that lies pain and disillusionment. Instead, use it as a guiding principle and use it to solve the biggest problem in security — the lack of alignment with most businesses. Remember it’s one factor in the architecture, not the only one, and it’s a good tool to use for progressive improvements to a security program,” says Sam Curry, chief security officer, Cybereason.

Shift your current mindset and don’t think of networking and security as separate, says Ali Sleiman, Regional Technical Director, MEA at Infoblox. “The implementation of a Zero Trust architecture requires you to step back from your current architecture and begin with basic analysis. You must identify your sensitive data stores, both in the cloud and on-premise. These are the data stores that contain critical information that is protected by regulation (compliance) and hold critical customer, partner, and employee sensitive data that must be protected by many layers of policy related to security, governance, and more,” he says.

He adds that you also need to identify which data is toxic and restricted to the absolute minimum, based on demystifying the user and driving access to your network and data based on authoritative real-time information that can determine what role in the organisation this user has, where they are connected from (location and device) and what their destination is.

Narayanan from Check Point says zero trust is useless without the ability to enforce it. An organisation may develop role-based access control policies, but, if inappropriate access requests are not detected and blocked, then this provides little benefit. Even inconsistent enforcement across the enterprise network is problematic since sensitive data and resources may be located in areas with weak enforcement, enabling an attacker to gain access to them.

“Designing and implementing an effective zero trust architecture is a multistage process and organisations must follow the best practice of identifying data and assets that are valuable, classifying the level of sensitivity of each asset, creating data flows and grouping assets with similar functionalities, defining a segmentation gateway – physical or virtual, and finally defining a least privilege access policy for each asset,” he sums up.

THE EXPERTS SPEAK

Zero trust is not a product or a solution: it is an approach or framework that IT can use to enable secure access for all applications, from any devices, by not only establishing trust between the device and an application only at the time of login, but also by continuously evaluating trust at every touchpoint.

Taj El-khayat, Regional Director Middle East & North Africa, Citrix

Zero trust architecture has received tremendous interest in the cybersecurity field and gained market traction of late. With cyber breaches on the rise, the widespread shift to the remote workforce and the business transition to the cloud have positioned the zero trust approach very strongly and favourably among cybersecurity practitioners and officers. The zero trust philosophy is based on the idea that users should have only the bare minimum access they need to perform their job.

Ray Kafity, Vice President - Middle East Turkey and Africa (META) at Attivo Networks

Zero trust was already a key topic in security long before the spread of the COVID-19 virus, but the pandemic definitely helped generate more interest in this identity-based approach to security. As organizations shifted to remote work, the networks were no longer secure and there was a sense of vulnerability due to the lack of a controlled office environment. As more organizations look into implementing zero trust, it is important to note that while it is advantageous, organisations must implement new technologies that provide robust security measures without compromising the user experience. In the concept of zero trust, cybersecurity administrators must rigorously verify the identity of each person or entity that attempts to access network resources, from within the company perimeter, or remotely. However, even zero trust may not go far enough. The new normal of working has had a profound impact on the new normal of cyber security. With an enterprise’s network extending to worker’s homes and personal devices, the new age of the ‘unbound enterprise’ will demand an adoption of Gartner’s Secure Access Service Edge (SASE) as an architecture for bringing security into a converged, cloud-delivered platform.

Gihan Kovacs, Senior Country Sales Manager UAE and Pakistan, Forcepoint

Zero trust is a high-end goal that will become the new normal for cybersecurity. That being said, realistically, the successful zero trust implementations that have gone from marketing to reality are ones that have had zero trust designed in from day one. Typically, this is not something everyone can do unless they are embarking on a brand new initiative. To put it simply, if your organisation has not yet embraced the concepts of password management, least privilege, and secure privileged remote access, or still maintains shared accounts for access, zero trust is a distant goal and not something you can embrace first.

Morey Haber, CTO & CISO, BeyondTrust

The zero trust principle has become more and more common in recent years for many obvious reasons. DX is transforming IT environments from the legacy, DC-centric, perimeter based architectures to a highly interconnected mesh of distributed networks, devices, applications, workloads, data and identities, which operate in a completely hybrid model of on-prem, cloud and remote setups. In order to secure these perimeterless dynamic environments, and be able to seamlessly and rapidly adapt, the zero trust security framework has been developed.

Wael Jaber, Vice President of Technology and Services at CyberKnight
