How zero trust strategies reduce risk and save serious cash
This is something that’s not new, but it has gained fresh impetus and importance and is now imperative, argues consultant Paul Rummery…
The old-school network security and access control solutions – firewalls, VPNs, VLANs, user directories and network access controls – are not equipped to support today’s IT reality. Too many organisations don’t know who is accessing what and when. This has only got worse through the pandemic.
Where we’re at… the problem
Two decades ago, applications sat on servers in one room. A firewall perimeter between IP addresses and servers controlled access. Effective – if everything stayed in one place.
Today, applications sit in clouds, hybrids, on third-party managed hosting platforms, in corporate data centres and more. Containerisation and unmanaged endpoints are becoming normal, a global pandemic has changed network access demands dramatically, and users are accessing sensitive data and applications from anywhere and everywhere: coffee shops, hotel wi-fi, home offices. The problem only gets bigger, creating issues for operational IT and for maintaining compliance.
Clearly, information security technical controls must become more virtual or software-based. Organisations have to ensure only authorised employees are accessing corporate resources, especially those that third parties host and maintain. Cyber threats are just as likely to come from inside an organisation as they are from the outside.
Ransomware attacks rely on lateral movement and continue to impact enterprises. Organisations don’t know who is accessing what and when, and more than ever people are accessing corporate resources with their own devices. To top it all off, VPNs, firewalls and intrusion prevention tools are not actually that secure; they are labour intensive and prone to error. Home office hardware is often misconfigured.
In zero we trust… the solution
We need to re-establish the security perimeter back where it belongs, with the user. Criminals can spoof or steal identities and passwords. Zero Trust secures access to critical systems, reduces the attack surface and neutralises threats by applying 'never trust' controls to networks, applications and data.
Users can only access what they need and nothing else, based on identity-centric criteria like location, time, type of device, security patch levels – everything else is invisible.
RSA 2019 cited Zero Trust as one of the most important topics of the conference. “Forrester recently concluded that Zero Trust can reduce an organisation’s risk exposure by 37% or more. But it also found that organisations deploying Zero Trust can reduce security costs by 31% and realise millions of dollars in savings in their overall IT security budgets.”
Zero Trust is here out of necessity, which is why it should take priority in cyber security strategy and C-level discussions. Here are some of the myths debunked…
Myth #1 It’s hard
Many organisations shy away from Zero Trust because they don’t know where to start, or don’t think they can achieve it, predominantly because they don’t have the resources, or have a pre-existing mixed batch of technologies. Zero Trust is not an end-state. It’s a process that involves making changes and upgrades that improve security each time, and incorporating this process is definitely attainable.
Myth #2 I trust my people
This isn’t about not trusting people. Zero Trust helps to ensure that the right people are accessing the right systems. We need to securely enable access for the various users (employees, partners, contractors, etc.) regardless of their location, device or network.
Myth #3 I am starting from scratch
You can work with your existing processes, investments and infrastructure, and easily integrate and unify your approach to Zero Trust.
Zero Trust means adopting the posture that everyone is a threat: verify everything. We talk about protecting against, or being mindful of, ‘multiple attack vectors to your networks and data’. Why not eliminate those attack surfaces by making all resources invisible until the user is authenticated and authorised?
The principle of least privilege is one of the key practices that any security architecture should follow. But Zero Trust architecture advances the principle of least privilege. It ensures the right people have the right level of access, to the right resources, in the right context and that access is assessed continuously — all without adding friction for the user.
Zero Trust is designed with an identity-centric approach to authentication. Rather than a simple yes or no to confirm user access based on whether the IP address has privileges, it is dependent on the granular contextual variables surrounding a user’s access request, for example, user context, data access controls, location, app and device posture.
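The contrast described above, as an added example that is not from the article or any vendor product: a perimeter-style check that looks only at the source IP, beside a default-deny decision over identity, entitlement, location, device posture and time. Every name, network range and threshold in it is constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample policy: networks, roles and thresholds are assumptions.
CORP_NET = ip_network("10.0.0.0/8")
ENTITLEMENTS = {"finance": {"ledger"}, "engineering": {"git", "ci"}}
ALLOWED_COUNTRIES = {"GB", "IE"}
MAX_PATCH_AGE_DAYS = 30
WORK_HOURS = (time(7, 0), time(20, 0))

@dataclass(frozen=True)
class AccessRequest:
    user_role: str
    mfa_passed: bool
    source_ip: str
    country: str
    device_managed: bool
    patch_age_days: int
    at: time
    resource: str

def legacy_ip_decision(req):
    """Perimeter model: a yes/no based only on the source address."""
    return ip_address(req.source_ip) in CORP_NET

def zero_trust_decision(req):
    """Default deny: returns (allowed, reasons); every check must pass."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("identity not strongly verified")
    if req.resource not in ENTITLEMENTS.get(req.user_role, set()):
        reasons.append("resource not entitled for role")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location outside policy")
    if not req.device_managed or req.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device posture below baseline")
    if not (WORK_HOURS[0] <= req.at <= WORK_HOURS[1]):
        reasons.append("outside permitted hours")
    return (not reasons, reasons)

def visible_resources(req):
    """Resources this requester may even learn exist; the rest stay hidden."""
    every = set().union(*ENTITLEMENTS.values())
    return {r for r in every if zero_trust_decision(replace(req, resource=r))[0]}
```

Because the decision is a pure function of the request context, it can be re-evaluated on every request rather than once at login, which is what continuous assessment amounts to in practice.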
What does Zero Trust feel like?
It secures all connections within your applications. It provides micro-segmentation and encryption around the user session or device in real-time. It prevents data loss and leaks by encrypting traffic and device data and by ring-fencing devices. It also prevents the spread of ransomware. It simplifies policies: rather than trying to manage point solutions, Zero Trust can provide a single security framework for all users, devices, networks and infrastructure, applied in real-time to control access. It prevents lateral movement by eliminating visibility of unauthorised resources.
And finally, many leading Zero Trust solutions provide additional security features that integrate with and extend existing technologies, securing all devices across your enterprise network, including IoT, servers, cameras, un-manned, HVAC systems and industrial control systems. Forrester and Gartner have outlined frameworks and leading technology vendors providing competent Zero Trust solutions.
Paul Rummery is a consultant for SecureNet Consulting