
Making sense of zero-trust security

Implementing zero-trust security is not an easy feat, but enterprises can still get it right if they approach it from a process perspective and get a handle on their infrastructure footprint

This article can also be found in the Premium Editorial Download: CW Asia-Pacific: CW APAC: Expert advice on zero-trust security

Traditional approaches to cyber security have not been too different from medieval warfare, when warlords dug moats around their castles to keep intruders at bay.

There were clearly defined perimeters – people on the inside were trusted, while those outside were not. Likewise, in perimeter-based security, an organisation’s data and users within the enterprise were trusted, and those outside the firewall were viewed with suspicion.

But now that applications and data have moved out of the traditional perimeter and into the public cloud, traditional security models have struggled to adapt.

Nick Savvides, senior director for strategic business at Forcepoint Asia-Pacific, said this shift had fuelled the rise of zero-trust security, which moves the perimeter from a simple concentric model, with an inside and an outside, to one where the perimeter is defined around the data, the user and the service being accessed.

“It eliminates the traditional perimeter and assumes that when accessing a service or data, no user or device can be trusted until proven otherwise before every access,” said Savvides. “This means the user and the device must be strongly identified and the controls applied at the point of access.”

However, the concept behind zero-trust security, which treats all users and data the same wherever they are, is hard to adopt for enterprises that are used to thinking about security in terms of trusted and untrusted network segments.

And it does not help that the concept gets warped by supplier messages, said Simon Piff, vice-president of security practice at IDC Asia-Pacific. “No single vendor spans the entire needs of enterprise security, and as vendors are the main source of information for most users, it’s a challenge to fully grasp the breadth of the zero-trust concept,” he said.

Instead, what often happens in IT security is that the current and most important risk gets prioritised, said Piff. For many enterprises, the current focus during the Covid-19 pandemic is to ensure secure remote access.

“Organisations across the region rushed to offer remote access and then figure out how to secure it later,” he said. “But securing remote access is not as easy in the new Covid-19 paradigm. If the employee was issued with a corporate laptop, and the organisation was already offering remote access, then the issue was largely resolved.”

But many employees have had to use their own hardware, which might not have the right endpoint security, password protection and overall security levels of a corporate system.

Piff said this transferred the problem to IT administrators, who had to consider higher levels of device monitoring – even though not every role requires that level of oversight based on existing IT policies. “And so, process and permissions need to get approved, and in all that time, a risk exists,” he added.

Kevin O’Leary, Palo Alto Networks’ field chief security officer in Asia-Pacific, said he had observed a similar trend, noting that organisations had focused on implementing remote work technologies, along with cost-saving initiatives aimed at consolidating security products to provide cheaper security without degradation in managed risks.

“With a remote workforce, zero trust becomes ever more important,” he said. “I would expect renewed interest when the two areas of development are also addressed.”

Implementing zero-trust security

When implementing the zero-trust security model, enterprises need to understand how to protect the 3Ws – workforce, workplace and workloads – according to Kerry Singleton, managing director for cyber security at Cisco Asia-Pacific, Japan and China.

  1. Workforce: Protect users and their devices against stolen credentials, phishing and other identity-based attacks. This can be done with tools such as multifactor authentication to ensure the right user and device are accessing the network. These tools verify users’ identities, provide visibility into every device, and enforce adaptive policies to secure access to every application. For users, this appears as a one-tap-approval two-factor authentication (2FA) prompt; for security teams, it provides visibility into which devices are in use, and whether they are managed or unmanaged, before access to company applications is granted.
  2. Workplace: Ensure that the office network is adequately protected so that IT teams can gain insight into users and devices, identify threats and maintain control over all connections in the network. This entails adopting software-defined access to secure requests within the corporate network, including those coming from internet of things (IoT) devices, local users and other network-connected devices.
  3. Workload: Protect the flow of information across the network, from datacentres to the cloud and to endpoints. Enterprises can consider tools that offer application workload protection across multicloud datacentres by containing lateral movement, proactively identifying anomalies in workload behaviour and reducing the attack surface.

Beyond tools, enterprises will need to approach zero-trust security from a process perspective. Palo Alto Networks has developed this five-step methodology to help enterprises simplify zero-trust implementations:

  1. Define your protect surface: This is about defining the sensitive data that enterprises need to protect. All critical data, applications, assets and services (DAAS) need to be considered when defining the protect surface.
  2. Map the transaction flows: To design a network properly, it is critical to understand how systems should work. The way traffic moves across the network, specific to the data in the protect surface, determines how it should be protected. This understanding comes from scanning and mapping the transaction flows inside the network to determine how the various DAAS components interact with other resources on the network. Zero trust is a flow-based architecture: once enterprises understand how their systems are designed to work, the flow maps will indicate where controls need to be inserted.
  3. Architect a zero-trust network: Zero-trust networks are bespoke, not universal in design. With the protect surface defined and flows mapped, the zero-trust architecture will become apparent. The architectural elements begin with deploying a next-generation firewall as a segmentation gateway to enforce granular Layer 7 access as a micro-perimeter around the protect surface. With this architecture, each packet that accesses a resource inside the protect surface will pass through a next-generation firewall so that Layer 7 policy can be enforced, simultaneously controlling and inspecting access.
  4. Create the zero-trust policy: Once the zero-trust network has been architected, enterprises need to create the supporting zero-trust policies following the Kipling method, answering the who, what, when, where, why and how of their network and policies. For one resource to talk to another, a specific rule must whitelist that traffic. Such granular enforcement of Layer 7 policy ensures that only known traffic or legitimate application communication is allowed in the network. This significantly reduces the attack surface while decreasing the number of port-based rules enforced by traditional firewalls.
  5. Monitor and maintain the network: This last step means continuously looking at all internal and external logs through Layer 7 and focusing on the operational aspects of zero trust. Inspecting and logging all traffic on the network is a pivotal facet of zero trust.
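To make the five steps concrete, here is an added example of a flow-based policy engine written for this page; it is not code from Palo Alto Networks, Cisco or any other vendor quoted in the article. It also covers the workforce and workload points from the 3Ws above: the "who" of a rule includes device posture and MFA, and the "what" is the Layer 7 application identity rather than a port, so a flow on the right port but the wrong application is still denied. The protect surface entries, user roles, source networks and sample flows are all constructed for illustration.

```python
"""Added example: a small zero-trust policy engine following the five steps above.
All asset names, roles, networks and flows are constructed for illustration."""
from dataclasses import dataclass
import ipaddress
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("zt-policy")

# Step 1: the protect surface, listed as DAAS entries (constructed inventory).
PROTECT_SURFACE = {
    "payroll-db": "data",
    "hr-portal": "application",
}

# Roles are assumed to come from the identity provider after authentication.
USER_ROLES = {"alice": {"hr"}, "bob": {"engineering"}, "svc-report": {"reporting"}}


@dataclass(frozen=True)
class Flow:
    """One transaction (step 2). Each field answers one Kipling question."""
    user: str             # who: identity
    device_managed: bool  # who: device posture (managed or unmanaged)
    mfa_passed: bool      # how: strength of authentication
    app: str              # what: Layer 7 application identity, not a port
    dest: str             # where: the DAAS resource being accessed
    src_ip: str           # where: source network
    hour: int             # when: hour of day, 0-23
    purpose: str          # why: business purpose of the access


@dataclass(frozen=True)
class Rule:
    """An explicit allow for one known flow (step 4). Anything unmatched is denied."""
    name: str
    who: frozenset        # roles allowed
    what: str             # application identity allowed
    when: tuple           # (start_hour, end_hour), inclusive
    where: str            # protected resource
    from_nets: tuple      # source networks allowed, as CIDR strings
    why: frozenset        # purposes allowed
    require_mfa: bool = True
    require_managed: bool = True

    def matches(self, flow: Flow) -> bool:
        if flow.dest != self.where or flow.app != self.what:
            return False
        if not (USER_ROLES.get(flow.user, set()) & self.who):
            return False
        if not (self.when[0] <= flow.hour <= self.when[1]):
            return False
        src = ipaddress.ip_address(flow.src_ip)
        if not any(src in ipaddress.ip_network(n) for n in self.from_nets):
            return False
        if flow.purpose not in self.why:
            return False
        if self.require_mfa and not flow.mfa_passed:
            return False
        if self.require_managed and not flow.device_managed:
            return False
        return True


# Step 4: the policy. HR staff reach the payroll database over postgres during
# office hours from the office network; a reporting service account reaches it
# at any hour from one server subnet (a server is not a "managed laptop").
POLICY = (
    Rule("hr-to-payroll", frozenset({"hr"}), "postgres", (7, 19), "payroll-db",
         ("10.10.0.0/16",), frozenset({"payroll-run"})),
    Rule("report-to-payroll", frozenset({"reporting"}), "postgres", (0, 23),
         "payroll-db", ("10.20.5.0/24",), frozenset({"nightly-report"}),
         require_managed=False),
)


def evaluate(flow: Flow, policy=POLICY) -> tuple:
    """Step 3/4 enforcement at the segmentation gateway: default deny.
    Returns (allowed, rule name or deny reason)."""
    if flow.dest not in PROTECT_SURFACE:
        # No rule can exist for an asset that was never inventoried; a deny
        # here usually means step 1 missed something.
        decision = (False, "not-in-protect-surface")
    else:
        for rule in policy:
            if rule.matches(flow):
                decision = (True, rule.name)
                break
        else:
            decision = (False, "no-matching-rule")
    # Step 5: log every decision, allow and deny alike.
    log.info("%s user=%s app=%s dest=%s src=%s hour=%02d purpose=%s managed=%s mfa=%s -> %s",
             "ALLOW" if decision[0] else "DENY", flow.user, flow.app, flow.dest,
             flow.src_ip, flow.hour, flow.purpose, flow.device_managed,
             flow.mfa_passed, decision[1])
    return decision


if __name__ == "__main__":
    evaluate(Flow("alice", True, True, "postgres", "payroll-db", "10.10.4.7", 10, "payroll-run"))
    evaluate(Flow("alice", False, True, "postgres", "payroll-db", "10.10.4.7", 10, "payroll-run"))
    evaluate(Flow("alice", True, True, "ssh", "payroll-db", "10.10.4.7", 10, "payroll-run"))
    evaluate(Flow("svc-report", False, True, "postgres", "payroll-db", "10.20.5.9", 2, "nightly-report"))
```

The point of the two rules is that they are written against flows, not network segments: the same user from the same subnet is denied on an unmanaged device, outside the time window, or when using a different application to reach the same host, and the reporting account is only ever allowed from its own server subnet. Every evaluation is logged, which is what step 5 relies on to spot flows that the map in step 2 did not anticipate.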

Pitfalls to avoid 

Although zero-trust security has its benefits, there are common pitfalls too, according to Siddharth Deshpande, director of security strategy at Akamai Asia-Pacific and Japan.

The first is considering zero trust from a purely technological perspective. Deshpande said it was important to understand the business value and the broader implications of the model as well, ensuring there is direct alignment with the enterprise’s business network and processes. This would involve a wider section of stakeholders in discussions around what approach to take.

Second, selecting a trusted partner can also determine the success of businesses’ zero-trust model deployment. Organisations should look at collaborating with suppliers that have proven expertise in security and cloud-based edge computing, while cross-referencing supplier rankings by research firms.

Finally, Deshpande said organisations should adopt zero-trust approaches that can co-exist with existing security architecture. Although there are benefits in replacing legacy technologies with newer approaches, this does not have to happen in a disruptive manner.

“Zero trust is a journey, and it is possible to start small and grow incrementally, rather than having to rip and replace multiple elements of the security technology stack overnight,” he said.

IDC’s Piff stressed the importance of understanding typically large, sprawling and amorphous enterprise systems when adopting zero trust.

“I have yet to hear of a CEO who, when presented with an updated security architecture, did not learn that they have 20% more ‘systems’ than they thought they were managing,” he said. “So, understanding what you have, and their dynamic nature, is probably the most critical first step. If you don’t fully understand your system, you cannot possibly protect it.”

Piff also advised enterprises to assess the unique risks faced by their organisation. “Most IT security investments follow the shiny new concern and are not based on long-term strategic plans,” he said.

“The biggest concern is that many security professionals have evolved from a network security background, and the network is, by definition, untrusted these days. So, spending time trying to secure networks is a futile, misguided expense that should be diverted to monitoring and analytical tools.”
