In the wake of the global COVID-19 pandemic, we find ourselves witness to a radically changed workforce paradigm. In many cases this shift happened practically overnight, and one must wonder how much time was really spent finding a sound balance between accessibility and security. How many of those “good enough” solutions are now regular guests in your security team’s nightmares? While saving our companies from the certain doom of remote access limitations, we may have positioned ourselves for the almost equally conceivable doom of falling victim to the constant barrage of cyberattacks.
If there were ever a time to go back to the basics and re-examine our assumptions, and consequently our defenses, that time is unmistakably now. A noteworthy phenomenon in the field of security is that the typical organization relies on a vast and ever-increasing number of discrete security products to keep it safe. We forget that sometimes the best security “tool” is a change in attitude.
Bad guys out, good guys in. This long-standing principle has shaped how enterprises approach information security for decades. Yes, I might be dating myself slightly, but not quite as much as when I regale you with stories about the punch card (I know… no clue). The principle is anchored in the premise that IT environments can be protected from malicious activity simply by making the perimeter bigger, stronger, and more resilient. It's a model that invites comparison to castles and moats, and it carries a twinge of irony: the premise on which it rests, that traffic originating inside the perimeter can automatically be trusted, is now known to be a fairy tale.
In the early phases of the COVID-19 pandemic, many businesses found themselves in a mad scramble to solve the seemingly insurmountable problem of making remote employee access possible without completely breaking all the customary security foundations. I can guess that in many of those meetings the valid question was raised whether this was possible at all.
Over the years there have always been reasons for employees to remotely access core business systems, and each of these remote access projects has brought its own security challenges. Meeting those challenges has largely been a matter of “fortifying the castle”, and to a certain extent that has kept us on par with our attackers.
The solutions have ranged from all kinds of VPN products through next-generation firewalls to the more recent SD-WAN deployments and, on top of them, SASE offerings. On the desktop side we’ve seen an omnium gatherum of SSL VPN clients, endpoint protection products and application allowlisting tools, up to the most advanced high-security VDI deployments. For many organizations, adding layer upon layer of these defenses over an extended period has left the implemented cyber defenses resting on a considerable number of legacy, on-premises and cumbersome point solutions. Fortifying the castle one wall, one moat and one drawbridge at a time doesn’t allow for much architectural progress.
For a large percentage of organizations most, if not all, of these tools were deployed from the perspective that most employees sat inside the fortress’ high wall. Immediately after the world abruptly transitioned to a remote workforce, the effectiveness of those defenses and the visibility they provided dropped significantly.
Organizations that previously had tight control of the user’s endpoint found themselves struggling to push security updates from their central location onto bandwidth-constrained home networks. Ironically, the more tightly the pre-COVID security posture had been aligned to central control, the larger the problem they now faced.
Zero-trust security proposes a very different model, one grounded in the assumption that any user, device or transaction may already be compromised, regardless of whether it sits inside or outside the castle’s wall (aka the firewall). That perspective drives a new strategy for network security architecture.
Zero trust is not a technology, nor is it a product. It is a “strategic, architectural approach to network security enabled by technology”. Reflecting the increasing complexity of network security choices, the concept of zero trust was first articulated by Forrester Research around 2010. So, it has been around a while, but it gained a lot of traction in recent years when Google adopted it as its intrinsic security model.
Zero trust’s underpinning is a security architecture that withholds access until a user, device or even an individual packet has been thoroughly inspected and authenticated. Even then, only the least amount of access necessary is granted. The one-liner commonly attached to zero trust is "never trust, always verify", a sharp reversal of the old "trust but verify" approach.
I’m not implying that the walls, moats, and drawbridges are no longer necessary in the defense of your castle. Rather, I’m encouraging you to enhance your approach by also checking every person inside the castle, under the assumption that they might have scaled a wall or swum the moat, and then limiting each of them to a smaller portion of the castle.
Zero-trust security embraces more precise and stringent network segmentation, creating what are sometimes called micro-perimeters throughout the network to prevent lateral movement. The goal is that when, not if, a breach occurs, an intruder can't easily reach sensitive data by hopping between VLANs, for example.
Policies and governance also play an important role in a zero-trust architecture, since users should have the least amount of access required to fulfill their duties. Granular control over who accesses what, from where and when is vital to a zero-trust network.
A legacy, perimeter-based approach to security simply no longer protects organizations from the increasingly common and destructive identity- and credential-based attacks. The sudden shift of the workforce to the outside of the castle walls has dramatically increased the available attack surface. That shift alone could not have changed the security paradigm; years of attack evolution in the APT realm had already supplied plenty of reasons and incentives. But it has certainly added urgency to the change.
In summary, no matter how flashy the firewall, it won't stop an attacker who has obtained stolen login credentials from wreaking havoc unless highly granular segmentation and access policies are in place. Contrary to the assumptions of traditional security models, a username and password by themselves warrant one of the lowest degrees of confidence, because it's reasonable to assume that the person logging in with Jane from accounting's username and password may not be Jane from accounting.
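The contrast between the two models described above, a perimeter decision based on network location against a zero-trust decision that scores what was actually verified (identity, second factor, device health, time of day, role) and hands out only the actions that score has earned, can be shown in a few dozen lines. The following Python is an added example, not code from this post or from GCSIT: the device inventory, user roles, resource policies and access requests are constructed sample data, and the three-tier trust scoring is an assumed scheme chosen for illustration, not a standard.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple

# Constructed sample inventory: enrolled devices and their last posture report.
MANAGED_DEVICES = {
    "LT-1042": {"owner": "jane", "os_patched": True, "disk_encrypted": True},
    "LT-2077": {"owner": "bob", "os_patched": False, "disk_encrypted": True},
}

# Constructed directory: roles held by each user.
USER_ROLES = {"jane": {"accounting"}, "bob": {"engineering"}}

# Constructed policy: roles entitled to each resource, and the actions that each
# trust tier unlocks. An unknown resource or a missing role means deny.
RESOURCES = {
    "erp.internal": {
        "roles": {"accounting"},
        "actions_by_tier": {2: {"read"}, 3: {"read", "write"}},
    },
    "wiki.internal": {
        "roles": {"accounting", "engineering"},
        "actions_by_tier": {1: {"read"}, 2: {"read", "write"}},
    },
}

WORK_HOURS = (time(7, 0), time(20, 0))  # assumed "when" constraint


@dataclass
class AccessRequest:
    user: str
    password_ok: bool          # primary credential verified by the identity provider
    mfa_ok: bool               # second factor verified for this session
    device_id: Optional[str]   # None when the client presents no device identity
    source_ip: str
    resource: str
    when: datetime


def perimeter_decision(req: AccessRequest) -> bool:
    """Castle-and-moat: a valid password from the corporate 10/8 range is enough."""
    return req.password_ok and req.source_ip.startswith("10.")


def trust_tier(req: AccessRequest) -> int:
    """Score what was verified about this request; network location counts for nothing."""
    if not req.password_ok:
        return 0
    tier = 1
    if req.mfa_ok:
        tier += 1
    dev = MANAGED_DEVICES.get(req.device_id) if req.device_id else None
    if dev and dev["owner"] == req.user and dev["os_patched"] and dev["disk_encrypted"]:
        tier += 1  # healthy, enrolled device bound to the requesting user
    return tier


def zero_trust_decision(req: AccessRequest) -> Tuple[FrozenSet[str], str]:
    """Return the least set of actions this request has earned, plus the reason."""
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return frozenset(), "unknown resource: default deny"
    if not USER_ROLES.get(req.user, set()) & policy["roles"]:
        return frozenset(), f"{req.user} holds no role entitled to {req.resource}"
    if not WORK_HOURS[0] <= req.when.time() <= WORK_HOURS[1]:
        return frozenset(), "outside permitted hours"
    tier = trust_tier(req)
    granted: FrozenSet[str] = frozenset()
    for needed, actions in sorted(policy["actions_by_tier"].items()):
        if tier >= needed:
            granted = frozenset(actions)  # highest tier satisfied wins
    if not granted:
        return frozenset(), f"trust tier {tier} earns no action on {req.resource}"
    return granted, f"tier {tier} grants {sorted(granted)}"


MORNING = datetime(2021, 3, 1, 10, 30)
# Constructed scenarios: a stolen password used from a desk inside the office on an
# unenrolled laptop, the real Jane at home on her enrolled laptop with MFA, and Bob.
SAMPLE_REQUESTS = {
    "thief": AccessRequest("jane", True, False, None, "10.0.5.7", "erp.internal", MORNING),
    "jane": AccessRequest("jane", True, True, "LT-1042", "203.0.113.45", "erp.internal", MORNING),
    "bob_erp": AccessRequest("bob", True, True, "LT-2077", "10.0.7.9", "erp.internal", MORNING),
    "bob_wiki": AccessRequest("bob", True, True, "LT-2077", "10.0.7.9", "wiki.internal", MORNING),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:8} perimeter={perimeter_decision(req)!s:5} "
              f"zero-trust={zero_trust_decision(req)}")
```

The thief holding Jane's password is waved through by the perimeter check because the request comes from a corporate address, but earns only tier 1 under zero trust and gets nothing on the ERP system; Jane at home fails the perimeter check yet earns tier 3 and full access. Bob's laptop is enrolled but unpatched, so he is capped at tier 2: enough for the wiki, never enough for a resource his role isn't entitled to.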
Transitioning to the zero-trust security model is also a matter of keeping pace with other evolutions in IT. Users no longer fetch data and applications solely from a desktop computer at a fixed location via conventional enterprise data centers. From remote workforce to mobility to cloud to microservices, traditional perimeters are crumbling.
Karl is an active Certified Information Systems Security Professional (CISSP) and has over 30 years of experience in both operating and defining business critical infrastructure.