Lean into zero trust to ensure security in times of agility
Bad actors are rapidly mounting phishing campaigns, setting up malicious websites and sending malicious attachments to take full advantage of the pandemic and users’ need for information, their fears and other emotions. More often than not, the goal is the compromise of login credentials.
Many organizations grant more trust to users on the intranet versus users on the internet. Employees working from home – while unknowingly browsing potentially malicious websites and clicking on doctored COVID-19 maps that download malware – are using company laptops and VPNs to connect to the corporate network and from there are granted a much wider degree of latitude in terms of access to different resources.
Once a user’s credentials are compromised, this implicit trust associated with a user’s locality of access from the intranet can be taken advantage of to spread malware laterally within the organization. It’s clear, therefore, that it’s no longer possible to tackle security with an internet-versus-intranet approach, where assets within the network perimeter are considered safe.
A good way to navigate this minefield and secure an organization is to assume that everything is suspect and adopt a zero trust approach. Zero trust aims to eliminate the implicit trust associated with the locality of user access (for example, users on the intranet versus users on the internet) and moves the focus of security to applications, devices and users.
Here are a few key points to bear in mind when embarking on a zero trust journey:
Zero trust is a journey, not a product
What’s truly important to understand about zero trust is that it isn’t a product or a tool. Zero trust is a framework, an approach to managing IT and network operations that helps drive protection and prevent security breaches. Zero trust aims to have a consistent approach to security, independent of whether a user is accessing data and applications from the intranet or the internet.
In striving for this, zero trust actually attempts to simplify security by eliminating the need for separate frameworks, separate tools and separate policies for security based on locality of access (e.g., having a dedicated VPN infrastructure for remote access).
It also ensures that users have a consistent experience independent of where they are working from. By putting the emphasis on applications, users and devices and eliminating the implicit trust associated with internal networks, zero trust essentially aims to reduce the overhead of managing separate security infrastructures for external and internal boundaries. Zero trust accomplishes this by requiring a comprehensive policy framework for authentication and access control of all assets.
Visibility is the cornerstone for zero trust
The key to implementing zero trust is to build insight into all assets (applications, devices, users) and their interactions. This is essential in order to define and implement a comprehensive authentication and access control policy. A big challenge that security teams face today is that access control policies tend to be too permissive, or are tied to network segments rather than assets, which makes it easier for bad actors to move laterally within an organization.
By putting the emphasis on assets and building out an asset map, policy creation and enforcement can be simplified. And because the policies are tied to assets and not network segments, the same set of policies can be used regardless of where a user is accessing data and applications from.
Discovery of assets can be achieved in many ways. One excellent approach to asset mapping and discovery is to leverage metadata that can be extracted from network traffic. Network traffic makes it possible to discover and enumerate assets that may be missed through other mechanisms. Legacy applications, modern applications built using microservices, connected devices and users can all be discovered through network traffic visibility and their interactions mapped, which makes it possible to build an asset map baseline. Having such a baseline is critical to building the right policy model for authentication and access control.
Encrypt everything
While authentication and access control are essential in the world of zero trust, so is privacy. Authentication ensures that the endpoints of a conversation know who is at the other end. Access control ensures that a user can access only the assets they are permitted to. However, it is still possible for a bad actor to “snoop” on valid communication and through that get access to sensitive information (including passwords and confidential data).
An area of implicit trust in many organizations is that communication on the company intranet tends to be in clear text for many applications. This is a mistake. We should not assume that communications on the company’s internal network are secure simply by virtue of being on the company’s network. When carrying out any transaction on the internet we use TLS (“https”), which encrypts the data.
Communication on the intranet should be no different. We should work under the assumption that bad actors already have a footprint on our company’s network. Consequently, any communication between users, devices and applications should be encrypted to ensure privacy. This is yet another step to ensuring that a consistent security framework can be used for users on the internet and on the intranet.
Of course, encrypting all traffic on a company’s network makes it harder to troubleshoot application problems and network issues, and makes it harder for security teams to identify threats or malicious activity. Additionally, in specific verticals, this can make compliance a challenge because the activity logs that regulations require can no longer be kept. For this reason, leveraging a network-based solution for targeted network traffic decryption may be beneficial when moving towards a model where all traffic on the intranet is encrypted.
Implement a continuous monitoring strategy
Corporate networks are not static. They are continuously evolving, with new users, devices and applications being added and old ones being deprecated. In these times, where capacity is dynamically scaled up and down, new applications are being quickly brought to market, and more IT and OT devices are coming online, the network has never been more dynamic.
Cloud migration is further changing the very nature of a network and the notion of what is “internal” vs “external”. Putting in place a framework for authentication, access control and encryption is half the solution. The other half is putting in place a continuous monitoring strategy to detect changes and to ensure that either the changes are compliant with the policy or the policy evolves to accommodate the changes. Monitoring network traffic provides a non-intrusive and yet reliable approach to detecting changes as well as identifying anomalies.
Network-based monitoring can be used in conjunction with endpoint monitoring to get a more complete view. In many situations, network-based monitoring can pinpoint applications and devices on which endpoint monitoring has been turned off, either inadvertently or maliciously, or where endpoint monitoring cannot be implemented at all.
Once bad actors get a footprint on a system they typically attempt to turn off or work around endpoint monitoring agents. Monitoring network traffic provides a consistent and reliable stream of telemetry data in many of these scenarios for threat detection and compliance.
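The two network-traffic ideas above, building an asset map baseline from flow metadata (the visibility section) and checking later traffic against that baseline for changes, anomalies and cleartext services (the encryption and monitoring sections), as one added example. This is illustrative code written for this article, not a tool from any vendor; the flow records, addresses, ports and protocol labels are constructed.

```python
from collections import defaultdict

# Constructed flow metadata (src_ip, dst_ip, dst_port, protocol); all
# addresses and services are made up for this example.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 443, "tls"),
    ("10.1.1.11", "10.2.0.5", 443, "tls"),
    ("10.1.1.10", "10.2.0.9", 5432, "postgres"),
    ("10.1.1.12", "10.2.0.7", 80, "http"),
]
NEW_FLOWS = [
    ("10.1.1.11", "10.2.0.9", 5432, "postgres"),  # known service, new client
    ("10.1.1.10", "10.2.0.5", 22, "ssh"),          # known asset, new service
    ("10.1.1.99", "10.2.0.5", 443, "tls"),         # never-seen source host
    ("10.1.1.12", "10.2.0.7", 80, "http"),         # baseline flow, but cleartext
]
# Protocols that carry data unencrypted on the wire.
CLEARTEXT_PROTOCOLS = {"http", "telnet", "ftp", "ldap", "smtp"}

def build_asset_map(flows):
    """Turn flow metadata into an asset map: every host seen, the
    (port, protocol) services each one serves and the clients using them."""
    assets = defaultdict(lambda: {"services": set(), "clients": set()})
    for src, dst, port, proto in flows:
        assets[dst]["services"].add((port, proto))
        assets[dst]["clients"].add(src)
        assets[src]  # touching the key registers the client as an asset too
    return dict(assets)

def cleartext_services(asset_map):
    """List baseline services that still run in the clear on the intranet."""
    return sorted((host, port, proto) for host, info in asset_map.items()
                  for port, proto in info["services"] if proto in CLEARTEXT_PROTOCOLS)

def check_flows(asset_map, flows):
    """Compare new flows with the baseline and return (finding, flow) pairs:
    unknown assets, new services, new client/service interactions, cleartext."""
    findings = []
    for flow in flows:
        src, dst, port, proto = flow
        if src not in asset_map or dst not in asset_map:
            findings.append(("new_asset", flow))
        elif (port, proto) not in asset_map[dst]["services"]:
            findings.append(("new_service", flow))
        elif src not in asset_map[dst]["clients"]:
            findings.append(("new_interaction", flow))
        if proto in CLEARTEXT_PROTOCOLS:
            findings.append(("cleartext", flow))
    return findings
```

Each finding is a prompt either to update the policy (a legitimate new service or client) or to investigate (an unknown host, or a cleartext service that should be migrated to TLS), which is the policy-versus-change loop the monitoring section describes.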
As organizations are being forced to turn towards the work-from-home paradigm, the need to rapidly scale applications and infrastructure will continue to put stress on different teams within the organization. Pandemic or no, some of these changes will become permanent. In other words, in many cases there may not be a “going back to how it used to be”. Embracing the move to a zero trust framework will help ensure that as organizations adapt to a new normal, security continues to keep pace and serves as an umbrella of protection within which agility and innovation thrive.