To accelerate business and remain competitive, organizations are rapidly adopting digital innovation (DI) initiatives including zero trust security models. This means business applications and data are now dispersed far and wide, away from the corporate premises, giving workers access to more corporate assets from many locations. For this reason, the traditional perimeter is dissolving, which opens the internal network to a growing attack surface—a top concern for CISOs.
In response to these threats, organizations need to take a “trust no one, trust nothing” approach to security. Specifically, CISOs need to protect the network with a zero-trust accecyberss (ZTA) policy, making sure all users, all devices, and all web applications from the cloud are trusted, authenticated, and have the right amount of access. Zero trust is critical to securing digital innovation, no matter what the nature of the individual project.
The Evolution of the Network Edge
For organizations of all sizes, DI initiatives drive business growth. One aspect of this growth is the proliferation of new network edges— private and public cloud infrastructures, Internet-of-Things (IoT) and mobile devices, software-defined (SD) branches—all of which generate an exponentially growing volume of data, applications, and workflows. To manage user access and interconnect an array of devices from different locations, both on and off the network, organizations are increasing the number of devices deployed at the edges of these networks.
For CISOs, this can be a nightmare. In recent years, there’s been an explosion of network edges, so much so that the traditional perimeter is dissolving, creating an open environment that is ripe for attack. Cyber threats are growing more prolific and continuously adapting. In the past, perimeter security was based on a “trust but verify” approach. But with so many users, devices, and applications on the network, it is hard to know which ones to trust. Exploits like credential theft and malware enable bad actors to gain access to legitimate accounts. And once in, those bad actors easily identify ways to maneuver laterally, spreading very quickly to take advantage of the flat and trusted internal network. Once they gain access to an edge device, infiltrators can launch attacks that can cause operational downtime, data theft, financial loss, and reputational damage.
For security leaders, it is impossible to keep up with the growing number of attacks using a traditional approach to network access. That is why there is a shift happening, from trusting everything on the network to not trusting things. With a well-functioning zero-trust access model, CISOs organize their approach using specific vulnerable areas of the network edge that can be considered untrustworthy: users, devices, and assets both on and off the network.
Know Who Is Connected to the Network
Security leaders need to know who is on the network at all times. However, organizations are at an increased risk when it comes to workers who use weak passwords to connect to the network. Because so many accounts now require credentials, many passwords are overly simplistic and easy to compromise through exploits like phishing attacks. It’s critical for organizations to know every user and what role they play in the company. Only with that knowledge can they securely grant access to those resources necessary for each role or job, while providing additional access to others on a case-by-case basis.
While bring your own device (BYOD) may be popular with users and managers alike, some CISOs overlook the dangers. The broad attack surface makes it easier for evolving threats to penetrate traditional perimeter defenses and move laterally inside the internal network, which is one of the ways breaches can remain undetected for so long. Some of the most damaging breaches have occurred through unauthorized users gaining access to the network or through inappropriate levels of access given to trusted users. BYOD is becoming ubiquitous within enterprises, but 83% of security leaders say their organizations are at risk from mobile threats.
Another challenge facing organizations is a geographically distributed workforce, where employees perform their jobs from various locations, from the corporate headquarters, to branch campuses, and increasingly, home offices. With so many users gaining access to the network remotely, there are many more opportunities for the attack surface to grow. For example, workers often connect using hotspots or public Wi-Fi networks in coffee shops, airports, automobiles, or on public transportation. This kind of connectivity poses significant security risks. Third parties can eavesdrop on all information that passes between the user and the corporate network. Attackers can exploit unpatched software vulnerabilities to inject malware into the endpoint device, to not only access local information but also gain access to the corporate network via the endpoint device.
These challenges become especially magnified in a majority-telework environment, which was a lesson learned by all organizations during the COVID-19 pandemic in 2020. Most organizations that had perhaps planned for fewer than 15 percent of their workforces to be based remotely suddenly had to ensure they had the right infrastructure and security controls for 90 percent or more.
These needs are part of why zero-trust access is so important. Since devices are constantly going on and off the network, it is critical to ensure that security leaders know which users are on the network, and that they have the right level of access. As employee roles change, such as a move from sales to operations, workers might not need access to the same areas they had in their previous role, and security teams should be able to effect a seamless transition.
Know What Is Connected to the Network
In addition to knowing who is on the network, security leaders need to know what devices are on the network at all times. However, the proliferation of mobile devices and IoT products has dissolved the traditional network perimeter into many microperimeters, which results in a much larger attack surface for the organization. Since each microperimeter is associated with each user device, endpoints become prime targets for malware infections and sophisticated exploits.
As a result of this explosion of endpoints and expanding attack surface, many organizations are fundamentally losing control of the network in the sense that they are no longer sure what devices are connecting to it. In fact, there is virtually no device configuration standardization for BYOD or IoT. In regardsto BYOD, mobile devices can put networks at heavy risk. This could be through data leakage, unsecured Wi-Fi, network spoofing, phishing, spyware, broken cryptography, or improper session handling. However, the greatest area of growth in the endpoint attack surface is from the explosion of IoT devices.
Cyberattacks on IoT devices are booming, as organizations connect more and more “smart” devices. Bad actors are exploiting these devices to conduct distributed denial-of-service (DDoS) attacks, as well as many other types of malicious actions.
To fully secure BYOD and IoT endpoints, enterprises must have visibility into where each device is, what it does, and how it connects to other devices across the network topology. Lack of visibility leaves an organization vulnerable to unseen risks. Security leaders must be able to track devices at the edges of the network. However, almost half of cybersecurity professionals say they do not have a plan in place to deal with attacks on IoT devices, even though nine out of 10 express concerns over future threats.4
Traditional network segmentation is used by some organizations, but it is difficult to define secure network-based segments that can be simultaneously accessible to all authorized users and applications and completely inaccessible to all others. Even best-effort segmentation leaves gaps in network defenses—access scenarios that network architects did not envision—which malicious actors can exploit.
In addition, organizations remain under attack if access permissions are based on assumed trust of vetted devices. Numerous organizations have been surprised by attacks from previously trusted employees and contractors. A lost or stolen device can reveal passwords that enable future attacks on the network. This is why a zero-trust approach is so critical. As cyber criminals focus on compromising the broad array of network devices, security leaders need better visibility and detection of every specific device connecting to the network.
Protect Assets Both On and Off the Network
Another significant problem for security leaders is the increasing use of mobile devices offline or on other networks, which presents security threats such as malware or botnets when those devices log back onto the corporate network. For example, many workers use their BYOD devices both for personal and business needs. They browse the internet, interact with others on social media, and even receive personal emails when not logged into the network. But when they rejoin the network after being online, workers can inadvertently expose their devices, and company resources, to a variety of threats such as viruses, malware, and other exploits.
This combination of personal and business usage of devices also comes at a time when most organizations are unable to keep up with the number of endpoints coming on and off the network. In a recent Ponemon Institute report, 63% of companies said they are unable to monitor off-network endpoints, and over half can’t determine the compliance status of endpoint devices.5 The sheer number of devices connected to the network obscures visibility across all endpoints. As a result, CISOs and security teams struggle to manage the significant amount of risk created.
By transitioning to a zero trust security framework that identifies, segments, and continuously monitors all devices, organizations can replace their high-risk, flat networks to ensure that internal resources remain secured, and that data, applications, and intellectual property remain protected. This strategy not only reduces the risks associated with perimeter-centric security strategy but also increases the visibility and control of off-network devices, while simplifying overall network and security management.
DI initiatives accelerate business outcomes. They also add strain to CISOs, their teams, and their resources because of how DI initiatives can expand and change the enterprise attack surface, opening up new attack vectors for cyber threats to exploit. Bad actors become more sophisticated and advanced, and the traditional perimeter security approach is no longer sufficient. Depending on the nature and sophistication of the threat, there is no single point in an organization’s security infrastructure that can see all aspects of the threat. With zero-trust access, CISOs can focus on the users and devices that are connecting to the network, confirming their identity and making sure they have just the right amount of access and trust.
One of the main reasons for the growing attack surface is due to the proliferation of IoT and smart devices that are coming onto the network. Security leaders often lack full visibility into the flood of devices accessing the network—and CISOs have learned hard lessons regarding what they can’t see that will hurt them. To fully secure all of these endpoint devices, enterprises need a zero-trust access policy across the entire network that provides visibility into where each devicTo accelerate business and remain competitive, organizations are rapidly adopting digital innovation (DI) initiatives including zero trust security models.e is, what it does, and how it connects to other devices across the network, as well as continuous monitoring to detect any behavioral anomalies that could indicate a threat.
As security leaders navigate a workforce that is working from a variety of locations and using both personal and business devices to access the network, they need a way to protect all endpoints at the network edge. With a zero trust security model, organizations can improve visibility of all devices on and off the network, enable advanced protection, and implement dynamic access control, all while reducing the attack surface.
Ever since mobile devices started to company applications via the internet, there has been an increasing need to implement a zero trust security. If you can’t trust the device, network, or connection, zero trust seems like an excellent idea. However, over in the past few years, there’s been a lot of confusion as to what it really means.
When did zero trust start? John Kindervarg published a paper about the zero trust concept back in 2010. He discussed how this type of security model works. Basically, the zero trust concept means enterprises should not trust any attempts to connect to an application or system inherently. They must be verified first before granting any level of user access.
The concept is very simple. You need to assume that all attempts are hostile. This may seem obvious but this particular concept is considered antithetical to the cybersecurity model of an organization. During the early 1990s, firms have been establishing a network architecture that comes with a secure perimeter through end point based controls, depending on the approved IP addresses, ports as well as protocols to authenticate data, applications, and users, which are then verified to communicate within the network.
On the other hand, a zero trust network security will treat all of the traffic, within or outside the perimeter as hostile. Unless the workload have been authorized they will be considered untrusted and will be blocked from any form of communication. Identity based rules will lead to a stronger security that goes with the workload regardless of where it communicates – in a hybrid environment, public cloud, container, or on-premises network architecture. Since the protection is considered environment agnostic, the services and applications are secured even when they communicate across the network environments, needing no policy updates or architectural changes.
An important aspect of a zero trust security is the least privilege access, which means it gets rid of the trust that users automatically have when they are inside the conventional network. With a zero trust security, least privilege access is applied before providing access to connections, devices, services as well as to the where and when so that the attack surface is reduced while the defenders get a narrower scope of concentration.
The networks today are extremely hostile. They host applications and data that are critical to businesses, which make them the perfect target for cyberattack by hackers who want to hold hostage, destroy, and steal confidential data such as intellectual property and personally identifiable information, as well as financial data for personal gain.
Although there’s no perfect network security, and data breaches cannot be eliminated fully, zero trust can significantly reduce the attack surface and restrict the blast radius, which involves the severity and the impact, of a cyberattack, which decreases the cost and time of responding to as well as cleaning up after a data breach.
The idea behind a zero trust model involves considering all, in or out the network perimeter, as unauthorized without proper verification. This concept is getting a lot of attention from companies that are struggling to stop data breaches through the use of traditional methods.
Companies that would like to use this model must be prepared to jettison methods that are based on the embedded ideas of trusted insiders as well as safe corporate network.
Zero trust was a term that first popped up back in 2010. It referred to a security model where any device and anyone that tries to connect to any network asset is considered as untrustworthy. The model focuses on using device as well as user credentials, instead of network location, as the basis for denying or granting access to the network.
A zero trust model is crucial in stopping attackers from moving about without detection within a network and looking for targets once they have infiltrated the perimeter. Various data breaches took place due to the traditional security controls as well as tools for data leak prevention were not able to identify malicious activities that are being performed by external actors through stolen credentials to move freely. The issue lies in the method used by companies which involves trusting traffic and users implicitly on the internal network while only considering external users as untrusted entities.
There are other issues aside from threat actors. A growing mobile workforce as well as the increasing use of cloud solutions to host services and applications have made it more difficult for many companies to enforce and establish a network perimeter. The old method of gating access to only internal resources through a heavily protected perimeter is no longer effective because of enterprises have become so scattered and the many different ways they can be accessed. With zero trust security, everything is considered as untrusted.
Implementing Zero Trust
It can be challenging to implement zero trust. One of the pioneers in this aspect is Google. It spent six years transitioning from VPN as well as privileged network access to a zero trust network environment. The company also had to restructure and redefine job classifications and roles, create an new master inventory service in order to monitor devices, allow better visibility over the applications, and then overhaul the user access and authentication control policies.
When you want to embark on your journey towards zero trust, you have to remember that nothing can get access to internal resources until they’re verified as trusted. The trust that is assigned cannot rely on whether the users is trying to access an company application inside or outside the network perimeter. Access should be based on what you know regarding the user, which you know about the device, and what it’s trying to access. It should focus on authenticating the users securely, identifying their roles, as well as their access privilege, while being able to identify abnormal device and user behaviour.