5 Steps to True Zero Trust Security

Zero Trust has long been the logical successor to the castle-and-moat perimeter security model, which has not protected businesses well from cyber attacks and becomes increasingly obsolete as employees become more mobile and applications migrate to the cloud.

But adoption of the zero trust model, created by former Forrester analyst John Kindervag more than a decade ago, has been slow, in part because of aversion to change and fears that replacing perimeter security with something new would be risky, complex and expensive.

That all changed when the pandemic struck, company offices emptied and millions of workers suddenly found themselves working from home. IT managers rushed to move apps to the cloud to make them more accessible to their remote workforce. Then they strove to secure those edge connections with methods consistent with a zero trust architecture, such as multi-factor authentication, access controls, and Secure Access Service Edge (SASE), a cloud-based service that combines connectivity and security.

Indeed, companies had “inadvertently” started their zero trust journey, says Forrester analyst Steve Turner. “We see a lot of the same customers coming back and saying, where else can I go with zero trust? They realize that there are many solutions that present themselves as zero trust. They want to eliminate the noise and understand what the next steps look like.”

Here are the five steps that will ensure your zero trust journey stays on track and delivers value to the business.

Step 1: Know What Zero Trust Really Means

Some of the confusion around the term zero trust stems from the word “trust” itself. As Kindervag, currently senior vice president of cybersecurity strategy at managed security service provider ON2IT, puts it: “Zero trust is just the idea that trust is the thing that we need to eliminate. Trust is a human emotion that has been injected into digital systems for no reason. Zero trust is a strategic initiative that helps prevent successful data breaches by removing trust from your organization. It is rooted in the principle of never trust, always verify.”

For example, everyone in the company knows John, and everyone likes and trusts John. Packets are entering the network from a device assigned to John, but how do we know it is John and not an attacker? The zero trust model simply says that the claim that it is John must be checked and verified. Organizations should create policies designed to confirm John’s identity, control which resources John can access, prevent John from taking actions outside the policy, and monitor and log all of John’s activity.

Concretely, this means going beyond passwords to multi-factor authentication, and also deciding how to verify the device itself, its location and its behavior, as the following steps show.

Step 2: Identify what you want to protect

The goal of zero trust is to protect the business from the financial, regulatory and reputational consequences of data breaches. So the starting point is to figure out what you need to protect.

This could be customer data, employee data, financial data, intellectual property, business process data, data generated by IoT devices, application data, or a service such as DNS or Active Directory. “Focus on business outcomes,” Kindervag explains. “If you don’t know your business needs, you will fail.”

Once you know what data needs to be protected and have identified where it is, the principles of zero trust take over. This means establishing policies that only allow access when needed and inspecting all traffic to and from protected data.

Security policies that block the exfiltration of sensitive data are critically important: controlling outbound traffic also denies attackers their command-and-control channel, which disrupts many types of attack, including ransomware.

Kris Burkhardt, CISO at Accenture, explains that his company has been on a zero trust trajectory for 20 years, dating back to the company’s decision to put many of its applications in the cloud so that they would be more easily accessible to its highly mobile workforce. Rather than deploying VPNs, which were expensive at the time, Accenture let employees connect over the public Internet through a plain browser, but deployed endpoint protection, multi-factor authentication, identity and access controls, and microsegmentation.

The company treats critical information systems with special care, including additional monitoring, privileged access management, and even requiring two people to perform certain actions, says Burkhardt.

Step 3: Design the network from the inside out

The perimeter security model is based on the idea that there is an inside (the head office) where everyone can be trusted and an untrusted outside, with firewalls and other security tools between them. The zero trust model eliminates the distinction between inside and outside and replaces it with network segments created for specific purposes. For example, Kindervag suggests that businesses might start with a single data flow, such as credit card data.

Burkhardt says microsegmentation is one area where “you can get in trouble if you overcomplicate it”, but he points out that “tooling is moving quickly in a good way to make it easier.” The important thing is to have a clear microsegmentation strategy and to execute it correctly, both on-premises and in the cloud.

Some of the classic segmentation approaches, he says, are to create a microsegment for disaster recovery, to separate the data center from desktop applications, and to create a segment for the DMZ where connections to the internet are handled.
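Steps 1 to 3 together describe a single policy decision that is made on every request: verify the person and the device, allow access only to a named asset in the protect surface, and let only the segments that need it reach that asset. The following added example (written for this article, not code from Accenture, ON2IT or Forrester) shows such a policy decision point in Python. The protect surface, the segment names, the request fields and the two-person rule on the DNS service are assumptions made for the example; every decision, allowed or denied, is appended to an audit log, which is what Step 4 later relies on.

```python
"""Added example for Steps 1 to 3: a per-request zero-trust policy check.

Illustrative code written for this article; it is not tooling from Accenture,
ON2IT or Forrester. The protect surface, segment names, request fields and
the two-person rule on prod-dns are assumptions made for the example.
"""
from dataclasses import dataclass, asdict
from typing import Optional

# Step 2, the protect surface: each protected asset sits in its own
# microsegment (Step 3) and lists which roles may use it, which segments
# may reach it, and whether changes need a second person. Anything not
# in this table is unreachable: the default is deny.
PROTECT_SURFACE = {
    "cardholder-db": {"segment": "pci", "roles": {"payments-engineer"},
                      "from_segments": {"access-proxy"}, "two_person": False},
    "hr-records":    {"segment": "hr", "roles": {"hr-analyst"},
                      "from_segments": {"access-proxy"}, "two_person": False},
    "prod-dns":      {"segment": "infra", "roles": {"sre"},
                      "from_segments": {"access-proxy", "infra"}, "two_person": True},
}


@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool        # Step 1: a password alone never proves it is John
    device_id: str
    device_managed: bool      # Step 1: verify the device, not just the person
    device_compliant: bool
    src_segment: str          # where the packets actually enter from
    resource: str
    action: str               # "read" or a change such as "write"
    approver: Optional[str] = None  # second person for two-person actions


AUDIT_LOG: list = []  # Step 4: every decision, allowed or denied, is recorded


def decide(req: Request) -> tuple:
    """Evaluate one request. Every check runs on every request; there is
    no 'it came from inside the office, so it is trusted' shortcut."""
    allowed, reason = _evaluate(req)
    entry = asdict(req)
    entry["roles"] = sorted(req.roles)
    entry.update(allowed=allowed, reason=reason)
    AUDIT_LOG.append(entry)
    return allowed, reason


def _evaluate(req: Request) -> tuple:
    policy = PROTECT_SURFACE.get(req.resource)
    if policy is None:
        return False, "resource not in protect surface"
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    if not (req.device_managed and req.device_compliant):
        return False, "device unmanaged or out of compliance"
    if req.src_segment not in policy["from_segments"]:
        return False, "segment %s may not reach %s" % (req.src_segment, policy["segment"])
    if not (req.roles & policy["roles"]):
        return False, "role not authorized for resource"
    if policy["two_person"] and req.action != "read":
        if req.approver is None or req.approver == req.user:
            return False, "change requires a second approver"
    return True, "all checks passed"


if __name__ == "__main__":
    john = dict(user="john", roles={"payments-engineer"}, mfa_verified=True,
                device_id="lap-17", device_managed=True, device_compliant=True,
                src_segment="access-proxy", resource="cardholder-db", action="read")
    print(decide(Request(**john)))                                # allowed
    print(decide(Request(**{**john, "mfa_verified": False})))     # denied: no MFA
    print(decide(Request(**{**john, "src_segment": "desktop"})))  # denied: wrong segment
    for entry in AUDIT_LOG:
        print(entry["user"], entry["device_id"], entry["resource"],
              entry["allowed"], entry["reason"])
```

The order of the checks matters less than the fact that none of them can be skipped: a request from John's own laptop, on the office network, with the right role, is still refused if the device has fallen out of compliance, and a change to the DNS service is refused until someone other than the requester approves it.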

Step 4: Log all traffic

Kindervag says inspecting and logging all traffic is an important part of a zero trust architecture. Real-time analysis of traffic logs can help identify cyber attacks. Kindervag adds that the rich telemetry that is collected can help create a feedback loop that strengthens the network over time.

Burkhardt says that Accenture sends its traffic logs to Splunk for a variety of analyses, including threat hunting queries, checking whether pre-defined conditions that indicate an attack or someone taking an incorrect action by mistake have occurred, and detecting when an attacker is present in the environment. Analyzing endpoint logs can reconstruct any actions the attacker may have taken and “help you legally understand what happened.”
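The pre-defined conditions mentioned above, and the point made in Step 2 that egress controls deny an attacker both exfiltration and command and control, can be made concrete as detection rules over flow logs. The following added example (written for this article, not Accenture's Splunk content) runs three such rules in Python over a handful of constructed log lines: a protected segment talking to a destination outside its allow-list, a burst of denied accesses from one host, and more bytes than expected leaving a protected segment. The log format, segment names, allow-list and thresholds are assumptions made for the example.

```python
"""Added example for Step 4: pre-defined detections run over traffic logs.

Illustrative code written for this article, not Accenture's Splunk content.
The flow-log format, segment names, egress allow-list and thresholds are
assumptions; the log lines are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Per protected segment, the only destinations it is expected to talk to
# (assumed). Anything else is an unexpected egress: a possible C2 callback
# or exfiltration channel.
PROTECTED_EGRESS = {
    "pci": {"access-proxy", "siem-collector"},
    "hr": {"access-proxy", "siem-collector"},
}
DENY_BURST = 3                        # this many denies ...
DENY_WINDOW_S = 60                    # ... within this many seconds from one host
VOLUME_THRESHOLD = 50 * 1024 * 1024   # bytes out of a protected segment per host

# Constructed sample flow log: "timestamp src_segment src_host dst dport bytes verdict"
SAMPLE_LOG = """\
2021-10-04T09:00:01Z access-proxy proxy-1 cardholder-db 5432 8192 allow
2021-10-04T09:00:05Z pci cardholder-db siem-collector 514 2048 allow
2021-10-04T09:00:09Z pci cardholder-db 203.0.113.7 443 71303168 allow
2021-10-04T09:01:00Z desktop lap-17 hr-records 443 0 deny
2021-10-04T09:01:05Z desktop lap-17 hr-records 443 0 deny
2021-10-04T09:01:09Z desktop lap-17 hr-records 443 0 deny
2021-10-04T09:01:20Z access-proxy proxy-1 prod-dns 53 120 allow
"""


def parse(log_text):
    """Turn the text log into a list of flow dicts."""
    flows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, seg, host, dst, dport, nbytes, verdict = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "seg": seg, "host": host, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes), "verdict": verdict,
        })
    return flows


def detect(flows):
    """Return (rule, host, detail) findings for the pre-defined conditions."""
    findings = []

    # Rule 1: a protected segment reaching a destination outside its allow-list.
    for f in flows:
        allowed = PROTECTED_EGRESS.get(f["seg"])
        if allowed is not None and f["verdict"] == "allow" and f["dst"] not in allowed:
            findings.append(("unexpected-egress", f["host"],
                             "%s -> %s:%d" % (f["seg"], f["dst"], f["dport"])))

    # Rule 2: a burst of denied accesses from one host (a mistake, or probing).
    denies = defaultdict(list)
    for f in flows:
        if f["verdict"] == "deny":
            denies[f["host"]].append(f["ts"])
    for host, times in denies.items():
        times.sort()
        for i in range(len(times) - DENY_BURST + 1):
            span = (times[i + DENY_BURST - 1] - times[i]).total_seconds()
            if span <= DENY_WINDOW_S:
                findings.append(("deny-burst", host,
                                 "%d denies within %.0fs" % (DENY_BURST, span)))
                break

    # Rule 3: total bytes leaving a protected segment per host above a threshold.
    egress = defaultdict(int)
    for f in flows:
        if f["seg"] in PROTECTED_EGRESS and f["verdict"] == "allow":
            egress[f["host"]] += f["bytes"]
    for host, total in egress.items():
        if total > VOLUME_THRESHOLD:
            findings.append(("egress-volume", host,
                             "%d bytes out of protected segment" % total))

    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(parse(SAMPLE_LOG)):
        print(rule, host, detail)
```

On the sample log the database host in the pci segment is flagged twice, once for talking to an external address that is not on its allow-list and once for the volume it sent, while the desktop that was refused three times in nine seconds is flagged as a deny burst. Rules 1 and 3 only fire on flows the policy allowed, which is the point: logging lets you catch what enforcement let through, and each finding feeds back into tightening the allow-list.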

Step 5: Make a Long-Term Commitment, But Take Those First Steps

Zero trust is “a continuous journey,” says Burkhardt. Choose a small system to use as a test case and make sure that all controls, logging and monitoring are in place. “There is no reason to go big. Make it very small. Then make it big.”

Kindervag adds, “Focus on protecting the keys to the kingdom, the crown jewels. Do it gradually and in a non-destructive way.”

At Accenture, even though the company was operating on zero trust principles before the term was coined, there is always more work to be done. Burkhardt says the focus is on the cloud these days. With application development taking place in the cloud, applications migrating to the cloud and more data than ever stored in the cloud, Burkhardt “stays on top of new cloud vendor offerings” aimed at applying the principles of zero trust.

His recommendation to other CISOs is to understand that the security landscape has changed over the past few years. Think nation-state attacks, SolarWinds, ransomware. The status quo is no longer enough.

“The teams know the world is changing and they have to change with it. It can be scary, but the best thing you can do is embrace the change, understand that the perimeter model has had its value for many years, but zero trust is much more flexible and it is the only way to succeed in the public cloud.”

Copyright © 2021 IDG Communications, Inc.
