From Zero to One (keep calm and trust no one)
Following up from my previous post, it is clear that the traditional approaches to securing enterprise networks are becoming less relevant by the day. This is due to changes in the threat landscape (insider threats, more sophisticated attacks), the changing enterprise IT architecture (now comprising on-prem, cloud and anything in between) and, perhaps most significantly, the shift from “Security-First” IT policies to a “Business-First” approach. Running a modern business requires that employees be able to connect to the enterprise network from everywhere, and from every device type. It also means that they rely on cloud-based products that aren’t under enterprise supervision.
Zero Trust
Zero Trust, introduced by analyst firm Forrester Research, is an alternative architecture for IT security.
Since the concept was branded in 2010, Google and Gartner have followed suit with similar yet different approaches. These are not always consistent with one another (to read more about the nuanced differences between these and the original Zero Trust, see here), so I will try to explain and clarify, to the best of my ability, what Zero Trust means and why organizations need to consider this approach seriously.
Traditional security models operate on the (now outdated) assumption that everything inside the perimeter is trusted. Since most security mechanisms are designed to protect the perimeter, threats that get inside the network are largely left undetected and free to conduct lateral movement as they please.
Zero Trust’s main principle is “never trust, always verify”. As such, it offers a dramatic departure from traditional thinking; in a sense, it is a philosophy, an “ideal” to strive towards, and it requires the organization to change its security mindset (and to accept that traditional measures are insufficient and will leave the organization exposed).
It enables greater flexibility: instead of defining a few segments in advance and structuring a deterministic policy, the organization can generate and manage endless micro-segments based on its assets. For each, you can define a dynamic policy that can be implemented with ease, supporting scale and future growth.
Addressing Lateral movement
Zero Trust is designed, among other things, to address lateral (or “East-west”) movement of threats within the network.
In the past couple of years, the volume of East-West traffic has grown tremendously as a result of virtualization and convergence. Today, network controllers, virtual machines (VMs) and other devices perform various functions and services that previously ran on physical hardware. This contrasts with the past, when most traffic was “North-South” traffic (client-to-server traffic moving between the data center and a location outside the data center network, and therefore passing through the firewall).
The problem is that firewalls, IPS and similar perimeter controls never inspect this type of communication. Zero Trust is all about creating visibility and control over the ever-changing network and constantly monitoring these movements.
Among Zero Trust’s principles:
- Verify the user - a simple username and password do not prove the identity of a user. It is easy to compromise an identity, so access controls must be strengthened to confirm identity assurance. The organization can achieve this using Multi-Factor Authentication (MFA), geo-location and time of connection (context), anomaly detection, and by ensuring devices are secured as required.
- Per-device security – organizations need to be able to isolate, secure and control every device on the network at all times. This enables blocking any infected device, such as a workstation or IoT device, from accessing corporate data and assets.
- Data security – not surprisingly, it is all about the data. The organization needs to be able to classify and manage data distributed across devices, SaaS applications, databases, etc., regardless of where the data is located. This includes, among other things, encryption of stored and transferred data and the use of advanced Data Leak Prevention (DLP).
Oh, there’s that cloud thing…
If addressing East-West traffic wasn’t tricky enough, organizations are now faced with the challenging reality of managing unified security for on-prem and cloud applications and infrastructure. Zero Trust is aimed at facilitating this, since it brings security closer to the application workloads by:
- Identifying and validating both sides of application communication in the environment
- Defining security policies in terms of the identities of the communicating applications
- Deploying according to the dynamic environment, regardless of the underlying infrastructure
It is important to note that Zero Trust doesn’t mean you never trust. It means you trust based on the verified identities of the entities and transactions themselves. Verifying identity with Zero Trust means that every time communication on the network is requested, the fingerprint of the system and workload must be validated.
The Challenge? - Easier said than implemented
One word about adopting Zero Trust. It is a process involving multiple stakeholders.
It might help generate a win-win scenario between the DevOps and the security teams, which would result in a great win for the organization. However, it is a process and requires work.
To implement Zero Trust:
- Identify your assets
- Analyze the flow of data to establish a baseline
- Apply protection as close to the assets as possible, taking into account users, devices, workloads and data stores.
- Apply automated monitoring and adjustments: automation is vital!
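As an added illustration (not code from the original post or from any vendor named in it), the following Python sketch ties the four steps together: a baseline of observed application flows becomes a default-deny allow-list keyed on workload identity rather than IP address, and every East-West request is then checked for identity, device posture, MFA and time-of-day context before it is allowed. All identities, addresses and flows are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One East-West connection request (all values constructed).
    src_ip is carried only to show that the decision never depends on location."""
    src_identity: str      # verified workload identity, e.g. a service name
    dst_identity: str
    port: int
    src_ip: str
    device_healthy: bool   # posture/fingerprint check of the source passed
    mfa_verified: bool     # user behind the request passed MFA
    hour: int              # local hour of the request, 0-23

# Constructed baseline: legitimate flows observed during the
# "analyze the flow of data" step. Anything not listed here is denied.
BASELINE_FLOWS = [
    Flow("web-frontend", "orders-api", 443, "10.0.1.5", True, True, 10),
    Flow("orders-api", "orders-db", 5432, "10.0.2.7", True, True, 11),
    Flow("web-frontend", "orders-api", 443, "10.0.1.6", True, True, 14),
]
BUSINESS_HOURS = range(7, 20)

def build_baseline(flows):
    """Allow-list keyed on (src identity, dst identity, port); IPs are dropped."""
    return {(f.src_identity, f.dst_identity, f.port) for f in flows}

def evaluate(flow, baseline):
    """Default-deny decision for one request; returns (decision, reason)."""
    if (flow.src_identity, flow.dst_identity, flow.port) not in baseline:
        return "DENY", "not in identity baseline: possible lateral movement"
    if not flow.device_healthy:
        return "DENY", "source device failed posture check"
    if not flow.mfa_verified:
        return "DENY", "identity not MFA-verified"
    if flow.hour not in BUSINESS_HOURS:
        return "STEP_UP", "known flow outside business hours: re-verify"
    return "ALLOW", "verified identity, baselined flow, healthy device"

def audit(flows, baseline):
    """Step 4: evaluate a batch and return every non-ALLOW decision for monitoring."""
    findings = []
    for f in flows:
        decision, reason = evaluate(f, baseline)
        if decision != "ALLOW":
            findings.append((f.src_identity, f.dst_identity, decision, reason))
    return findings
```

Note that a request from the same verified identity at a new address is still allowed, while a request from an “internal” address to a destination that was never baselined is denied: location is not a trust signal.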
Not everything needs to happen at once. It needs to be driven by business and security needs. As this field is a “hot” topic, it is easy to find comprehensive “how-to” guides. Organizations can also discuss and consult with the numerous vendors out there offering a solution, such as Luminate (recently acquired by Symantec), EDGEWISE, Perimeter81, Guardicore, and others. I would be remiss not to mention that we at Check Point also provide a comprehensive solution (see link).
Zero Trust uses the latest technology to increase security for the modern agile business. It offers more control, reduced breach risk, increased agility, and even greater compliance. It is not for everyone, and it is not a silver bullet solving all security challenges, but it is a security concept you definitely need to explore.
Keep Safe!
Dotan
Comments

Government Project Management Team, 5 years ago: There is always water flash between Apps and security. But the question is what is the source of that flash?

Map it, build it, use it. Improve it, 5 years ago: When some of my peers hear me say zero trust, there's nervous laughter or stoicism... like, "her doesn't mean men, does he?"

Sales Account Executive for Large Enterprises @ Zscaler, 5 years ago: Very nice approach!!! I like it.

Sr. Identity GTM Specialist @ AWS, 5 years ago: Dotan, great article, enjoyed reading it.

Rare Dad, Entrepreneur (x2 exits), Mentor, Creating and Scaling SaaS Platforms, Skilled in UX, Growth Strategies, Brand, and GTM motion, 5 years ago: Nice article :)