John Stock, product manager, Outpost24, discusses how organisations can improve security by implementing zero-trust models.
In the recently released Verizon Data Breach Investigations Report, it was revealed that 34 percent of breaches in 2018 involved insiders. This is a significant number and while it is hard to tell if the insiders were acting maliciously or unintentionally, it does show the damage unmonitored employees can create.
As a result, it is important that all employees are treated as a possible security threat as this can help organisations detect ambiguous events much faster and before any real damage occurs. To help achieve this, many of today’s leading organisations are applying zero-trust models across their users and devices to help strengthen their overall security posture, a concern which has only increased where companies have embraced the concept of ‘Bring Your Own Device’ (BYOD).
A zero-trust model essentially means organisations are ensuring that every new network device or user passes a trustworthy test before they can be allowed access to the network, which inherently reduces the risk of breach in the first place and reduces the risk of any successful breach going undetected. It essentially banishes the trust as a ‘by default’ concept and demands trust be earned by users and devices before it is given.
If an organisation is validating every device, verifying every user and enforcing granular access permissions to determine the who, what and how of data access, they will then start to win the battle against threat actors both inside and out of their perimeter.
If an organisation thinks about all its assets as being external and internet facing, it becomes clear that all assets will require appropriate levels of security scanning before they can be considered trustworthy. The real beauty of this strategy is, the organisation has no inherent trust in anything, security controls can be focused where they can provide the greatest benefit to the organisation.
This saves businesses time, money and improves the overall security posture; and that’s the zero-trust win-win in a nutshell.
So, considering all the benefits, how can an organisation go about effectively implementing a zero-trust model within its environments?
Also of interest: What’s the big deal about zero trust?
Implementing a zero-trust strategy
There is a common misconception that zero-trust is both costly and complex to implement effectively across an organisation. While this was, indeed, the case in the past it is becoming much easier, and cheaper today.
When an organisation decides to implement a zero-trust strategy they must first identify which environments they intent applying it to; is it just on-premise assets or do they want to apply it in the cloud as well? One this has been decided, it is important to focus the zero-trust model on three main concepts:
You can’t protect what you cannot see, and a zero-trust strategy demands visibility into business assets from the perspective of what data you have and how sensitive it is, who (and what) uses that data and when, along with where the potential security risk sits.
Visibility needs to be end-to-end, across the entire network, and ideally viewed from a single pane of glass perspective. Without such visibility you cannot effectively operate in a whitelist, trusted only, mode: visibility brings knowledge of what is plugged into the network (devices and users alike) and confidence in contextualizing that activity.
Because the operational demands of the business will constantly change, a zero-trust strategy demands a dynamic approach to policy configuration. This alone makes the process something that is best handled automatically rather than manually, otherwise time pressures will inevitably lead to errors and negate the whole point of zero-trust in the first place.
An automatic, intelligence-led, solution can effectively produce a meaningful risk analysis of every new device, application and traffic flow in order to only trust those where no potential issues (in terms of security vulnerability or compliance violation) are identified.
This is where point one and two merge, because without visibility and automation you are unlikely to successfully enforce the kind of ‘micro-perimeter’ segmentation that is required, where the access controls are as close to the protected assets as you can get them, given that this will change when application requirements change for example.
By getting these core concepts delivered, the zero-trust model can make significant ground in transforming how an organisation manages its security, reduces the risk of data breach while at the same time aligning with its operational business needs and helping save money.