What is Zero Trust and How do you Achieve it?
According to McAfee Labs’ Threat Report, nearly 500 new cyber threats emerged every minute in Q4 of last year. With today’s increasingly risky cyber environment, how do you know which devices, applications and users you can trust?
The Zero Trust approach, which originated at Forrester Research nearly a decade ago, holds that organizations should not assume that anything inside or outside their network perimeter can be trusted. However, when the approach was originally developed, the focus was largely on security risks outside of company walls, leading organizations to deploy firewalls in an attempt to keep the bad guys out.
The traditional thinking for many years was that everything inside the firewall was trustworthy (the network, employees, devices), while everything on the outside was suspect. But today, this frame of mind leaves organizations with a false sense of security.
An Open Door for Attackers
With countless devices connected to your business and your networked systems connected to the internet, attackers have open doors at their fingertips. Time and time again, we see data breaches made possible by an attacker gaining access to a firewall or other vulnerable entry point. For example, many headline-worthy hacks on industrial control systems have involved a multi-stage attack, with attackers leveraging the weakest link. We first saw this during the cyber-attack on the Ukraine power companies, with attackers accessing a corporate network to work their way into the SCADA network.
Whether you’re responsible for critical services powered by industrial control systems or for behind-the-scenes networking at a medium-sized enterprise, our hyper-connected way of doing business today makes it increasingly difficult to trust anyone or anything.
The Need to Evolve Zero Trust
The reality is that cybersecurity work is never done. It’s time to do away with the “inside is good, outside is bad” mentality and instead focus on more specific decisions based on who or what is trying to gain access and whether they should be allowed to do something with the information. These types of granular controls have been available for years in operating systems and devices, but trying to combine privileges and controls can quickly become complex, particularly with the fast pace of business operations.
If you accept the fact that most networks will eventually get hacked, due to the increased connectedness and complexity of business operations, embracing Zero Trust is a great way to limit the damage — if you evolve the original definition.
Segmentation Boosts Network Defense
Segmentation is a must-have element of a Zero Trust approach, limiting the risk that comes with access and limiting access to the portions of information you can control. In industrial, government or enterprise settings, many systems were never designed with security in mind, but are now connected to public networks to boost convenience and productivity. But they simply can’t withstand that type of exposure, leaving them poorly defended.
When embarking upon Zero Trust, shifting to a network segmentation philosophy has the quickest impact and the highest payoff, allowing you to protect systems in which security wasn’t traditionally a requirement.
Here are four ways to get started:
Don’t bite off more than you can chew. Segmentation doesn’t need to be a massive undertaking. Start with three to five operational networks that shouldn’t be talking with each other — only to themselves. By segmenting that part of the business, you significantly reduce potential attack vectors that could then run amuck across your entire network.
Shop around. Segmentation with SDNs, for example, is an attractive option. Implemented in the cloud or within data centers, it gives you operating system-level control while providing easier management and access control at the network level.
Protect your organization’s productivity. Segmentation shouldn’t impact productivity in order to enhance security. IoT and IIoT should be able to deliver on their economic imperative in terms of connectedness, insight and productivity, and systems should be protected without impacting day-to-day operations. Your employees, customers and partners should still have secure connectivity wherever and whenever it is needed.
Ditch the complexity. It’s easy to deny there’s a security problem until it’s absolutely essential to make a change. A breach can do just that, causing organizations to look for the quickest way to remediate risk. But that doesn’t mean the answer has to be complex. Segmentation should give you the peace of mind that your most critical infrastructure is secure without requiring network configuration changes, significant IT management oversight or dependence on external network infrastructure.
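As an added example (not part of the original article), here is a small Python audit of the first step above: it takes three segments that should talk only to themselves and lists the flows that default-deny enforcement would block, so the productivity impact can be reviewed before any rule goes live. The segment names, address ranges and flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed segments: three operational networks that should talk only to themselves.
SEGMENTS = {
    "scada":     ipaddress.ip_network("10.10.0.0/24"),
    "building":  ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed flow records (src, dst, dst_port), as might be exported from flow or firewall logs.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.10.0.9", 502),     # SCADA to SCADA: stays inside the segment
    ("10.30.4.17", "10.10.0.9", 502),    # corporate host reaching a SCADA device
    ("10.30.4.17", "10.30.8.2", 445),    # corporate to corporate
    ("10.20.0.3", "10.30.8.2", 443),     # building systems reaching corporate
    ("10.30.4.17", "10.10.0.9", 502),    # repeat of the corporate-to-SCADA flow
    ("10.10.0.5", "203.0.113.7", 443),   # SCADA device reaching an unsegmented address
]

def segment_of(addr):
    """Return the name of the segment containing addr, or None if unsegmented."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def is_allowed(src, dst):
    """Default deny: a flow is allowed only when both ends are in the same segment."""
    s, d = segment_of(src), segment_of(dst)
    return s is not None and s == d

def audit(flows):
    """Count flows that enforcement would block, keyed by (src_segment, dst_segment, port)."""
    blocked = Counter()
    for src, dst, port in flows:
        if not is_allowed(src, dst):
            key = (segment_of(src) or "unsegmented", segment_of(dst) or "unsegmented", port)
            blocked[key] += 1
    return blocked

if __name__ == "__main__":
    for (s, d, port), n in audit(SAMPLE_FLOWS).most_common():
        print(f"{n:3d} flow(s) {s} -> {d} port {port} would be blocked")
```

Each reported pair is either a dependency to allow explicitly or traffic that should not exist; resolving the list before enforcing keeps day-to-day operations unaffected.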
There is no one magic solution to achieving Zero Trust. The approach continues to evolve, as do the cyber-attacks that make Zero Trust so important. By taking advantage of segmentation, you can trust that you are taking critical steps needed to protect your infrastructure today from the looming threats of tomorrow.