No need to belabour the point. We all know that trying to defend the network perimeter is a bit futile in today’s mobile and cloud first world. So, the obvious question – what’s next?
Vendors are quick to come to your aid with their latest, next generation, virtualized, machine learning and AI based security platform. Industry analysts on the other hand are proposing various security frameworks and approaches for reducing risk. Whether it’s Gartner with its Continuous Adaptive Risk and Trust Assessment (CARTA) or Forester with its Zero Trust security approach.
The good news for defenders is that there are plenty of frameworks and options to help reduce risk. As a bonus, most are based on basic security 101 wisdom such as default deny, or least privilege, or contextual security controls, but with a new twist.
Today we are going to focus on Zero Trust. And not the RSA Conference vendor exhibition version of “Do you have a second so I can show you our Zero Trust firewall/anti-virus/etc.?” This is more about the Zero Trust security model evangelized by various Forrester analysts. I will assume you already know what the model is all about, or if not, go catch up on some of the work done by analyst Chase Cunningham.
This article is more about how to get from where you are today to a Zero Trust security posture. As with most things worthwhile, they don’t happen overnight. Zero Trust is a journey. But if you don’t start, you are never going to finish. In this article, we will share five best practices businesses should think about when moving towards a Zero Trust security model.
1. Provide users only access to apps and not the entire network
Most legacy remote access tech such as VPNs aren’t really capable of dealing with today’s perimeter-less world. Access to specific applications based on entitlement, user identity, device posture, authentication, and authorization is essential to moving towards a Zero Trust security model.
This approach reduces risk from lateral movement as full network access is never offered. As a bonus, it also can provide a better user experience, increases workforce productivity and reduces IT helpdesk tickets. We have also seen that organizations that have adopted Zero Trust architectures have found that it lowers the hours spent updating firewall rules and maintaining hardware and software. And, as with all good security controls, it provides visibility and insights on who is accessing what apps and where data is going.
2. Isolate your network infrastructure from the public Internet
What’s the old adage? You can’t attack what you can’t see? Exposing internal apps and access infrastructure on the Internet is asking for trouble. Take your pick from DDoS, SQL injection, and other application layer attacks. Hackers are getting crafty and using modern techniques to scan enterprise network infrastructure to discover exposed applications and valuable data.
Application and access infrastructure must be isolated from the Internet with no public exposure so that it cannot be targeted by malicious actors using open ports. If hackers cannot find the network and determine which applications and services are running, they often struggle to attack it.
3. Protect corporate apps from application-layer attacks
We all know targeted attacks are on the rise. Attackers are using information learned from social media to target users within a specific organization. They have done their reconnaissance to learn about what apps you might have access to and then design application layer attacks for a particular vulnerable app. In many cases, targeted users’ devices are being pwnd and used as a pivot point to execute attacks on corporate apps in a supposedly safe behind-the-firewall environment. As Game of Thrones fans have learned – walls don’t work and neither do perimeter-based security architectures.
4. Put Identity, authentication, and authorization in place before providing access to users
Just to state the obvious, weak credentials (admin/admin anyone?) and reuse of passwords across multiple apps significantly increase an enterprise’s attack surface and risk. Multi-Factor Authentication (MFA) can help and is a no brainer at this point. Once the user is authenticated and authorized through MFA, Single Sign-On (SSO) can help users to log in with a single set of credentials to all apps, without needing to re-authenticate each time or getting sidetracked by syncing issues. Another plus is that SSO becomes a single control point for all the apps you control in your environment.
Making continuous access decisions on a multitude of signals, plus adding MFA and SSO across laaS, on-premises, and SaaS applications enables stronger authentication, which ultimately contributes to reducing risk. As a bonus, not only are we improving security posture and visibility, but also improving end-user experience at the same time.
5. Monitor Internet-bound traffic and mitigate malware and phishing
But it’s not just about keeping an eye on apps you control. What about all the apps and destinations you don’t control? Start with visibility into Internet bound traffic. The easiest way to do that is by using recursive DNS. DNS is an often-overlooked security control by most enterprises. Security controls should analyze all DNS requests coming from company devices or networks — including laptops and Internet of Things (IoT) devices — to ensure that they are not headed for malicious or unacceptable sites. Make sure to monitor and analyze traffic behavior for signs of suspicious activities such as communication with a command and control (CnC) server or data exfiltration, and alert/deny accordingly. The good news is that DNS lookups happens before traffic even gets to your corporate environment significantly reducing the cycles spend on malware and phishing remediation.
Bottom line, as with all security and IT projects find an easy, early win. Start your Zero Trust journey with a specific use case, app or user population. That way, you can show some success to gain valuable experience, make your internal selling so much easier and prove out any new architectures or technologies. The five areas outlined above should help. But remember, as with most things worthwhile, they don’t happen overnight. It is the same with building a Zero Trust security model. It is a journey.