In a risk landscape as complex as today’s, the Zero Trust approach is critical for businesses, but it won’t happen overnight. While the technologies that support Zero Trust are moving into the mainstream, the security strategy could fail due to a lack of understanding.
Never trust, always verify. In today's complex cybersecurity landscape, where sophisticated attacks are the norm, Zero Trust is an essential component of any organisation's security plan, whether inside or outside the firewall, on the endpoint, the server, or in the cloud.
The Zero Trust Network, or Zero Trust Architecture, model was created in 2010 by John Kindervag, a principal analyst at Forrester Research Inc at that time.
Now, a decade later, CIOs, CISOs and other corporate executives are increasingly implementing Zero Trust as the technologies that support it move into the mainstream, and as the pressure to protect enterprise systems and data grows significantly.
“A Zero Trust strategy will be top of mind for many organisations because its principles — verify explicitly, grant least privileged access, and assume breach — help maintain security amid the IT complexity,” Vasu Jakkal, Corporate Vice President, Security, Compliance and Identity, Microsoft, wrote in a post earlier in May.
Why Zero Trust? Consider these statistics:
According to the World Economic Forum Global Risks Report 2020, cyberattacks rank first among global human-caused risks and Cybersecurity Ventures predicts that by 2021 cybercrime will cost the world $11.4 million each minute.
The 2020 Cost of a Data Breach IBM Report found the average total cost of a data breach is $3.86 million.
Trend Micro blocked more than 32 million threats in the UAE during 2020.
Gartner forecasts that over the next five years, the Secure Access Service Edge market will grow at a CAGR of 42 per cent, reaching almost $11 billion by 2024.
In addition, Gartner predicts that spending on Cloud Access Security Broker (CASB) solutions will grow 40.7 per cent in 2021, 36.7 per cent in 2022 and 33.2 per cent in 2023, outpacing all other information security markets.
Of late, a number of security vendors have assembled strong approaches to Zero Trust security, taking a substantial early lead over standalone solutions.
In April, to address challenges related to security, including cloud access, discovery, monitoring, data protection, policy enforcement and compliance in the Middle East, CyberKnight partnered with Lookout, an integrated endpoint-to-cloud security company, to distribute its products in Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates. The Lookout Secure Access Service Edge (SASE) solution delivers the market’s leading approach to integrated Mobile Endpoint Security, Zero Trust Network Access (ZTNA), and Cloud Access Security Broker (CASB).
Also recently, Onclave Networks, a provider of security for operational technology (OT/IoT) through private networks, partnered with Loko AI to bring Zero Trust to Loko AI's data security and network protection initiatives. Loko AI launched Caretaker, a real-time autonomous surveillance platform that makes video management systems obsolete. “Our network protection platform is designed from the ground up and built with Zero Trust in mind. We start with a closed, secure network and go beyond just detection with continuous real-time monitoring, isolation and containment capabilities to prevent data breaches,” said Don Stroberg, CEO of Onclave.
For security operation centres to achieve Zero Trust access visibility, Vectra AI, together with Zscaler Private Access, will provide end-to-end access visibility and protection from remote workers to business-critical applications.
To meet the Zero Trust security challenge head-on, in 2018 Cisco acquired Duo Security, an identity and access management leader, adding to its ever-expanding security portfolio. Combined with its Tetration micro-segmentation technology and its SD-Access policy and network access solution, Cisco is a leader in the Zero Trust security market. In 2019, Palo Alto Networks' acquisitions of Twistlock, RedLock, PureSec and CloudGenix extended its security offerings into the cloud, containers and SD-WAN.
Also, Unisys, leveraging its work in high-security government agencies, created Stealth, a platform that includes what Forrester called “one of the few real applications of actual machine learning that we’ve seen in production in any security analytics or automation system.” The Stealth software suite offers visibility, micro-segmentation, identity, cloud and mobile support, and services.
Even Symantec has assembled a comprehensive portfolio of Zero Trust offerings.
In May, Microsoft announced passwordless authentication and Temporary Access Pass in Azure Active Directory (Azure AD), its cloud identity solution, to help customers strengthen their access controls and simplify the user experience.
There is no dearth of Zero Trust offerings; however, the success of Zero Trust depends on a clear understanding of how and why it works. It involves thinking beyond perimeter security and moving to a more holistic security approach. To introduce it, an organisation needs to implement controls and technologies across all foundational elements, such as devices, applications, data, infrastructure, and networks.
Some of the important strategies to adopt include:
Identify the total attack surface
Visibility is foundational to being able to manage and control everything on the network. A Zero Trust approach must initially and continuously discover and classify all entities on the extended enterprise network, not just those that are “managed” or that have endpoint agents installed.
As Bret Arsenault, Microsoft’s CISO, said, “Hackers don’t break in. They log in.” Incorporating multi-factor authentication or continuous authentication into the identity management strategy can substantially improve an organisation’s information security posture. Zero Trust will only work if it is transparent to the end-user. For example, the endpoint can be one of the factors for multi-factor authentication. BitLocker helps businesses to protect data. It has several enhancements, such as comprehensive modern management, role-based access controls for recovery passwords, recovery password search, and recovery password auditing.
Segment your corporate network
Segmenting networks and conducting deeper in-network micro-segmentation is important for Zero Trust because in a mobile- and cloud-first world, all business-critical data is accessed over network infrastructure. Networking controls provide critical functionality to enhance visibility and help prevent attackers from moving laterally across the network.
Secure your devices
The same security policies are applied whether the device is corporately owned or a personally owned phone or tablet, also called a “bring your own device” (BYOD). Corporate, contractor, partner, and guest devices are treated the same whether the device is fully managed by IT or only the apps and data are secured. And this is true whether these endpoints — smartphone, tablet, wearable, or IoT device — are connected using the secure corporate network, home broadband, or public internet.
Segment your applications
Finding the right balance between providing access and maintaining control to ensure that apps, and the data they contain, are protected will help an organisation benefit fully from cloud apps and services. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behaviour, restrict user actions, and validate secure configuration options.
Map the data flows
Organisations need to understand how data flows across the extended network and between people, devices and applications. They must map the flows to logical, business-relevant groupings of users, devices and applications. Only then can multiple stakeholders, including application developers and business users, apply their expertise to understand what flows should be considered acceptable and which should be investigated further.
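The mapping step described above, and the segmentation baseline it feeds, can be made concrete with a small script. This is an added example, not code from the article or from any vendor it names: the asset inventory, the agreed flow policy and the flow log lines are all constructed, and the "allowed / investigate / unknown-asset" verdicts are this example's own labels. It resolves each observed flow to business-relevant groups, compares the pair against the flows stakeholders have agreed are acceptable, and separates flows that touch an endpoint discovery never inventoried (a visibility gap) from inventoried endpoints talking outside the agreed map (a segmentation candidate to investigate).

```python
"""Map observed network flows onto business groups and flag unexpected ones.

Added example, not from the article. The inventory, the allowed-flow policy
and the flow records below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed asset inventory: the business-relevant group each subnet belongs to.
INVENTORY = {
    "10.10.0.0/24": "hr-workstations",
    "10.20.0.10/32": "hr-app",
    "10.30.0.5/32": "payroll-db",
    "10.99.0.0/24": "guest-wifi",
}

# Constructed policy: flows stakeholders have agreed are acceptable,
# expressed as (source group, destination group, destination port).
ALLOWED_FLOWS = {
    ("hr-workstations", "hr-app", 443),
    ("hr-app", "payroll-db", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def group_of(ip: str) -> Optional[str]:
    """Resolve an IP to its business group, or None if it was never inventoried."""
    addr = ipaddress.ip_address(ip)
    for cidr, group in INVENTORY.items():
        if addr in ipaddress.ip_network(cidr):
            return group
    return None


def classify(flow: Flow) -> str:
    """Return 'allowed', 'unknown-asset' or 'investigate' for one flow."""
    sg, dg = group_of(flow.src), group_of(flow.dst)
    if sg is None or dg is None:
        return "unknown-asset"  # visibility gap: an endpoint discovery missed
    if (sg, dg, flow.dport) in ALLOWED_FLOWS:
        return "allowed"
    return "investigate"  # inventoried endpoints talking outside the agreed map


def parse_flow_log(lines):
    """Parse constructed 'src dst dport' lines into Flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def map_flows(lines):
    """Return (verdict counts, flows needing review) for a flow log."""
    verdicts = {f: classify(f) for f in parse_flow_log(lines)}
    counts = Counter(verdicts.values())
    review = sorted(
        (f for f, v in verdicts.items() if v != "allowed"),
        key=lambda f: (f.src, f.dst, f.dport),
    )
    return counts, review


# Constructed flow records: src dst dport
SAMPLE_LOG = """
# hr workstation to hr app over TLS, then hr app to payroll db
10.10.0.15 10.20.0.10 443
10.20.0.10 10.30.0.5 5432
# a workstation reaching the database directly, bypassing the app tier
10.10.0.22 10.30.0.5 5432
# guest wifi reaching an internal app
10.99.0.7 10.20.0.10 443
# a destination nobody has inventoried
10.10.0.15 172.16.5.9 445
"""

if __name__ == "__main__":
    counts, review = map_flows(SAMPLE_LOG.splitlines())
    print(dict(counts))
    for f in review:
        print(f"{classify(f):14} {group_of(f.src)} -> {group_of(f.dst)}:{f.dport}"
              f"  ({f.src} -> {f.dst})")
```

Run on the constructed log, two flows match the agreed map, two inventoried flows (workstation straight to the database, guest Wi-Fi to an internal app) are queued for stakeholder review, and one flow reaches an address the inventory does not know, which is exactly the kind of entity the "discover and classify everything" step is meant to surface before a segmentation policy is enforced.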
Earlier in May, Microsoft introduced new conditional launch settings with App Protection Policies in Microsoft Endpoint Manager. These controls can block access or wipe data based on conditions such as maximum OS version, jailbroken or rooted devices, or require Android devices to pass SafetyNet attestation.
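The device and identity conditions discussed above (multi-factor authentication as a gate, the same policy for corporate and BYOD devices, and conditional launch settings that block or wipe on OS version, jailbreak/root state or a failed attestation) fit naturally into a single deny-by-default decision. The following is an added example written for this page, not Microsoft's or any vendor's implementation: the signal names, the policy thresholds and the request records are constructed, and the mapping of "integrity failure wipes, hygiene failure blocks" is this example's own design choice rather than a description of how a particular product behaves.

```python
"""Deny-by-default access decision from identity and device-posture signals.

Added example, not the article's or any vendor's code. Signal names, policy
values and the sample requests are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Device:
    os: str                    # platform name, e.g. "ios" or "android"
    os_version: Tuple[int, int]
    jailbroken: bool           # jailbroken / rooted indicator from the agent
    attestation_passed: bool   # platform integrity check result (assumed signal)
    managed: bool              # fully managed by IT, or only apps/data protected


@dataclass(frozen=True)
class Request:
    user: str
    mfa_satisfied: bool
    app: str
    device: Device


# Constructed policy. Note there is no branch on Device.managed anywhere:
# corporate and BYOD devices are evaluated against the same conditions.
POLICY = {
    "min_os_version": {"ios": (15, 0), "android": (11, 0)},
    "max_os_version": {"ios": (17, 99), "android": (14, 99)},
    "apps_requiring_mfa": {"payroll", "hr-portal"},
    "apps_requiring_attestation": {"payroll"},
}


def evaluate(req: Request, policy=POLICY) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'block' or 'wipe'.

    'wipe' means the conditional-launch control should remove the protected
    app data from the device; 'block' refuses the launch but keeps the data.
    Anything not explicitly satisfied falls through to a denial.
    """
    reasons: List[str] = []
    d = req.device

    # Integrity failures: assume the device is compromised and remove data.
    if d.jailbroken:
        reasons.append("device is jailbroken or rooted")
    if req.app in policy["apps_requiring_attestation"] and not d.attestation_passed:
        reasons.append("device failed platform attestation")
    if reasons:
        return "wipe", reasons

    # Hygiene conditions: refuse the launch, but the data is not at risk.
    min_v = policy["min_os_version"].get(d.os)
    max_v = policy["max_os_version"].get(d.os)
    if min_v is None or max_v is None:
        reasons.append(f"unsupported platform {d.os!r}")
    else:
        if d.os_version < min_v:
            reasons.append(f"OS {d.os_version} below minimum {min_v}")
        if d.os_version > max_v:
            reasons.append(f"OS {d.os_version} above maximum {max_v}")
    if req.app in policy["apps_requiring_mfa"] and not req.mfa_satisfied:
        reasons.append("MFA not satisfied for a sensitive app")
    if reasons:
        return "block", reasons

    return "allow", ["all conditions satisfied"]


# Constructed sample requests exercising each outcome.
SAMPLE_REQUESTS = [
    Request("alice", True, "payroll", Device("ios", (16, 4), False, True, True)),
    Request("alice", True, "payroll", Device("ios", (16, 4), False, True, False)),
    Request("bob", True, "payroll", Device("android", (13, 0), True, True, True)),
    Request("carol", False, "payroll", Device("ios", (16, 4), False, True, True)),
    Request("dan", True, "wiki", Device("android", (10, 0), False, False, True)),
    Request("erin", True, "wiki", Device("windows", (11, 0), False, False, True)),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        decision, why = evaluate(r)
        print(f"{r.user:6} {r.app:9} managed={r.device.managed!s:5} -> {decision:5} {why}")
```

The two "alice" requests differ only in whether the phone is IT-managed and receive the same decision, which is the BYOD point made above; the rooted device is wiped regardless of MFA, the missing MFA on the payroll app is a block that keeps data intact, and an unknown platform is denied rather than silently allowed because nothing in the policy vouches for it.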
With business disruption at an all-time high and organisations operating in a hybrid environment with cloud-based and on-premises applications and data, it’s critical for organisations to have a thorough understanding of Zero Trust to confidently implement it in complex IT environments.