Is the network perimeter dead, or just distributed?
In the earliest days of digital networking, organizations used firewalls as a boundary wall between an organization and the outside risks posed by the internet. It was a security framework that worked well at first — so well, in fact, that the perimeter-first ideology has persisted even to this day, despite the evidence that this approach is no longer effective in modern-day business technology.
"Instead of thinking of the perimeter as one type of access control around the “edge” of the network, think of the perimeter as any place where you make an access control decision."
In today's business network, there is no longer a clear "edge" between outside threats and internal assets. Rather, access is happening in many places distributed within — and outside of — the traditional network perimeter thanks to new technology, BYOD trends, remote endpoints, and more.
The flaws in perimeter-based security stem from the idea that everyone and every device "inside" (or accessing) the corporate network has been properly cleared for access and can therefore be trusted. Today, it is no longer adequate to trust that those inside the “castle” (the perimeter) have crossed the “moat” (most likely firewalls) through trusted authentication unless new methods of authentication and verification are put in place.
John Kindervag, former senior analyst at Forrester, identified these flaws in the process of coining the "Zero Trust" concept and terminology in 2009.
“Trust is always a vulnerability in a digital system.”
— John Kindervag
What is Zero Trust?
Introduced as a security concept back in 2009, Zero Trust is in the limelight today as it has become both more achievable for the average organization and increasingly necessary to adopt.
In simple terms, Zero Trust means to assume that every part of your network is potentially hostile, as if it were directly on the internet, and treat access requests accordingly. Another way to think of Zero Trust in concept, as Kindervag himself put it, is "Always Verify".
Don't be fooled as the buzzword usage increases: Zero Trust is not a "thing" — not a tool or a new technology — it is an ideology. More than that, Zero Trust is becoming the basis for a modern cybersecurity infrastructure strategy.
As technology providers rush to sell a Zero Trust solution, remember that Zero Trust is less about the technology or tools and more about how you configure them.
What are the elements of a Zero Trust approach?
The classic approach to securing corporate resources assumed a few things:
- Every endpoint being used to access resources was owned, issued, and managed by the enterprise
- All users, devices, and applications were in fixed and predictable locations, usually on a corporate network behind a firewall
- One method of verification at the point of initial access was sufficient
- Corporate-managed systems with the same classification could all inherently trust one another
In this old methodology, attackers who make it past one verification point (such as a firewall or a user login) can exploit inherent trust and move laterally within the environment to target sensitive data. We can no longer assume that “internal” entities are trustworthy, that they can be directly managed to reduce security risk, or that authenticating one time at entry is enough. (Cisco Duo)
In a Zero Trust security strategy, you must incorporate the following goals through intelligent infrastructure design and updated configurations:
Minimize business risk and protect your critical assets by limiting access. You can do this by role, or more specifically on a "need-to-know" basis. This is called the Principle of Least Privilege: assign users and devices the lowest amount of privileged access necessary to complete their work, and escalate privileged access only when absolutely necessary.
Re-establishing trust through consistent authentication, even laterally throughout your environment, needs to be part of your new normal. Users, devices, and applications must be authenticated. A low-disruption MFA solution can be part of this configuration to maximize authentication security while minimizing impact on employees' day-to-day tasks.
Take up the assumed breach mentality and make visibility a priority. By enhancing visibility into device and user activities, you can increase your chances of catching a breach through lateral movement or unusual behaviors with the help of detection & response intelligence.
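The contrast between the classic assumptions and the three goals above, as an added example that is not part of the original article: a perimeter check that trusts by source address, next to a per-request decision that checks authentication, device and role and logs every outcome. The role names, resources, address range and 15-minute re-authentication window are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy: each role is granted only the resources it needs.
ROLE_GRANTS = {"payroll-clerk": {"payroll-db"}, "developer": {"git", "ci"}}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical "inside" range
MAX_AUTH_AGE = 900                             # seconds before re-authentication

@dataclass
class Request:
    user: str
    role: str
    resource: str
    src_ip: str
    device_verified: bool
    mfa_passed: bool
    auth_age: int  # seconds since the user last authenticated

def perimeter_decision(req):
    """Classic model: anything arriving from inside the network is trusted."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET

def zero_trust_decision(req, audit_log):
    """Evaluate every request on its own; network location grants nothing."""
    if not req.mfa_passed:
        reason = "mfa-required"
    elif req.auth_age > MAX_AUTH_AGE:
        reason = "reauthenticate"
    elif not req.device_verified:
        reason = "unverified-device"
    elif req.resource not in ROLE_GRANTS.get(req.role, set()):
        reason = "outside-role"
    else:
        reason = "ok"
    # Record allows and denials alike so unusual access attempts stay visible.
    audit_log.append((req.user, req.resource, req.src_ip, reason))
    return reason == "ok"

# Constructed requests: an internal developer session asking for payroll data,
# and a payroll clerk working from outside the corporate network.
lateral = Request("dev1", "developer", "payroll-db", "10.1.2.3", True, True, 60)
remote = Request("clerk1", "payroll-clerk", "payroll-db", "203.0.113.7", True, True, 60)

def demo():
    log = []
    results = [(perimeter_decision(r), zero_trust_decision(r, log)) for r in (lateral, remote)]
    return results, log

if __name__ == "__main__":
    print(demo())
```

The perimeter check allows the internal request for data outside the developer's role and blocks the legitimate remote clerk; the per-request check reverses both outcomes and leaves an audit entry for each.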
Need some help?
Adopting Zero Trust shouldn't require complete reinvention of your infrastructure. The most successful solutions should either layer on top of and support your environment, or integrate into your environment without entirely replacing your existing investments. Not sure how to make that happen for your organization? Reach out to our experts to learn how we can help.