Wednesday, 12th August 2020

Zero Trust – security in times of agility

The COVID-19 pandemic has forced businesses into operating under a “new norm” where the working from home (WFH) model has quickly become the recommended and preferred approach. Indeed, the COVID-19 pandemic is forcing organizations to transform how they conduct business, albeit in a very rapid way. By Shehzad Merchant, Chief Technology Officer at Gigamon.

Digital transformation initiatives that were already in motion are being rapidly accelerated to accommodate the new norm. In the face of such a dramatic shift, already stretched IT and Infosec teams are being placed under considerable amounts of pressure to manage, monitor and secure their infrastructure, data and applications, ensuring business performance and productivity is not impacted.

Making matters worse, bad actors are taking full advantage of the situation, preying on unsuspecting users’ need for information, their fears and their emotions to rapidly stand up phishing campaigns, malicious websites and attachments that ultimately aim to compromise the user’s systems. In many cases the end game is credential compromise. Many organizations accord more trust to users on the Intranet than to users on the Internet. Consequently, users working from home who unknowingly browse potentially malicious websites, or click on doctored COVID maps that download malware, for example, are using those very laptops and systems to VPN into the corporate network, and from there are granted a much wider degree of latitude in their access to different resources. Once a user’s credentials are compromised, the implicit trust associated with that user’s locality of access from the “Intranet” can be taken advantage of to spread malware laterally within the organization, leading to significant impact. It is clear, therefore, that it is no longer possible to tackle security with a dual, Internet-versus-Intranet approach in which assets within the network perimeter are considered safe.

A good way to navigate this minefield and secure an organization is to assume that everything is suspect and adopt a Zero Trust approach. Zero Trust aims to eliminate the implicit trust associated with the locality of user access, for example users on the Intranet versus the Internet, and moves the focus of security to applications, devices and users.

Here are a few key points to bear in mind when embarking on a Zero Trust journey:

Zero Trust is a journey, not a product

What is truly important to understand about Zero Trust is that it isn’t a product or a tool. Zero Trust is a framework, an approach to managing IT and network operations that helps drive protection and prevent security breaches. Zero Trust aims for a consistent approach to security, independent of whether a user is accessing data and applications from the Intranet or the Internet. In striving for this, Zero Trust actually attempts to simplify security by eliminating the need for separate frameworks, separate tools and separate policies based on locality of access (a dedicated VPN infrastructure for remote access, for example), and by ensuring that users have a consistent experience independent of where they are working from. By putting the emphasis on applications, users and devices, i.e. assets, and eliminating the implicit trust associated with internal networks, Zero Trust aims to reduce the overhead of managing the different security infrastructures that today are tied to external versus internal boundaries. Zero Trust accomplishes this by requiring a comprehensive policy framework for authentication and access control of all assets.

Visibility is the cornerstone for Zero Trust

The key to implementing Zero Trust is to build insight into all assets (applications, devices, users) and their interactions. This is essential in order to define and implement a comprehensive authentication and access control policy. A big challenge security teams face today is that access control policies tend to be too loose or permissive, or tied to network segments rather than assets, which makes it easier for bad actors to move laterally within an organization. By putting the emphasis on assets and building out an asset map, policy creation and enforcement can be simplified. And because the policies are tied to assets and not to network segments, the same set of policies can be used regardless of where a user is accessing data and applications from.
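
The contrast between a policy keyed on network segments and one keyed on assets, as an added example (not Gigamon's code, and not a product feature the article describes). The users, groups, subnets, device attributes and rules are all constructed for illustration; the point is that the Zero Trust evaluator never reads the source address, so the same rules apply from the office, the VPN pool or a home connection.

```python
"""Asset-centric access policy versus segment-based implicit trust.

Added example: compares a legacy decision that trusts any request from an
"internal" subnet with a Zero Trust decision that looks only at the assets
involved (user, device, application). All data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # directory groups the user belongs to
    mfa_passed: bool           # strong authentication completed this session
    device_id: str
    device_managed: bool       # device enrolled and compliant with endpoint policy
    source_ip: str
    application: str


# Legacy model: anything arriving from an "Intranet" range is trusted.
# In this constructed example the VPN address pool sits inside 10.0.0.0/8.
INTRANET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def legacy_decision(req: AccessRequest) -> bool:
    """Allow purely on locality of access: internal segment => trusted."""
    return any(ip_address(req.source_ip) in net for net in INTRANET)


# Zero Trust model: rules name assets only; the source network is not an input.
@dataclass(frozen=True)
class Rule:
    application: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True


POLICY = [
    Rule("payroll", frozenset({"finance"})),
    Rule("wiki", frozenset({"staff", "finance"}), require_managed_device=False),
]


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate a request against the asset-centric rules.

    Returns (allowed, reason). Deny by default: an application with no rule,
    or a request failing any rule condition, is refused regardless of origin.
    """
    for rule in POLICY:
        if rule.application != req.application:
            continue
        if not (req.groups & rule.allowed_groups):
            return False, "user not in an allowed group"
        if rule.require_mfa and not req.mfa_passed:
            return False, "strong authentication required"
        if rule.require_managed_device and not req.device_managed:
            return False, "managed, compliant device required"
        return True, "allowed by asset policy"
    return False, "no rule for application"


# Constructed scenarios: stolen finance credentials used from the VPN pool on an
# unmanaged machine, and a legitimate finance user on a managed laptop at home.
STOLEN_CREDS_VIA_VPN = AccessRequest(
    user="alice", groups=frozenset({"finance"}), mfa_passed=False,
    device_id="unknown-laptop", device_managed=False,
    source_ip="10.0.5.17", application="payroll")

REMOTE_FINANCE_USER = AccessRequest(
    user="alice", groups=frozenset({"finance"}), mfa_passed=True,
    device_id="corp-laptop-0042", device_managed=True,
    source_ip="203.0.113.7", application="payroll")


if __name__ == "__main__":
    for name, req in [("stolen creds via VPN", STOLEN_CREDS_VIA_VPN),
                      ("remote finance user", REMOTE_FINANCE_USER)]:
        print(f"{name}: legacy={legacy_decision(req)} "
              f"zero_trust={zero_trust_decision(req)}")
```

The legacy check grants the stolen-credential session full access because it arrives from the VPN pool, while denying the genuine user on a public address; the asset-centric check inverts both outcomes, and the only way to extend it is to add a rule about an asset, never about a subnet.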

Assets can be discovered in many ways. One excellent approach to asset mapping and discovery is to leverage metadata extracted from network traffic, which makes it possible to discover and enumerate assets that other mechanisms may miss. Legacy applications, modern applications built from microservices, connected devices and users can all be discovered through network traffic visibility and their interactions mapped, which in turn makes it possible to build an asset map baseline. Having such a baseline is critical to building the right policy model for authentication and access control.

Encrypt Everything

While authentication and access control are essential in the world of Zero Trust, so is privacy. Authentication ensures that the endpoints of a conversation know who is at the other end. Access control ensures that only the permitted assets can be accessed by the user. However, it is still possible for a bad actor to “snoop” on valid communication and thereby gain access to sensitive information, including passwords as well as confidential data. An area of implicit trust in many organizations today is that communication on the “Intranet” tends to be in clear text for many applications. This is a mistake. We should not assume that communications on the company’s internal network are secure simply by virtue of being on the company’s network. When carrying out any transaction on the Internet we use “https”, which among other things encrypts the data. Communication on the Intranet should be no different. We should work under the assumption that bad actors already have a footprint on our company’s network. Consequently, any communication between users, devices and applications should be encrypted to ensure privacy. This is yet another step towards ensuring that a consistent security framework can be used for users on the Internet and on the Intranet.

Of course, encrypting all traffic on a company’s network makes it harder to troubleshoot application problems and network issues, and harder for security teams to identify threats or malicious activity. Additionally, in specific verticals this can make compliance a challenge, because the activity logs that regulations require can no longer be kept. For this reason, leveraging a network-based solution for targeted decryption of network traffic may be beneficial when moving towards a model where all traffic on the Intranet is encrypted.

Implement a continuous monitoring strategy

Corporate networks are not static. They are continuously evolving, with new users, devices and applications coming online and old ones being deprecated. In these times, where capacity is dynamically scaled up and down, new applications are quickly brought to market and more IT and OT devices are coming online, the network has never been more dynamic. Cloud migration is further changing the very nature of the network, and the notion of what is “internal” versus “external”, in a very dynamic way. Putting in place a framework for authentication, access control and encryption is half the solution. The other half is putting in place a continuous monitoring strategy to detect changes and to ensure that either the changes are compliant with the policy or the policy evolves to accommodate the changes. Monitoring network traffic provides a non-intrusive yet reliable approach to detecting changes as well as identifying anomalies. Network-based monitoring can be used in conjunction with endpoint monitoring to get a more complete view. In many situations network-based monitoring can surface applications and devices where endpoint monitoring has been turned off, either inadvertently or maliciously, or where endpoint monitoring cannot be implemented. Once bad actors get a footprint on a system they typically attempt to turn off or work around endpoint monitoring agents. In many of these scenarios, monitoring network traffic provides a consistent and reliable stream of telemetry data for threat detection and compliance.
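
The asset-map baseline described under visibility, the clear-text check from the encryption section and the drift detection described here can all be driven from the same flow metadata. The following is an added example, not Gigamon's code or any product's output: it parses constructed connection records (timestamp, source, destination, port and a service label, loosely modelled on a connection log a network tap would produce), builds an asset map of which hosts serve which services and who talks to whom, then compares a later capture against the baseline. It goes a little beyond the text by also reporting new interactions between known hosts, since a known client reaching a server it never used before is as much a policy question as a brand-new host. The set of clear-text service labels is an assumption for illustration.

```python
"""Asset map from network flow metadata and baseline drift detection.

Added example. Flow records are constructed; a real deployment would ingest
NetFlow/IPFIX or a connection log from a network tap instead of CSV text.
"""
from collections import defaultdict

# Constructed "baseline" capture: the known hosts and their interactions.
BASELINE_FLOWS = """\
ts,src,dst,dport,service
1596700000,10.1.1.20,10.2.0.5,443,tls
1596700010,10.1.1.21,10.2.0.5,443,tls
1596700020,10.1.1.20,10.2.0.9,5432,postgres
1596700030,10.2.0.5,10.2.0.9,5432,postgres
1596700040,10.1.1.22,10.2.0.7,80,http
"""

# Constructed later capture: a new host appears, talks to the database and
# then to a previously unseen telnet service.
CURRENT_FLOWS = """\
ts,src,dst,dport,service
1597200000,10.1.1.20,10.2.0.5,443,tls
1597200010,10.1.1.22,10.2.0.7,80,http
1597200020,10.1.1.21,10.2.0.9,5432,postgres
1597200030,10.1.1.50,10.2.0.9,5432,postgres
1597200040,10.1.1.50,10.2.0.11,23,telnet
"""

# Assumed labels for protocols that carry data (and often credentials) in clear.
CLEARTEXT_SERVICES = {"http", "telnet", "ftp", "smtp", "pop3", "imap"}


def parse_flows(text):
    """Parse CSV flow lines into dicts, skipping the header and blank lines."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def build_asset_map(flows):
    """Return ({host: set of served (port, service)}, set of (client, server, port)).

    A host that only initiates connections is still an asset, so it appears
    with an empty service set.
    """
    services = defaultdict(set)
    edges = set()
    for f in flows:
        services.setdefault(f["src"], set())
        services[f["dst"]].add((int(f["dport"]), f["service"]))
        edges.add((f["src"], f["dst"], int(f["dport"])))
    return dict(services), edges


def drift_report(baseline, current):
    """Compare two asset maps from build_asset_map and report what changed,
    plus every clear-text service still present in the current map."""
    b_services, b_edges = baseline
    c_services, c_edges = current
    new_hosts = sorted(set(c_services) - set(b_services))
    new_services = sorted(
        (host, svc) for host, svcs in c_services.items()
        for svc in svcs - b_services.get(host, set()))
    new_edges = sorted(c_edges - b_edges)
    cleartext = sorted(
        (host, svc) for host, svcs in c_services.items()
        for svc in svcs if svc[1] in CLEARTEXT_SERVICES)
    return {"new_hosts": new_hosts, "new_services": new_services,
            "new_edges": new_edges, "cleartext_services": cleartext}


def run_report():
    """Build both maps from the constructed captures and diff them."""
    baseline = build_asset_map(parse_flows(BASELINE_FLOWS))
    current = build_asset_map(parse_flows(CURRENT_FLOWS))
    return drift_report(baseline, current)


if __name__ == "__main__":
    for key, items in run_report().items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Each line of the report maps to one of the article's points: new hosts and services are candidates for the asset map and need a policy before they are allowed to stay; new edges between known hosts (here a client reaching the database it never used before) are the kind of change that either violates policy or should make the policy evolve; and the clear-text list is the backlog for the "encrypt everything" goal.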

As organizations are forced to pivot rapidly towards a work-from-home paradigm, the need to rapidly scale applications and infrastructure for this new paradigm will continue to put stress on different teams within the organization. Even when the pandemic eventually passes, some of these changes will become permanent. In other words, in many cases there may be no “going back to how it used to be”. Embracing the move to a Zero Trust framework will help ensure that, as organizations transform to a new normal, security continues to keep pace and serves as an umbrella of protection within which agility and innovation can thrive.
