Why zero trust could fail due to lack of understanding, not technology
Article by Forescout senior director of systems engineering for Asia Pacific and Japan, Steve Hunter.
A distributed workforce is likely to become standard practice for many organisations beyond COVID-19. With Australian and New Zealand companies recognising this shift, many are eager to adopt the zero trust security model and its principle of ‘never trust; always verify’; however, the success of zero trust depends on a clear understanding of how and why it works.
The digital workplace has introduced new areas of potential compromise for networks and enterprises. As a result, security architects are being forced to re-examine the concept of identity, with many turning to a zero trust security model to provide a better architecture for protecting their sensitive resources.
However, the push for zero trust is often driven from the top down: while boards and executives are eager to pursue it, many of the cybersecurity professionals who must actually implement it lack the confidence or knowledge to do so successfully.
While the zero trust security model has existed explicitly since Forrester described it in 2010, and has its roots in the Jericho Forum’s discussions on de-perimeterisation from 2004, it was not a concept seeing broad discussion in Australia until recently. Now considered a priority for many organisations, zero trust requires implementors to discard some preconceived notions surrounding cybersecurity models, above all the idea that anything inside the network perimeter can be trusted.
Traditional perimeter-based approaches to cybersecurity are not effective in today’s environment, where organisations operate a hybrid mix of cloud-based and on-premises applications and data and business disruption is at an all-time high. At the same time, many cybersecurity professionals lack a sufficiently thorough understanding of zero trust to confidently implement it in complex IT environments.
Forescout has identified five steps to understanding and successfully implementing zero trust networking for cybersecurity professionals:
1. Identify the total attack surface
Visibility is foundational to being able to manage and control everything on the network. A zero trust approach must initially and continuously discover and classify all entities on the extended enterprise network, not just those that are ‘managed’ or that have endpoint agents installed.
2. Map the data flows
Organisations need to understand how data flows across the extended network and between people, devices and applications.
To effectively understand the data flows, organisations must map the flows to logical, business-relevant groupings of users, devices and applications. Only then can multiple stakeholders, including application developers and business users, apply their expertise to understand what flows should be considered acceptable and which should be investigated further.
3. Construct perimeters and a micro-segmentation strategy
Users can use, abuse, or misuse data. Segmentation requires organisations to define the legitimate transaction paths, that is, which users, devices and applications may reach which resources and over which protocols, so that legitimate data use is explicitly permitted and any transaction outside those paths, where someone may be abusing or misusing data, is denied by default.
Segmentation reduces the potential attack surface by creating perimeters that prevent an attack from affecting the rest of the network—the more granular the segmentation, the smaller the blast radius.
The trade-off is that finer-grained segmentation increases the complexity and cost of designing and operating the policy, so the level of granularity should be chosen deliberately rather than maximised everywhere.
4. Continuously monitor and analyse
In a zero trust environment, organisations must monitor the entire IT environment for signs of malicious activity. Logs and data analytics should be used to inspect all internal and external traffic to look for malicious activity and improvement opportunities across the entire ecosystem.
Finer-grained segmentation also creates more enforcement boundaries at which traffic can be logged, which improves monitoring coverage, provided the resulting log volume can actually be consumed and analysed rather than simply stored.
5. Automate and orchestrate responses
Manual security operations are inefficient and can hinder organisations from detecting and responding to breaches in a timely fashion. This leaves data and systems vulnerable and gives bad actors more time to exfiltrate data, causing significant damage to the environment.
Automation helps control, protect, monitor and remediate the network efficiently, and optimises the organisation’s resource allocation.
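To make the five steps concrete, the following is an added illustration and not Forescout’s code or product logic: a small policy engine that classifies hosts into business-relevant groups (step 2), enforces a default-deny allow-list between groups as a micro-segmentation policy (step 3), records every denied flow as a finding (step 4) and turns findings into automated responses (step 5). The group names, address ranges, ports, flow records and the quarantine threshold are all constructed for the example; a real deployment would derive the inventory from step 1 discovery and the flow records from network telemetry.

```python
"""
Added example of a zero trust segmentation policy engine. All hosts,
groups, ports, flows and response rules below are constructed for
illustration and are not Forescout's inventory or logic.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Steps 1-2: the discovered inventory mapped to business-relevant groups.
# Anything outside these ranges is "unknown": the unmanaged, agentless
# devices that step 1 insists on finding rather than ignoring.
GROUPS = {
    "corp-users": [ip_network("10.10.0.0/16")],
    "app-tier": [ip_network("10.20.1.0/24")],
    "db-tier": [ip_network("10.20.2.0/24")],
    "printers": [ip_network("10.30.0.0/24")],
}


def classify(ip):
    """Return the business group for an address, or 'unknown'."""
    addr = ip_address(ip)
    for group, nets in GROUPS.items():
        if any(addr in net for net in nets):
            return group
    return "unknown"


# Step 3: the legitimate transaction paths as (src_group, dst_group, proto, port).
# Everything not listed is denied by default ("never trust; always verify").
ALLOWED = {
    ("corp-users", "app-tier", "tcp", 443),
    ("app-tier", "db-tier", "tcp", 5432),
    ("corp-users", "printers", "tcp", 9100),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow):
    """Decide allow/deny for one flow and report the groups involved."""
    src_group, dst_group = classify(flow.src), classify(flow.dst)
    key = (src_group, dst_group, flow.proto, flow.dport)
    verdict = "allow" if key in ALLOWED else "deny"
    return verdict, src_group, dst_group


# Step 4: inspect every flow and keep each denial as a finding to investigate.
def monitor(flows):
    findings = []
    for flow in flows:
        verdict, src_group, dst_group = evaluate(flow)
        if verdict == "deny":
            findings.append(
                {"flow": flow, "src_group": src_group, "dst_group": dst_group}
            )
    return findings


# Step 5: orchestrate a response. Assumed playbook: a source with at least
# `threshold` denied flows towards the database tier is quarantined; an
# unknown device is sent for classification; any other source is ticketed.
def respond(findings, threshold=2):
    actions = []
    denied_to_db = Counter(
        f["flow"].src for f in findings if f["dst_group"] == "db-tier"
    )
    quarantined = {src for src, n in denied_to_db.items() if n >= threshold}
    for src in sorted(quarantined):
        actions.append(("quarantine", src))
    handled = set()
    for f in findings:
        src = f["flow"].src
        if src in quarantined or src in handled:
            continue
        handled.add(src)
        kind = "classify" if f["src_group"] == "unknown" else "ticket"
        actions.append((kind, src))
    return actions


# Constructed flow records standing in for network telemetry.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.1.10", "tcp", 443),     # user -> app: allowed
    Flow("10.20.1.10", "10.20.2.5", "tcp", 5432),    # app -> db: allowed
    Flow("10.10.5.7", "10.20.2.5", "tcp", 5432),     # user -> db directly: denied
    Flow("10.10.5.7", "10.20.2.6", "tcp", 5432),     # same user, second db host
    Flow("10.30.0.9", "10.20.2.5", "tcp", 5432),     # printer -> db: denied
    Flow("192.168.77.3", "10.20.1.10", "tcp", 443),  # unknown device -> app
    Flow("10.10.5.8", "10.30.0.9", "tcp", 9100),     # user -> printer: allowed
]


def run(flows=SAMPLE_FLOWS):
    """Monitor the flows and return (findings, response actions)."""
    findings = monitor(flows)
    return findings, respond(findings)


if __name__ == "__main__":
    found, acts = run()
    for f in found:
        print("DENY", f["flow"], f["src_group"], "->", f["dst_group"])
    for act in acts:
        print("ACTION", *act)
```

On the constructed sample the user at 10.10.5.7 reaches the application tier as allowed, but its two direct attempts at the database tier are both denied and trip the quarantine threshold; the printer’s database attempt is ticketed for investigation, and the unrouted 192.168.77.3 host is flagged as unclassified rather than silently dropped. Note that the policy says nothing about hosts or ports inside a group: that is exactly where granularity, and therefore complexity, would grow if the groups were split further.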
A zero trust security model addresses modern security challenges that come with a mobile workforce and cloud migration, by applying the concept of ‘never trust; always verify’.
Zero trust reduces a company’s attack surface by assuming that anything with access to its data is a potential threat, including users, devices, virtual infrastructure and cloud assets, and by segmenting accordingly.
Organisations that genuinely understand how zero trust works will be more likely to reap the significant benefits it offers.