While the approach of Zero Trust may become a reality to some organisations over the course of 2022, for most organisations it will mostly exist as an aspiration. Others will claim success simply by applying a few of the many principles of Zero Trust in practice. That said, it will undoubtedly be a slow journey to get there.
What is Zero Trust and why do we need it?
The theory behind Zero Trust fundamentally changes how we perceive threats. Conventionally, we perceived bad actors as being on the external side of the network (the untrusted side) and viewed everyone sitting on the inside (the trusted side) to be both known and therefore trusted.
In today’s cybersecurity climate, this a dated mindset. Unfortunately, it’s still the status quo for many organisations. This thinking goes back in time to the days where clear perimeters existed, and the only way into the network was through tightly controlled channels. And even those “tightly controlled” channels were not always secure or even the only way in.
See how Skybox Security can help you with Zero Trust
But the model worked to a degree, and defence-in-depth was born. Based on the continuous growth in the number of vulnerabilities and increased sophistication of both hackers and TTP (tactics, techniques and procedures) that we see today in our complex digital ecosystem, clearly something needs to change. Enter Zero Trust.
‘Trustworthy’ users can inadvertently let the bad actors in
Evidence of successful data breaches and cyberattacks has shown us that bad actors can operate from within the network, on the so-called “trusted” side. This design is something that attackers can leverage to their advantage and can often go undetected until it is too late. Often, the so-called “trusted” users are unaware that an attacker may have used their user identity. The actors may be silently in the background relying on users’ privileges to infiltrate and move across the network to access sensitive data and critical systems undetected.
Zero Trust is an approach that flips this on its head. It changes the model to one that applies the “least-privilege” principal by default, categorising all users as automatically untrusted from the outset. Therefore, to access any resource, the user must be identified and authenticated before gaining access and privileges for that application, system or resource.
Government entities increase pressure to adopt Zero Trust principles
Zero Trust is not going away. In fact, government entities are increasing the pressure. For example, the executive order on improving US cybersecurity, issued by the White House in May 2021, made the federal government’s position clear on the need to advance Zero Trust. Just a few months ago, it also announced the federal strategy to move the US government itself towards a Zero Trust architecture.
As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said CISA director Jen Easterly. “Zero trust is a key element of this effort to modernise and strengthen our defences. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.” — Office of management and budget releases federal strategy to move the US government towards a Zero Trust architecture, the White House briefing room, 26 January 2022.
Read our point of view on the Biden executive order
The same goes across Europe where EU organisations are equally being encouraged to adopt Zero Trust principles with the latest revision of the European NIS directive, NIS2.
Concern about maintaining business operations stunts Zero Trust framework adoption
We can’t deny that a methodology designed to establish different levels of trust as additional access and movement is required and is entirely logical. However, implementing a complete Zero Trust model successfully, as it is defined, is largely impractical in the real world and an unrealistic objective for many organisations.
That’s not to say Zero Trust is unrealistic to achieve because it’s flawed or doesn’t work; applying the theory to practice in the real world is just difficult. In the real world, enterprises face many challenges: fragmented infrastructures, legacy systems, bespoke applications, visibility, cloud environments, existing transformation, migrations and more.
Businesses are reluctant to make changes that impact important organisational operations. This impact must be considered when changing how an infrastructure behaves and how users (employees, customers, partners) interact with these services.
When considering operational impact, redefining and redesigning access and privileges is extremely complex. Thus, Zero Trust has often been considered “hype” instead of “reality” due to the difficulty level of implementation.
Zero Trust will become the new best-practice benchmark
Enterprises should look to identify areas of their networks and critical assets where Zero Trust is achievable. They can then apply Zero Trust principles to make solid improvements to increase their security posture efficacy overall. Those that make inroads – even incrementally – will be much more successful in preventing a security breach over the next few years.
Over the next few years, many enterprises will set Zero Trust security objectives in their strategy, with established metrics to evaluate and measure success. The organisations that fail to take this initiative will continue to leave parts of their critical infrastructure open and susceptible to sophisticated attacks, not to mention the steady increase in cost of managing and operating a suboptimal defence strategy over time.
Zero Trust will become the new best practice benchmark, particularly for organisations undertaking cloud transitions and migrations to cloud services. In this case, defining trust models and data access within cloud environments becomes more practical and achievable.
Advance your Zero Trust network strategy with the Skybox Security Posture Management platform
Skybox Security can help you establish and maintain a Zero Trust framework by providing visibility and a continuous understanding of your hybrid networks and the attack surface across all environments. You need to model and analyse your network, cloud and security configurations together. This context helps you make informed decisions about what critical assets to protect with Zero Trust, how to properly design the network environments and what specific policies need to be applied. Once the Zero Trust architecture is established, continuous and adaptive modelling of the hybrid networks is necessary to effectively maintain the Zero Trust posture.
Skybox can help you advance these five key areas of developing and executing a Zero Trust strategy:
1.) Determine where to focus your zero trust efforts. With Skybox, you can aggregate and consolidate data sets that reflect the current configurations of your hybrid infrastructure, all your security controls, and endpoints. You can then identify the critical assets, applications, data repositories and infrastructure that will comprise your Zero Trust zone.
2.) Model your hybrid network. By understanding your network connectivity, combined with your network and security configurations, you will know what you are starting with. Then you can visualise and assess your security efficacy and develop your Zero Trust strategy.
3.) Architect for Zero Trust. Develop and optimise segmentation strategies, as well as configure and optimise your network and security technologies.
4.) Establish and validate Zero Trust policies. With Skybox, you can automatically assess policies for exposure risk and compliance. Validate policies using a network model.
5.) Monitor and maintain. Leverage a network model to continually monitor your hybrid networks. Validate changes before they go live to ensure compliance. Automate change management processes and align with your Zero Trust architecture.
Visit www.skyboxsecurity.com for more information or check out all the recent Skybox Security content on hub.techcentral.co.za/skybox.
- This promoted content was paid for by the party concerned