Data breaches have been a continual presence in the news headlines, and we know how unnerving it is for security teams to see organizations of all shapes, sizes and technical proficiencies being flogged in the media for their security failings.
We’re now in a cyber climate where breaches are an all too common occurrence, and it’s not a matter of if another cyber attack will happen, but when.
It begs the question, are we approaching cyber security in the right way?
The security philosophies of yesteryear are failing to defend against modern cyber threats; the tired ‘castle and moat’ mentality doesn’t hold up in today’s increasingly disparate, cloud-first environment. IDC reports that 73% of organizations have at least one application in the cloud, and the idea of multi-cloud is coming to fruition with 42% of organizations now using multiple cloud vendors.
As well as increased utilization of cloud technologies, changing consumer technologies have necessitated a change in strategy for CISOs. Like with so much technology, the business world often follows in the footsteps of its consumer counterpart. The dominance of Android and iOS devices in the consumer market has led to their gradual adoption in the workplace leading to a more sophisticated mobile business culture. However, at their heart, they are consumer-centric devices that have been adapted for a business context, and that, in itself, brings complexity.
Employees expect to be able to work on the go, on whatever device they want and with an experience akin to the consumer world. It’s no longer acceptable to have to navigate badly designed web services in unresponsive browsers with desperately slow connections, hence the reason why organizations are developing their IT strategies to offer greater mobility without sacrificing productivity.
However, increased mobility brings its complications. The traditional security stack fails to comprehensively protect companies from mobile threats. Unified Endpoint Management (UEM) is a technology that originates from device management and configuration, and that’s where its strengths lie; despite claims, it’s not actually a security technology. UEM provides little to no protection against various network- and endpoint-based threats and lacks insight into usage-based risks.
The prevalence of BYOD strategies adds further complexity as companies need to tread a fine line between protection and Orwellianism. Where does the corporate perimeter really end if personal devices are storing corporate data and accessing company resources? It’s a notion based on a bygone site-centric era that falls flat given modern working practices.
This is why the Zero Trust Security model has started to gain traction.
What is Zero Trust Security?
Zero trust security replaces the tenet of ‘trust but verify’ with ‘never trust, always verify.’ Everyone and everything starts at the same standing when requesting access to corporate resources – “this could be a threat, don’t trust it” – essentially corporate hypochondria.
Traditionally, whatever is within the network or onsite is implicitly trusted – why not? It’s on corporate grounds, everything is vetted, there shouldn’t be any unauthorized personnel or devices – the perfect world scenario. But that’s not the real world. This methodology fails to account for insider threats as well as hackers and cyber attacks that are able to breach the corporate perimeter. Then there’s the issue with how remote access has been traditionally managed.
VPNs have historically been the preferred option for remote access, but despite making use of encryption, it’s a technology that wasn’t developed purposefully for security and consequently has led to a frustrating user experience, particularly on mobile. Employees take their work wherever they go now and expect to be able to log in freely from whatever device is handy; if a VPN connection proves too slow or frequently disconnects, then cloud-centric infrastructures allow users to bypass the VPN and connect directly to the required resource. So although good in theory, if the VPN fails to provide the service expected, it’s effectively redundant.
Just because someone has been authorized access to corporate resources via a VPN, it doesn’t necessarily mean that they are who they say they are. The corporate network has become increasingly porous to accommodate outsourcing and flexible working, but better governance needs to be in place to provide more sophisticated access control rather than the free rein currently granted under VPNs.
With the corporate perimeter dissipating, cloud infrastructures becoming the norm and BYOD programs increasingly adopted, companies need to better understand what endpoints are accessing corporate resources; we can’t implicitly rely on certain criteria as trust indicators. A Zero Trust mentality is required to improve corporate resilience, despite how misanthropic it may sound…
What are the principles of Zero Trust Security?
Zero Trust security isn’t one single technology, it’s a more holistic approach to how security teams can manage corporate assets, for which access control technologies are paramount.
Identity is an important concept in the Zero Trust model. If we can’t accurately identify the user, then everything else is irrelevant. Implicit assumptions can’t be made; just because someone (or something) is accessing corporate resources from a particular location, device or even with verified credentials, it doesn’t mean they should be explicitly trusted. This is where Multi-Factor Authentication (MFA) is key.
The standard username and password protocol is flimsy; a password database alone doesn’t stand a chance against modern CPUs that can spit out 500,000 passwords a second to fuel brute force attacks. Two-factor authentication (2FA) was devised to provide added security. For an effective Zero Trust model, all users, regardless of status, should be verified with robust authentication mechanisms, as even some forms of 2FA can be bypassed.
Role Based Access Control (RBAC)
Once someone’s identity is verified, Zero Trust is about mitigating an organization’s attack surface. Rather than giving users carte blanche access to the network (trust, but verify), access should be restricted to whatever resources and levels of permission are necessary for them to do their jobs. For example, does everyone in the Marketing and Operations teams need administrative or edit permissions for Salesforce? Probably not. Taking this a step further, the network also needs to be divvied up into small, tightly controlled segments to limit unnecessary lateral movement.
Network segmentation is by no means a new concept for IT professionals, who’ve been using VLANs, firewalls, and Network Access Controls to do just this for quite some time. But the way in which networks are segmented is different under the Zero Trust model. Instead of being address-based and grouping assets by location, network access is governed on an identity basis, using tightly defined user profiles. For example, the HR team should only have access to HR resources – the theory is simple.
All traffic, regardless of source, is considered hostile under the Zero Trust model and micro-segmentation is designed to prevent lateral movement once on the network. With more traditional security models, once someone or something has gained access to the network, movement is largely unrestricted. However, in the Zero Trust model, communication between zones is blocked, and access is granted on a ‘least privilege’ basis.
But herein lies the problem. There are some hard and fast rules that can be applied in this more identity-centric model e.g. Marketing does not need access to the backend of an HR system, for obvious reasons. However, there are some applications and resources where the lines become blurred and it is not 100% apparent what access should be given. Then there is the matter of resources. In our hyper consumerized, virtualized environment where employees can easily access a multitude of SaaS cloud applications, profiles need to be continually managed and updated to ensure that employees aren’t inhibited from doing their roles.
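The principles above (verify identity for every request, require MFA regardless of where the request comes from, grant only what a role needs, and deny cross-zone access by default) can be written down as a single default-deny policy decision. The following is an added example, not code from the original post or from any product it mentions; the role-to-resource table, the zone map, and the request fields (identity check, MFA result, device posture, source zone) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed RBAC table (assumption): which resources each role is entitled to.
# Note the post's own example: Marketing and Operations get read access to
# Salesforce, but only a dedicated admin role gets edit rights.
ROLE_RESOURCES = {
    "hr": {"hr-portal", "payroll"},
    "marketing": {"salesforce:read", "cms"},
    "ops": {"salesforce:read", "monitoring"},
    "sales-admin": {"salesforce:read", "salesforce:edit"},
}

# Constructed micro-segmentation map (assumption): each resource lives in one
# zone; anything not listed here is unknown and therefore denied.
RESOURCE_ZONE = {
    "hr-portal": "hr-zone",
    "payroll": "hr-zone",
    "salesforce:read": "crm-zone",
    "salesforce:edit": "crm-zone",
    "cms": "web-zone",
    "monitoring": "ops-zone",
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset            # roles asserted by the identity provider
    resource: str               # what the user is trying to reach
    identity_verified: bool     # credentials validated against the IdP
    mfa_passed: bool            # second factor completed for this session
    device_managed: bool        # device enrolled and compliant (posture check)
    source_zone: str            # where the request originates, e.g. "internet" or "corp-lan"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Default-deny policy decision: every check must pass, in order.

    The source zone is deliberately never consulted for trust. A request from
    the corporate LAN goes through exactly the same gates as one from the
    internet, which is the "all traffic is hostile" stance described above.
    """
    # 1. Identity: nothing is implicitly trusted, so authenticate first.
    if not req.identity_verified:
        return Decision(False, "identity not verified")

    # 2. MFA for everyone, regardless of status or network location.
    if not req.mfa_passed:
        return Decision(False, "MFA required")

    # 3. Device posture: unmanaged or non-compliant devices stop here.
    if not req.device_managed:
        return Decision(False, "device not managed or not compliant")

    # 4. Segmentation: the resource must map to a known zone (default deny).
    zone = RESOURCE_ZONE.get(req.resource)
    if zone is None:
        return Decision(False, f"unknown resource {req.resource!r}")

    # 5. RBAC / least privilege: the union of the user's role entitlements
    #    must include the resource; otherwise the request is refused.
    permitted = set().union(*(ROLE_RESOURCES.get(r, set()) for r in req.roles))
    if req.resource not in permitted:
        return Decision(False, f"roles {sorted(req.roles)} not entitled to {req.resource!r}")

    return Decision(True, f"granted access to {req.resource!r} in {zone}")


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One-line record suitable for forwarding to a SIEM (constructed format)."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} user={req.user} resource={req.resource} "
            f"source_zone={req.source_zone} reason={decision.reason!r}")


if __name__ == "__main__":
    # Constructed sample requests for a stand-alone run.
    samples = [
        AccessRequest("alice", frozenset({"marketing"}), "salesforce:edit", True, True, True, "corp-lan"),
        AccessRequest("bob", frozenset({"sales-admin"}), "salesforce:edit", True, True, True, "internet"),
        AccessRequest("carol", frozenset({"hr"}), "hr-portal", True, False, True, "corp-lan"),
        AccessRequest("dave", frozenset({"hr"}), "payroll", True, True, False, "internet"),
    ]
    for sample in samples:
        print(audit_line(sample, evaluate(sample)))
```

The ordering matters for what an attacker learns from a denial: identity and MFA failures are reported before the engine reveals whether a resource even exists, so an unauthenticated probe cannot enumerate the zone map through error messages.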
Next Steps for Mobile Security
Zero Trust is an ideal, and very few companies are able to demonstrate a conceptually pure Zero Trust model, the most noteworthy being Google BeyondCorp. With legacy systems still at play, it’s nearly impossible for companies to simply flick a switch and have a Zero Trust strategy activated; it requires rigorous planning and adjustment of where we think threats lie. Nonetheless, if companies are going to avoid becoming the next security breach headline, security strategies need to be re-evaluated and perceptions of risk need to evolve. Enterprise mobility has caused the corporate perimeter to become porous, and maintaining the outdated mentality of an inside and an outside will inevitably lead to security problems.