The massive shift to remote work and a continually expanding attack surface has made the concept of perimeter-based security naïve at best and dangerous at worst.
The major trends and factors of the past year include the erosion of barriers between corporate and home offices and the expansion of targets. In today’s work-from-home world, organizations need to find ways to give users secure access to the network and applications so they can do their jobs without compromising security. But strengthening security also can’t result in slowing down users and processes to a crawl.
Cybercriminals have been quick to respond to the fact that the network perimeter expanded so rapidly and dramatically in response to the pandemic, so CISOs can no longer ignore the benefits of the zero-trust model for network security. The zero-trust model moves security away from implied trust that is based on network location. Instead, it focuses on evaluating trust on a per-transaction basis.
Trust-based Security Doesn’t Work Anymore
Over the past year in parallel with the transition to remote work, FortiGuard Labs has seen an uptick in attempts to exploit consumer networking and connected devices. Attackers are taking advantage of security gaps inherent in many of these devices now that they’re effectively part of the corporate perimeter.
Employees working from home could be gaining access to corporate resources from a compromised environment. Because of this expanded attack vector and the fragmented perimeter, and motivated cybercriminals, we’ve seen a rise in cybercrime, including a staggering seven-fold increase in ransomware.
With zero trust, network location or IP address no longer conveys an implication of trust. Zero trust came about because the old network security model of “inside means trusted” and “outside means untrusted” no longer works. The ongoing expansion and erosion of the perimeter underscores the need for a zero trust approach, which extends security monitoring and enforcement to every device, whether it’s trusted or not. An unexpected silver lining to the mass experiment in remote work is that it could signal the end of trust-based security.
Understanding Zero Trust Access
Zero-trust access (ZTA) operates on the assumption that threats both outside and inside the network are an ever-present reality and that potentially every user and device has already been compromised. It also treats every attempt to access the network or an application as a threat. And as a result of these assumptions, network administrators need to redesign their security strategies and solutions to support rigorous, trustless security measures. Zero-trust provides:
• Ongoing verification of users and devices.
• Segmentation of the network to create small zones of control, which helps limit the impact of a breach and establishes more control points.
• Least access privilege for users and devices, so only the access they need to perform their role is granted, which helps to limit the impact of a compromised identity or device.
Creating a Zero-Trust Environment
Setting up ZTA includes establishing pervasive application access controls, strong authentication capabilities, and powerful network access control technologies. Using the zero-trust model for application access or zero-trust network access (ZTNA), makes it possible for organizations to shift away from only relying on traditional virtual private network (VPN) tunnels to secure assets being accessed remotely. A VPN often provides unrestricted access to the network, which can allow compromised users or malware to move laterally across the network seeking resources to exploit.
With ZTNA, access is only granted to network resources on a policy-based, per-session basis to individuals and applications after devices and users have been authenticated and verified. The system applies this policy equally whether users are on or off the network. So you have the same zero trust protections no matter from where a user is connecting.
Secure authentication plays a pivotal role in the implementation of an effective ZTA security policy. Many breaches come from compromised user accounts and passwords. They are then exacerbated by users with inappropriate or excessive levels of access. Adopting the ZTA practice of applying “least access” privileges as part of access management means that if a user account is compromised, cyber adversaries only have access to a restricted subset of corporate assets.
A zero trust approach also empowers organizations to identify and secure unknown IoT endpoints and devices that enter the network. Integrated endpoint visibility, granular control, advanced protection, and policy- and context-based endpoint assessment work together to ensure organizations are protected against compromised devices.
Visibility needs to include every device on the network through the lenses of device identification, profiling, and vulnerability scanning. And tying this analysis with dynamic micro-segmentation enables further control over devices on the network.
Zero Trust for Maximum Security
As a CISO, you need to plan your zero-trust strategy so it includes access controls for the network and applications and authentication capabilities that don’t hamper productivity. By establishing a robust zero-trust access strategy, you can better protect customer data, defend and control access to critical assets, and reduce security complexity.
Peter Newton is the Senior Director at Fortinet