By Kevin Prater, Kovarus, Practice Manager Collaboration / Network / Security
So, in part one of our zero-trust methodology series, we talked about the concept of never trust, always verify. The default behavior is that at every interaction, I distrust. Even if I trusted you 5 minutes ago, I will still take you through a verification process to authenticate you and validate your authorization. We talked about how it can be a business enabler, allowing you to make your security posture more portable and providing security protections no matter where your applications or assets reside.
We left off at why an enterprise would even care. What business benefits does a zero-trust methodology provide? That’s where we’ll begin Part 2: challenges and benefits.
Looking at the industry as a whole, there are a few business challenges that enterprises continually see that we find are pretty common, including:
- Increased / distributed access
- Increase in the attack surface
- Gaps in visibility
In our current pandemic environment, we’re forced to support more and more users, accessing more and more resources, across more (and many times unplanned or unmonitored) connections, from who knows what device. To say it’s a challenge to ensure and manage the identities and authorization of these end users and systems is an extreme understatement.
Of course, the very nature of our environment, forcing a distributed workforce, exponentially increases the potential attack surface that threat actors have to work with. Protecting our user base, their devices, applications, servers and data is of paramount importance.
The last, and certainly not least, big challenge that most organizations find themselves facing is that of visibility; in particular, the lack of visibility. We need real-time data and analytics at our disposal to allow us to identify vulnerabilities and threats and pivot as needed.
Promises of Zero-Trust
Essentially, we’re faced with having a lot of targets with a lot of vulnerable areas of attack and not nearly enough visibility to really know what’s going on or do anything about it if we did. Great. How can zero trust help? For starters, by addressing these and more:
- Greater Visibility = Reduced Risk
One of the biggest vulnerabilities organizations face is not having a solid understanding of their current assets. You need to know what data you have, where it lives and how it’s being used. Does it reside on-premises or in the cloud, is it being accessed by one user or by many users, where do those users reside, is the data being accessed by other applications? Even if you’re able to answer these questions, the changing nature of the environment means that you’ll never have a 100% accurate picture. With a zero-trust model all communications within the network are identified and then by default not trusted unless they’ve been explicitly allowed through verification. An added benefit of leveraging this method is the potential mitigation of things like zero-day threats and new attacks due to unforeseen vulnerabilities.
- Greater Control in the Cloud
As organizations move more of their applications and workloads to the cloud, there’s obviously some concern around the potential loss of visibility and lack of control over those applications. The very nature of a zero-trust model, always blocking and always distrusting everything, allows you to extend tight security controls no matter where your workloads reside.
- Speed and Agility
With zero-trust security, your security protections are implemented close to the workload, meaning that any isolations, blocks and communications are confined to that application or workload alone and not to entire segments of a network.
- Compliance and Audits
Just because your network is compliant with some security standard doesn’t mean that it is secure. A zero-trust methodology enables a heightened security posture by default, helping alleviate some of the compliance and auditing burdens our security teams are faced with. Auditors are left with clear visibility into how your specific applications are communicating with each other and accessing data within your network, leaving no ambiguity as to what’s going on inside your network.
Where to Start
Again, we really need a solid understanding of what you’ve got going on in your environment. What systems, applications and data are in play? We need a full inventory of what you have within your organization that needs to be protected. Once identified, we then need to understand how those pieces work together. How do those applications interact with each other, and what do traffic flows and traffic patterns look like?
These are the types of information security consultants will need to start discovering and gathering as you work together to build a zero-trust architecture. Key steps in the process include:
- Identifying Assets — You’ve got to know what you’re dealing with in your environment, so we’re talking applications, workloads, servers, datastores, anything that you would classify as an asset needing protection.
- Know Your Flows — Start by talking to your stakeholders and lines-of-business leaders. Understand not only what applications they’re using but how they’re using them. Then we can start to put together a map of users to applications to data stores, etc., establishing a good workflow picture.
- CYA — Cover Your Assets — Understanding your environment, we can now start determining what needs to be protected and what those protections should look like. We can start designing policies to enforce these measures.
- Adapt and Overcome — Mike Tyson said it best, “Everybody has a plan until they get punched in the mouth.” Security threats are continually evolving and so must your security environment. Keep a vigilant eye on your environment through continuous monitoring of your infrastructure and application flows, including north-south traffic and east-west traffic. And whenever possible, remove the human factor — automate. The most effective zero-trust networking architecture is one in which the policies and processes are automated and can easily be adapted and changed as new threats mandate.
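The four steps above, carried through on a small constructed environment, show how an inventory and a set of confirmed flows become a default-deny policy that monitoring can then check observed traffic against. This is an added example, not code from Kovarus; every asset name, port and flow in it is invented for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

# Step 1, Identifying Assets: constructed sample inventory.
ASSETS = {"laptop-pool", "hr-portal", "payroll-api", "hr-db"}

# Step 2, Know Your Flows: flows the business owners confirmed (constructed).
CONFIRMED_FLOWS = [
    Flow("laptop-pool", "hr-portal", 443),
    Flow("hr-portal", "hr-db", 5432),
    Flow("payroll-api", "hr-db", 5432),
]

def build_policy(assets, confirmed):
    """Step 3: confirmed flows become an explicit allow-list; nothing else is allowed."""
    unknown = [f for f in confirmed if f.src not in assets or f.dst not in assets]
    if unknown:
        # A rule for an asset nobody inventoried means step 1 is incomplete.
        raise ValueError(f"flows reference assets missing from inventory: {unknown}")
    return frozenset(confirmed)

def evaluate(flow, assets, policy):
    """Decide a single observed flow. The default answer is deny."""
    if flow.src not in assets or flow.dst not in assets:
        return "deny:unknown-asset"
    return "allow" if flow in policy else "deny:no-rule"

def review(observed, assets, policy):
    """Step 4: return denied flows (to investigate) and unused rules (to retire)."""
    denied = {}
    for f in observed:
        verdict = evaluate(f, assets, policy)
        if verdict != "allow":
            denied[f] = verdict
    unused = sorted(policy - set(observed))
    return denied, unused

# Constructed sample of monitored traffic, including east-west flows.
OBSERVED = [
    Flow("laptop-pool", "hr-portal", 443),
    Flow("hr-portal", "hr-db", 5432),
    Flow("laptop-pool", "hr-db", 5432),  # direct path to the datastore, never confirmed
    Flow("build-agent", "hr-db", 5432),  # source is not in the inventory at all
]

if __name__ == "__main__":
    denied, unused = review(OBSERVED, ASSETS, build_policy(ASSETS, CONFIRMED_FLOWS))
    print("denied:", denied)
    print("unused rules:", unused)
```

The unused-rule list matters as much as the denials: a confirmed flow that never appears in monitoring is an allowance that can be removed, which keeps the policy matched to how the environment actually behaves.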
Let’s continue the conversation! Connect with me via email or Webex Teams! You can find me at firstname.lastname@example.org.