Four steps to Zero Trust network security - AlgoSec
While enterprise security incidents have almost halved since 2016, the cost per incident has risen by nearly 60%, according to the 2018 Global State of Information Security Survey.
With attacks and breaches getting more damaging and costly than ever before, it's no surprise that CISOs are exploring new security strategies to enhance their security postures and better protect their assets.
The concept of Zero Trust – of not trusting anything either inside or outside the enterprise network and verifying everything that connects to it – is the leading security approach currently being researched and evaluated by enterprises.
The idea was pioneered by Forrester Research created it in 2010.
But its core principles reflect the reality of today's complex, heterogeneous enterprise network environments.
These comprise a mix of multiple public clouds, SDN deployments and traditional on-premise networks, which makes it difficult to maintain a traditional reinforced network perimeter.
The Zero Trust model recognises this and recommends creating micro-perimeters of control around each of an organisation's key business assets to increase network security.
This approach of ‘close protection', supported by automation and analytics to improve threat detection and response, helps to ensure that organisations don't fall victim to basic attacks, or fail to discover a breach for months or even years.
But how should CISOs go about applying best-practice guidance on Zero Trust on their own enterprise networks?
Here are the challenges they will face in implementing four key components of a Zero Trust framework – network visibility, automation, segmentation and compliance – and how these can be addressed.
The foundation of Zero Trust is visibility.
As Forrester's guidance states, you can't protect what you can't see.
Visibility helps CISOs to develop their organisation's strategy, enabling them to see where their most sensitive business assets are, who is using them, the connectivity flows that applications need to function, what is protecting them, and where potential security risks lie.
But getting that network-wide visibility is a huge challenge in today's hybrid environments, which consist of on-premise data centers, SDN deployments and public clouds, and a range of security controls.
While a given vendor may offer a tool that gives visibility into its specific part of the network estate, it will not give oversight of the entire infrastructure.
And using multiple tools to try and achieve visibility just adds unnecessary complexity and duplication.
The next challenge is implementing and maintaining the Zero Trust approach on the network.
This demands constant changes to configurations and security policies, because the needs of the business are constantly shifting.
The volume of changes required is virtually impossible for IT and security teams to handle manually: a single application change request can often take more than 8 hours to complete.
Manual processes are also prone to simple human errors, which can have catastrophic consequences.
An AlgoSec study found that 20% of organisations had a security breach, 48% an application outage, and 42% a network outage caused by mistakes during a manual security change process.
So automation of change processes is essential for Zero Trust network security.
Segmenting for security
Zero Trust guidance recommends designing security from the inside out, to place security and access controls as close as possible to the assets you want to protect.
But when devising the microsegmentation scheme for your network, deciding where to place the borders between segments isn't easy.
You need to know exactly how the positioning of each microperimeter will affect critical business applications.
Also, setting up the segmentation scheme is not a one-time-only activity; it will be an ongoing process that will change as the business applications change, with many more security controls to manage in order to enforce the segmentation.
To meet these challenges, the network-wide visibility and automation described above is a prerequisite.
One of the key rewards of a Zero Trust network security approach is that it makes meeting compliance requirements far easier.
An effective segmentation scheme can reduce the extent of compliance initiatives because some regulations (such as PCI-DSS) only have certain data types in scope.
And when properly implemented across networks, Zero Trust exceeds the security prescribed by compliance directives.
But as touched on above, you will have many more firewalls and gateways to manage.
This makes audit preparation and documentation across those extra controls more time-consuming and costly if done manually – diverting resources away from more strategic initiatives.
Meeting the Zero Trust challenge
To meet the challenges of these four key Zero Trust framework components, what's needed is an automated management solution with four key capabilities:
- Visualising all of the firewalls and security controls across the entire network estate, and the rules, policies and connectivity maps supporting each business application, in a single pane of glass.
- Managing all security controls holistically using common syntax and logic, and automating security policy changes consistently across those controls.
- Managing complex, large-scale segmentation schemes, enabling security teams to plan changes and perform ‘what if' dry runs to eliminate the risks of causing inadvertent outages. If no issues are identified, the changes can be rolled out across all the relevant security controls and devices with zero-touch – saving significant time, effort, and preventing damaging misconfigurations.
- Automatically tracking and documenting all processes and changes, proactively assessing risk and providing pre-formatted audit reports, to minimise audit preparation time and helping to ensure continuous compliance is maintained.
With the right solution, CISOs can architect their Zero Trust network security model based on their organisation's unique needs and ensure their critical applications and data assets are continuously protected.
This makes it easier to deploy and secure new operational initiatives and models, supporting business agility without introducing risk, and giving a trusted foundation for Zero Trust network security.