
Four steps to Zero Trust network security - AlgoSec

13 May 2019

Article by AlgoSec CMO Jeffrey Starr

While enterprise security incidents have almost halved since 2016, the cost per incident has risen by nearly 60%, according to the 2018 Global State of Information Security Survey. 

With attacks and breaches getting more damaging and costly than ever before, it’s no surprise that CISOs are exploring new security strategies to enhance their security postures and better protect their assets.  

The concept of Zero Trust – of not trusting anything either inside or outside the enterprise network and verifying everything that connects to it – is the leading security approach currently being researched and evaluated by enterprises.

The idea was pioneered by Forrester Research in 2010.

But its core principles reflect the reality of today’s complex, heterogeneous enterprise network environments.

These comprise a mix of multiple public clouds, SDN deployments and traditional on-premise networks, which makes it difficult to maintain a traditional reinforced network perimeter.

The Zero Trust model recognises this and recommends creating micro-perimeters of control around each of an organisation’s key business assets to increase network security.

This approach of ‘close protection’, supported by automation and analytics to improve threat detection and response, helps to ensure that organisations don’t fall victim to basic attacks, or fail to discover a breach for months or even years. 

But how should CISOs go about applying best-practice guidance on Zero Trust on their own enterprise networks? 

Here are the challenges they will face in implementing four key components of a Zero Trust framework – network visibility, automation, segmentation and compliance – and how these can be addressed.

End-to-end visibility

The foundation of Zero Trust is visibility.

As Forrester’s guidance states, you can’t protect what you can’t see.

Visibility helps CISOs to develop their organisation’s strategy, enabling them to see where their most sensitive business assets are, who is using them, the connectivity flows that applications need to function, what is protecting them, and where potential security risks lie. 

But getting that network-wide visibility is a huge challenge in today’s hybrid environments, which consist of on-premise data centers, SDN deployments and public clouds, and a range of security controls.

While a given vendor may offer a tool that gives visibility into its specific part of the network estate, it will not give oversight of the entire infrastructure. 

And using multiple tools to try to achieve visibility just adds unnecessary complexity and duplication.

Automating changes

The next challenge is implementing and maintaining the Zero Trust approach on the network.

This demands constant changes to configurations and security policies, because the needs of the business are constantly shifting.

The volume of changes required is virtually impossible for IT and security teams to handle manually: a single application change request can often take more than 8 hours to complete.

Manual processes are also prone to simple human errors, which can have catastrophic consequences.

An AlgoSec study found that 20% of organisations had a security breach, 48% an application outage, and 42% a network outage caused by mistakes during a manual security change process.

So automation of change processes is essential for Zero Trust network security.

Segmenting for security

Zero Trust guidance recommends designing security from the inside out, to place security and access controls as close as possible to the assets you want to protect.

But when devising the microsegmentation scheme for your network, deciding where to place the borders between segments isn’t easy. 

You need to know exactly how the positioning of each microperimeter will affect critical business applications.

Also, setting up the segmentation scheme is not a one-time-only activity; it will be an ongoing process that will change as the business applications change, with many more security controls to manage in order to enforce the segmentation. 

To meet these challenges, the network-wide visibility and automation described above are prerequisites.

Compliance matters

One of the key rewards of a Zero Trust network security approach is that it makes meeting compliance requirements far easier. 

An effective segmentation scheme can reduce the extent of compliance initiatives because some regulations (such as PCI-DSS) only have certain data types in scope.

And when properly implemented across networks, Zero Trust exceeds the security prescribed by compliance directives.

But as touched on above, you will have many more firewalls and gateways to manage. 

This makes audit preparation and documentation across those extra controls more time-consuming and costly if done manually – diverting resources away from more strategic initiatives. 

Meeting the Zero Trust challenge

To meet the challenges of these four key Zero Trust framework components, what’s needed is an automated management solution with four key capabilities:

  1. Visualising all of the firewalls and security controls across the entire network estate, and the rules, policies and connectivity maps supporting each business application, in a single pane of glass.
     
  2. Managing all security controls holistically using common syntax and logic, and automating security policy changes consistently across those controls. 
     
  3. Managing complex, large-scale segmentation schemes, enabling security teams to plan changes and perform ‘what if’ dry runs to eliminate the risks of causing inadvertent outages. If no issues are identified, the changes can be rolled out across all the relevant security controls and devices with zero-touch – saving significant time, effort, and preventing damaging misconfigurations.
     
  4. Automatically tracking and documenting all processes and changes, proactively assessing risk and providing pre-formatted audit reports, to minimise audit preparation time and help ensure that continuous compliance is maintained.
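The ‘what if’ dry run in item 3, and the segmentation question raised earlier (how a proposed microperimeter affects each application's required flows), can be illustrated with a small policy simulator. This is an added example written for this article, not AlgoSec's product or code; the segments, addresses, rules and application flows are constructed, and the policy is assumed to use first-match semantics with an implicit deny at the end.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # source segment as CIDR
    dst: str      # destination segment as CIDR
    port: int     # 0 means any port
    action: str   # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    app: str      # business application that needs this connectivity
    src_ip: str
    dst_ip: str
    port: int

def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and rule.port in (0, flow.port))

def evaluate(policy: list[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied (assumed semantics)."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"

def dry_run(current: list[Rule], proposed: list[Rule], flows: list[Flow]) -> list[Flow]:
    """Flows that work today but would break under the proposed segmentation scheme."""
    return [f for f in flows
            if evaluate(current, f) == "allow" and evaluate(proposed, f) == "deny"]

# Constructed sample: web 10.1.0.0/24, app 10.2.0.0/24, db 10.3.0.0/24, PCI db 10.4.0.0/24
FLOWS = [
    Flow("payments", "10.1.0.10", "10.2.0.10", 8443),
    Flow("payments", "10.2.0.10", "10.4.0.10", 5432),   # app tier to the PCI database
    Flow("hr",       "10.2.0.20", "10.3.0.10", 3306),
]
CURRENT = [Rule("0.0.0.0/0", "0.0.0.0/0", 0, "allow")]   # flat network, no segmentation
PROPOSED = [                                            # first draft of the microperimeters
    Rule("10.1.0.0/24", "10.2.0.0/24", 8443, "allow"),
    Rule("10.2.0.0/24", "10.3.0.0/24", 3306, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]
# The dry run shows the draft forgot the payments flow into the PCI segment.
FIXED = [Rule("10.2.0.0/24", "10.4.0.0/24", 5432, "allow")] + PROPOSED
```

Running `dry_run(CURRENT, PROPOSED, FLOWS)` reports the app-to-PCI-database flow as the one outage the draft would cause, while `dry_run(CURRENT, FIXED, FLOWS)` is empty, so only the corrected scheme is safe to roll out.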

With the right solution, CISOs can architect their Zero Trust network security model based on their organisation’s unique needs and ensure their critical applications and data assets are continuously protected.

This makes it easier to deploy and secure new operational initiatives and models, supporting business agility without introducing risk, and giving a trusted foundation for Zero Trust network security.
