Zero-Trust: A New Security Paradigm

How times have changed.

Not long ago, security teams had things easy.

Their primary task was straightforward: securing the perimeter of the corporate environment.

Of course, in the days before BYOD and remote working, the corporate environment primarily consisted of an internal network of on-premises systems.

Once the internal network’s perimeter was secured, it was job done. Security teams could simply sit back and monitor everything going in or out. This was known as the ‘castle and moat’ approach to security.

However, all that began to change with the advent of BYOD and remote working, a trend that’s grown exponentially since COVID-19.

Security teams can no longer rest on the assumption that everything inside the security perimeter can be trusted.

With organisations now enabling employees to access systems and data in a variety of ways, irrespective of location, the corporate network has been expanded in ways unforeseen just a few years ago.

Valuable data is continuously being transferred between a range of systems including SaaS applications, IaaS applications, on-premises and cloud-based data centres, as well as a plethora of devices that are supplied by the company or by individual employees.

All this opens up a range of opportunities for cyber-criminals to breach your systems and compromise your data.

With more entry points than ever before, attackers have a multitude of opportunities to gain entry to your systems. They may collect huge amounts of highly valuable data before your security team can identify and stop them.

Zero-Trust is a new security paradigm that aims to boost your security in this new environment.


How does Zero-Trust work?

Traditionally, a remote user, such as an employee, would gain access to the internal network via a VPN. When connecting to the VPN, the user would need to authenticate, either with a username and password or, preferably, via multi-factor authentication.

Once the user had been authenticated by the VPN, they would be granted access to the internal network’s systems. However, there would be no subsequent authentications on a user seeking to move laterally between various systems within the network.

In effect, if an attacker managed to authenticate at the VPN stage, they could have free rein to access all the corporate systems. This could pave the way for an attacker to cause untold damage.

Furthermore, this traditional model only regulated access to the internal network; it did not regulate access to cloud-based applications, which many organisations now regularly use to store valuable data.

However, adopting a Zero-Trust model offers significant security enhancements.

When a user wishes to access any system, be it on the internal network or the cloud, they will firstly go through a proxy (step 1), which then sends them to the single sign-on gateway to be authenticated (step 2).

If the user is wishing to access a cloud-based application, they will be sent directly to the cloud, without passing through the internal network (step 3).

If the user wishes to access a system on the internal network, they will be sent back to the proxy (step 2 reversed), with the proxy then tunneling them to the specific system (step 4).

The benefit of this flow is that the user doesn’t require separate authentication credentials for each individual cloud application and network system. Their privileges can remain consistent across a range of systems. This makes remote working much more straightforward for employees.

Importantly, from a security perspective, there are two main benefits of this Zero-Trust model:

  1. Privileges on all systems, be they in the cloud or on the network, can be centrally determined and managed by your security team;
  2. None of the systems on the internal network will allow access to anyone who has not been sent directly from the proxy. In other words, lateral movement between systems will be restricted. In the event an attacker gains access to one system on the internal network, they will not be able to move to other systems to cause even more damage.
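The proxy and single sign-on flow described above, with the two security benefits, as an added example in Python (not code from the original article or from Shearwater). Every request enters through a proxy, the SSO gateway authenticates the user with MFA, cloud applications are reached directly, internal systems are reached only through a proxy tunnel, and an internal system refuses any connection that did not come from the proxy. The application catalogue, user names and application names are constructed sample data.

```python
"""Simulation of the proxy / single sign-on Zero-Trust access flow (added example)."""
from dataclasses import dataclass

# Constructed sample catalogue: where each application lives and who may use it.
# This is the single place where the security team sets privileges for both
# cloud and internal systems (benefit 1: central policy).
APPLICATIONS = {
    "crm":     {"location": "cloud",    "allowed_users": {"alice", "bob"}},
    "payroll": {"location": "internal", "allowed_users": {"alice"}},
    "wiki":    {"location": "internal", "allowed_users": {"alice", "bob"}},
}

# Constructed sample identity store known to the SSO gateway.
KNOWN_USERS = {"alice", "bob"}


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    mfa_passed: bool   # outcome of the multi-factor challenge at the SSO gateway


@dataclass(frozen=True)
class Decision:
    allowed: bool
    route: str         # "cloud", "tunnel" or "none"
    detail: str


class InternalSystem:
    """An internal system that accepts a connection only when the proxy tunnels it.

    This is benefit 2: a foothold on one internal system cannot be used to connect
    directly to another, because the other system refuses non-proxy sources.
    """

    def __init__(self, name: str):
        self.name = name

    def connect(self, source: str) -> Decision:
        if source != "proxy":
            return Decision(False, "none",
                            f"{self.name} refused direct connection from {source}")
        return Decision(True, "tunnel", f"{self.name} reached through proxy tunnel")


def sso_authenticate(req: Request) -> bool:
    """Step 2: the single sign-on gateway authenticates the user, MFA included."""
    return req.user in KNOWN_USERS and req.mfa_passed


def authorise(req: Request) -> bool:
    """Central policy lookup: is this user permitted on this application at all?"""
    app = APPLICATIONS.get(req.app)
    return app is not None and req.user in app["allowed_users"]


def proxy(req: Request) -> Decision:
    """Step 1: every request, cloud or internal, enters through the proxy."""
    if not sso_authenticate(req):
        return Decision(False, "none", "authentication failed at SSO gateway")
    if not authorise(req):
        return Decision(False, "none", f"{req.user} is not permitted on {req.app}")
    if APPLICATIONS[req.app]["location"] == "cloud":
        # Step 3: cloud applications are reached without touching the internal network.
        return Decision(True, "cloud", f"{req.app} forwarded directly to the cloud")
    # Step 4: the proxy tunnels the user to the specific internal system.
    return InternalSystem(req.app).connect("proxy")


if __name__ == "__main__":
    for r in (Request("alice", "crm", True), Request("alice", "payroll", True),
              Request("bob", "payroll", True), Request("alice", "payroll", False)):
        print(r.user, r.app, proxy(r))
    # A compromised "wiki" host trying to reach "payroll" directly is refused.
    print(InternalSystem("payroll").connect("wiki"))
```

The point to notice is that `InternalSystem.connect` is the only place that enforces benefit 2; in a real deployment that check is a network control (the system accepts connections from the proxy's address only), and the proxy is the only component that needs to know the policy.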


Applying a Zero-Trust Model

At its heart, the Zero-Trust model mandates that no user, device or application, should have trust by default, even within the perimeter.

This is a paradigm shift for security thinking.

Unlike a traditional validation model, in which a user was validated once upon entering the perimeter, Zero-Trust recognises that a single check is no longer adequate. Not only may a user’s credentials have been compromised, but the traditional model also could not differentiate the privileges a particular user or device should have on particular systems within the network, nor align easily with cloud-based systems.

Rather than treating things inside the network as ‘safe’ and giving them additional privileges, Zero-Trust rests on three core pillars:

  1. Identifying users more rigorously using Multi-Factor Authentication, rather than simply relying on a username and a password.
  2. Identifying the devices being used to access systems and checking whether they are trusted (i.e. approved corporate or personal devices).
  3. Conducting these checks at the individual application level, rather than at the network perimeter.

Importantly, if a user or device has access to one application on the network, and then wishes to move laterally to another application on the network, they would need to be re-validated. By restricting lateral movement between systems in this way, you can be confident that any breach will be contained and the damage will be limited.

The Zero-Trust model also allows you to grant specific privileges to specific users and specific devices before conducting specific actions. For example, a particular user or device may be granted ‘read-only’ privileges on one system, but higher level ‘write’ privileges on another system.
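The three pillars and the per-system privilege example above, as an added Python example (not code from the original article or from Shearwater). Each request is evaluated for one application at a time: the user must have passed MFA, the device must be in the trusted inventory and of a class the application accepts, and the user's privilege on that application decides whether a write is allowed. A successful evaluation mints a grant bound to that single application, so using it against a different application fails and forces re-validation. The device inventory, per-application policy, user names and application names are constructed sample data.

```python
"""Per-application policy evaluation for the three Zero-Trust pillars (added example)."""
from dataclasses import dataclass
import secrets

# Constructed sample device inventory: device id -> trust class (pillar 2).
TRUSTED_DEVICES = {
    "laptop-0042": "corporate",
    "phone-0077": "personal-approved",
}

# Constructed per-application policy (pillar 3): which device classes may reach the
# application and what privilege each user holds on it. Note alice is 'write' on
# payroll but only 'read' on the wiki, matching the article's read-only/write example.
POLICY = {
    "payroll": {"devices": {"corporate"},
                "privileges": {"alice": "write", "carol": "read"}},
    "wiki":    {"devices": {"corporate", "personal-approved"},
                "privileges": {"alice": "read", "carol": "write"}},
}


@dataclass(frozen=True)
class AccessContext:
    """What the gateway knows about the requester at evaluation time."""
    user: str
    device_id: str
    mfa_verified: bool   # pillar 1: a username and password alone never suffice


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    privilege: str


# Issued grants, keyed by an opaque token. Each grant is valid for exactly one application.
ISSUED = {}


def evaluate(ctx: AccessContext, app: str, action: str):
    """Decide one (user, device, application, action) request.

    Returns (allowed, detail); detail is the privilege level on success or the
    reason for refusal otherwise. Checks are ordered so the cheapest failures
    are reported first.
    """
    if not ctx.mfa_verified:
        return False, "mfa required"
    device_class = TRUSTED_DEVICES.get(ctx.device_id)
    if device_class is None:
        return False, "unknown device"
    policy = POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if device_class not in policy["devices"]:
        return False, f"device class {device_class} not permitted for {app}"
    privilege = policy["privileges"].get(ctx.user)
    if privilege is None:
        return False, "user not permitted"
    if action == "write" and privilege != "write":
        return False, "read-only privilege"
    return True, privilege


def issue_grant(ctx: AccessContext, app: str, action: str):
    """Run the checks and, on success, mint a token bound to that single application."""
    allowed, detail = evaluate(ctx, app, action)
    if not allowed:
        return None
    token = secrets.token_urlsafe(16)
    ISSUED[token] = Grant(ctx.user, app, detail)
    return token


def use_grant(token: str, app: str, action: str):
    """Present a grant to an application. A grant for one application never
    carries over to another: lateral use is refused and the user must re-validate."""
    grant = ISSUED.get(token)
    if grant is None:
        return False, "unknown token"
    if grant.app != app:
        return False, f"grant is bound to {grant.app}; re-validate for {app}"
    if action == "write" and grant.privilege != "write":
        return False, "read-only privilege"
    return True, grant.privilege


if __name__ == "__main__":
    alice_laptop = AccessContext("alice", "laptop-0042", True)
    print(evaluate(alice_laptop, "payroll", "write"))        # (True, 'write')
    print(evaluate(alice_laptop, "wiki", "write"))           # (False, 'read-only privilege')
    tok = issue_grant(alice_laptop, "payroll", "read")
    print(use_grant(tok, "payroll", "read"))                 # (True, 'write')
    print(use_grant(tok, "wiki", "read"))                    # (False, 'grant is bound to payroll; ...')
```

Because the privilege is resolved per application rather than once at the perimeter, the same person on the same device legitimately gets different answers for payroll and the wiki, and a personal device that is fine for the wiki is turned away from payroll without any change to the user's identity checks.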

The model also gives organisations greater visibility and control over their cloud-based applications.


What are the 5 Essential Elements of Zero-Trust?

These are the five essential elements to consider when establishing a Zero-Trust model:

1) Networks

The Zero-Trust principle shifts the focus from reducing your attack surface to identifying the assets that matter most and protecting them directly. Segmentation is critical. Once you identify your most valuable assets, applying microsegments around them creates a series of barriers that block unauthorised lateral movement. A user then cannot move laterally between segments, which limits the damage in the event the perimeter is breached.

2) Applications

Applications, whether on your network or in the cloud, should have access rights and privileges that can be controlled by your security team. These should be managed according to the specific needs of individual users and/or devices. Don’t assume that once a user is on the network, they should have lateral access to all applications. Applications, particularly those in the cloud, are attractive targets to attackers. You need to ensure you have full visibility and control over who is accessing them and what they can do once they have access.


3) Data

Zero-Trust is all about protecting your valuable data. As data is increasingly shared between users, devices and applications across your network and on the cloud, it can be more vulnerable to breaches. Zero-Trust helps you ensure that data is segmented and access, particularly to highly-valuable data, is restricted by both user and device.


4) People

Usernames and passwords don’t offer sufficient protection anymore, as evidenced by the volume of breaches that occur with these credentials. It is essential that stronger methods, such as Multi-Factor Authentication, be implemented to strengthen identity verification. The single sign-on gateway and MFA are integral to the Zero-Trust model.

5) Devices

Don’t just validate users. You should also be validating devices. Every device connected to your network can be compromised, particularly now that BYOD has become common practice. In the event a device is compromised, Zero-Trust ensures it cannot be used to gain access to your network and move laterally between applications. This gives your security team more time to identify and block the intrusion.

How Shearwater Can Help

Speak to Shearwater for expert advice on how you can implement a Zero-Trust security model for your organisation.

At times of heightened concern surrounding cyber-intrusions and data breaches, you need to ensure you have the right systems and policies in place to safeguard your most valuable assets.

Our team of experts understands the risks and the methodologies you need to keep one step ahead of the attackers.

Call us today for a no-obligation consultation.