We know that attackers are constantly looking for weaknesses to exploit — and with cloud and hosted services, these weak points can lie outside your network perimeter.
Couple this complexity with the vast attack vectors presented by the internet and hyper-connectivity, and the security challenge expands further.
Increasingly, organisations are taking a zero-trust approach, focusing on where the gaps are and how people might exploit them. In a zero-trust environment you assume that all application access is potentially malicious or undesirable. Instead of trying to police all the borders and paths across your network, you create islands of applications and data that you can protect in a much more focused way.
Zero-trust uses far more attributes to control access than standard strategies. It goes beyond simple criteria such as source IP address or username to answer questions such as: who is accessing your data? Where are they coming from? What applications do they want to use and when do they want to access them? How do they want to connect to the applications?
A zero-trust mindset means you can segment and control applications in a way that provides only the functionality that’s needed, efficiently and securely.
From free movement to zero trust
In recent years many organisations have looked to remove complexity from their infrastructure by flattening their networks and removing policy enforcement controls in favour of simplification and agility. The increasingly porous nature of the borders that most organisations now have and the proliferation of IT within every business process create a situation that’s difficult to secure.
A large, flat network, containing very few barriers is an easy cyber target. Malware or an attacker can move around an organisation rapidly and with very little chance of detection or prevention, as we saw in the WannaCry and NotPetya ransomware incidents of 2017.
The zero-trust approach is a way of balancing a robust security stance with the simplification of your architecture. By increasing the control and inspection that surrounds your applications and data you can boost the number of attributes your controls consider when deciding access. This includes tighter regulation of what each user can do and a more robust approach to an individual’s access rights and privileges, especially those of third parties and suppliers.
The starting point for improving your access validation in support of a zero-trust mindset is putting good first principle hygiene controls in place. These will allow you to build up a picture of the roles and situations that need access to your applications so you can implement least privileged access rights. From here, you should focus on creating a highly accurate Active Directory. This will support you in applying an effective Identity and Access Management strategy and intelligence support into the control and inspections points that protect and segment your applications.
Start small for low-risk learning
We advise starting small when it comes to adopting a zero-trust approach, making the move to zero-trust a multi-phase, multi-year project. Too often, large, established organisations begin with a substantial and complex application, then struggle to achieve the necessary level of visibility around how it’s used. By starting with a smaller, less complex application or a well known and understood service, you can learn in a way that doesn’t impact the business but still provides repeatable and reusable controls and experience.
Migrating email to Microsoft Office 365 is an example of a strong starting point. A major UK public sector client successfully began implementing a zero-trust model in this way — taking a discreet application (email) and migrating it to a segmented island in the cloud. We worked with partners to provide the necessary communication, monitoring and visibility to deal with employees’ personal access devices and the infrastructure they used that sat outside the infrastructure controlled by the organisation.
CIO and CISO collaboration is essential to zero-trust success
As the reach of IT extends, and visibility and control become more limited, CIOs and CISOs need to unite to defend their organisations. IT security has shot up the list of priorities for most business leaders, making security threats a significant consideration in many board-level risk models.
The zero-trust approach to enterprise architecture requires ongoing effort from both departments. By working together to create a more effective, strategic and focused approach, they can minimise data breaches and improve the organisation’s ability to contain and defend against cyber threats.
Find out more about your strategic options for protecting your critical assets.