
Four steps to Zero Trust network security - AlgoSec

13 May 2019

Article by AlgoSec CMO Jeffrey Starr

While enterprise security incidents have almost halved since 2016, the cost per incident has risen by nearly 60%, according to the 2018 Global State of Information Security Survey. 

With attacks and breaches getting more damaging and costly than ever before, it’s no surprise that CISOs are exploring new security strategies to enhance their security postures and better protect their assets.  

The concept of Zero Trust – of not trusting anything either inside or outside the enterprise network and verifying everything that connects to it – is the leading security approach currently being researched and evaluated by enterprises.

The idea was pioneered by Forrester Research in 2010.

But its core principles reflect the reality of today’s complex, heterogeneous enterprise network environments.

These comprise a mix of multiple public clouds, SDN deployments and traditional on-premise networks, which makes it difficult to maintain a traditional reinforced network perimeter.

The Zero Trust model recognises this and recommends creating micro-perimeters of control around each of an organisation’s key business assets to increase network security.

This approach of ‘close protection’, supported by automation and analytics to improve threat detection and response, helps to ensure that organisations don’t fall victim to basic attacks, or fail to discover a breach for months or even years. 

But how should CISOs go about applying best-practice guidance on Zero Trust on their own enterprise networks? 

Here are the challenges they will face in implementing four key components of a Zero Trust framework – network visibility, automation, segmentation and compliance – and how these can be addressed.

End-to-end visibility

The foundation of Zero Trust is visibility.

As Forrester’s guidance states, you can’t protect what you can’t see.

Visibility helps CISOs to develop their organisation’s strategy, enabling them to see where their most sensitive business assets are, who is using them, the connectivity flows that applications need to function, what is protecting them, and where potential security risks lie. 

But getting that network-wide visibility is a huge challenge in today’s hybrid environments, which consist of on-premise data centers, SDN deployments and public clouds, and a range of security controls.

While a given vendor may offer a tool that gives visibility into its specific part of the network estate, it will not give oversight of the entire infrastructure. 

And using multiple tools to try and achieve visibility just adds unnecessary complexity and duplication.

Automating changes

The next challenge is implementing and maintaining the Zero Trust approach on the network.

This demands constant changes to configurations and security policies, because the needs of the business are constantly shifting.

The volume of changes required is virtually impossible for IT and security teams to handle manually: a single application change request can often take more than 8 hours to complete.

Manual processes are also prone to simple human errors, which can have catastrophic consequences.

An AlgoSec study found that 20% of organisations had a security breach, 48% an application outage, and 42% a network outage caused by mistakes during a manual security change process.

So automation of change processes is essential for Zero Trust network security.

Segmenting for security

Zero Trust guidance recommends designing security from the inside out, to place security and access controls as close as possible to the assets you want to protect.

But when devising the microsegmentation scheme for your network, deciding where to place the borders between segments isn’t easy. 

You need to know exactly how the positioning of each microperimeter will affect critical business applications.

Also, setting up the segmentation scheme is not a one-time-only activity; it will be an ongoing process that will change as the business applications change, with many more security controls to manage in order to enforce the segmentation. 

To meet these challenges, the network-wide visibility and automation described above are prerequisites.

Compliance matters

One of the key rewards of a Zero Trust network security approach is that it makes meeting compliance requirements far easier. 

An effective segmentation scheme can reduce the extent of compliance initiatives because some regulations (such as PCI-DSS) only have certain data types in scope.

And when properly implemented across networks, Zero Trust exceeds the security prescribed by compliance directives.

But as touched on above, you will have many more firewalls and gateways to manage. 

This makes audit preparation and documentation across those extra controls more time-consuming and costly if done manually – diverting resources away from more strategic initiatives. 

Meeting the Zero Trust challenge

To meet the challenges of these four key Zero Trust framework components, what’s needed is an automated management solution with four key capabilities:

  1. Visualising all of the firewalls and security controls across the entire network estate, and the rules, policies and connectivity maps supporting each business application, in a single pane of glass.
  2. Managing all security controls holistically using common syntax and logic, and automating security policy changes consistently across those controls. 
  3. Managing complex, large-scale segmentation schemes, enabling security teams to plan changes and perform ‘what if’ dry runs to eliminate the risk of causing inadvertent outages. If no issues are identified, the changes can be rolled out across all the relevant security controls and devices with zero-touch – saving significant time and effort, and preventing damaging misconfigurations.
  4. Automatically tracking and documenting all processes and changes, proactively assessing risk and providing pre-formatted audit reports, to minimise audit preparation time and help ensure that continuous compliance is maintained.
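The ‘what if’ dry run in point 3 can be illustrated with an added example that is not AlgoSec's code: it models micro-perimeters as address segments, the connectivity flows each application needs (the visibility data from point 1), and a first-match, default-deny rule set, then reports which flows a proposed change would block before anything is pushed to devices. All segment ranges, flows and rules are constructed sample data.

```python
# Added example, not AlgoSec's code: a toy "what if" dry run for a microsegmentation
# change. Segments, flows and rules below are constructed sample data.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Micro-perimeters: segment name -> CIDR. "pci" holds card-holder data.
SEGMENTS = {"web": ip_network("10.1.0.0/24"), "app": ip_network("10.2.0.0/24"),
            "db": ip_network("10.3.0.0/24"), "pci": ip_network("10.9.0.0/24")}

# Rule: src/dst are segment names or "any", port 0 means any port, first match wins.
Rule = namedtuple("Rule", "src dst port action")
# Flow: one connection an application needs, as discovered by the visibility layer.
Flow = namedtuple("Flow", "app src_ip dst_ip port")

def segment_of(ip):
    return next((n for n, net in SEGMENTS.items() if ip_address(ip) in net), "unknown")

def evaluate(rules, flow):
    """First-match evaluation; no match means deny (nothing is trusted implicitly)."""
    s, d = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    for r in rules:
        if r.src in (s, "any") and r.dst in (d, "any") and r.port in (flow.port, 0):
            return r.action
    return "deny"

def dry_run(current, proposed, flows):
    """Flows allowed today that the proposed rule set would block (= likely outages)."""
    return [f for f in flows
            if evaluate(current, f) == "allow" and evaluate(proposed, f) != "allow"]

# Constructed application flows
FLOWS = [
    Flow("billing", "10.1.0.10", "10.2.0.20", 8443),
    Flow("billing", "10.2.0.20", "10.9.0.5", 5432),   # app tier -> PCI database
    Flow("reporting", "10.2.0.21", "10.3.0.7", 3306),
]

# Today: a broad app -> any rule (the kind of rule segmentation is meant to remove)
CURRENT_RULES = [Rule("web", "app", 8443, "allow"), Rule("app", "any", 0, "allow")]

# Proposed tightening: explicit flows only, but the PCI database port was forgotten
PROPOSED_RULES = [Rule("web", "app", 8443, "allow"), Rule("app", "db", 3306, "allow"),
                  Rule("any", "pci", 0, "deny")]

def impacted_apps(current=CURRENT_RULES, proposed=PROPOSED_RULES, flows=FLOWS):
    """Application names that would suffer an outage if the change were pushed."""
    return sorted({f.app for f in dry_run(current, proposed, flows)})
```

Running `impacted_apps()` on the sample data flags the billing application, because its app-tier-to-PCI-database flow is allowed today only by the broad rule and has no explicit replacement in the proposed set.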

With the right solution, CISOs can architect their Zero Trust network security model based on their organisation’s unique needs and ensure their critical applications and data assets are continuously protected.

This makes it easier to deploy and secure new operational initiatives and models, supporting business agility without introducing risk, and giving a trusted foundation for Zero Trust network security.
