The castle walls, moat and drawbridge have been overrun. It is obvious to all of us: the use of perimeter defense as the key cyber strategy is dead.
InfoSec Insider contributor Pravin Kothari
Over time, the internet has added so many new entry points into the enterprise that they are unmanageable. You have too many administrative interfaces to maintain, at ever-increasing cost and complexity. Off-the-grid shadow IT products and services also bring new cloud applications into the enterprise, unknown to the security operations defenders. Borders that were once well defined have become porous and open.
There is so much traffic moving in and out of the network that it is almost impossible to discern intent from content, especially since both enterprise and attacker tools use encryption. The sum total of your personnel, tools and tactics does not provide better security; instead it offers an almost certain target to any persistent attacker.
At the core of this is the issue of trust. If you are on the enterprise's physical, hard-wired network, the security model is designed to implicitly reward you: you are inside the network, therefore we know who you are and we can trust you. Once inside and trusted, you can navigate nearly anywhere. Individual applications may still require permissions for specific resources, but in the meantime you have almost free run of the network.
This implicitly delegated trust gives you visibility into network traffic and resources, and if you are an attacker, with a few tools you are almost immediately positioned to intercept messaging, observe processes and capture authentication material. Attackers look around and, sooner or later if not caught, manage to capture administrator credentials. Game over. TCP/IP was designed as an open protocol: an IP address is not an identity, source addresses are unauthenticated and can be spoofed, and nothing in the protocol stack itself establishes who is on the other end of a connection.
The cloud has amplified this problem. Attackers have a virtual library of new attack vectors through which to gain access. The cloud not only stores valuable enterprise data but provides a conduit back to closely guarded on-premises assets. A large share of data exposures and potential breaches have been caused by misconfiguration, such as storage buckets and databases left readable by anyone on the internet; we have seen many examples impacting Amazon AWS, Google Cloud and Azure customers alike.
Even basic encryption of data at rest does not close this gap. The recently announced data exposure in the Salesforce Marketing Cloud was caused by access through the application programming interface (API). Encryption at rest protects the storage medium, not the application path: an API that serves authorized callers must decrypt the data to serve it, so an attacker who is already inside the network and can reach or compromise that API receives plaintext regardless of how the disks are encrypted.
One strategy that can add strength and resiliency to your defense-in-depth posture is to move to Zero Trust. The Zero Trust model was first conceived by Forrester Research in 2009, when it noted that it was inherently flawed to consider everyone inside the network as trusted and everyone outside it as untrusted. The basic assumption of Zero Trust is that no user, device or connection is trusted by default, whether it originates inside or outside the network; every request must prove who is making it and be authorized on its own merits. Zero Trust turns the legacy perimeter model upside down and, having evolved with industry participation, now presents a strong and viable alternative.
Zero Trust also changes both policy and architecture by assuming that threats are present at all times, inside the network as well as outside, and that enterprises and government agencies must operate accordingly. Every user and device on the network must be authenticated and authorized. Policies should limit each user to the minimal subset of resources needed to do their job, and no more. No more wide-open view of the internal network and data sources, no more easy access to data resources: everything should be hardened, encrypted end to end, and locked down.
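The contrast between the implicit network trust described earlier and the per-request authentication, authorization and least-privilege checks described here, worked as an added example in Python (this is not code from the original article or from CipherCloud). A single data store encrypted at rest is exposed through two access paths. The perimeter API trusts any caller whose packets arrive from the internal address range and transparently decrypts, which is exactly why encryption at rest did not help in the API scenario above. The Zero Trust gateway never consults the source address; it demands an identity, a second factor, a managed device and an explicit per-record entitlement on every call. The identities, address range, device-posture fields, policy table and sample records are all constructed for illustration, and the HMAC-based keystream is only a stand-in for a real AEAD cipher such as AES-GCM.

```python
"""Implicit network trust vs. per-request Zero Trust checks (added illustration).

All identities, the address range, the policy table and the records are
constructed; the HMAC keystream stands in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional

STORAGE_KEY = os.urandom(32)  # demo only; a real key lives in a KMS/HSM


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """CTR-style keystream: HMAC-SHA256(key, nonce || counter), first n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt at rest: random 16-byte nonce prepended to the XORed payload."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed sample records; the store only ever holds ciphertext.
RECORDS = {
    "cust-1001": seal(STORAGE_KEY, b"Alice Example,4111-1111-1111-1111"),
    "cust-1002": seal(STORAGE_KEY, b"Bob Example,5500-0000-0000-0004"),
}


@dataclass
class Request:
    """One API call. user is None when no credential was presented at all."""
    src_ip: str
    record_id: str
    user: Optional[str] = None
    mfa_verified: bool = False
    device_managed: bool = False


CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside" range


def perimeter_api(req: Request) -> str:
    """Legacy model: an internal source address is the only check, and the API
    decrypts for whoever asks. Encryption at rest adds nothing once an attacker
    is on the network."""
    if ipaddress.ip_address(req.src_ip) not in CORP_NET:
        return "denied: outside perimeter"
    if req.record_id not in RECORDS:
        return "denied: no such record"
    return unseal(STORAGE_KEY, RECORDS[req.record_id]).decode()


# Least-privilege entitlements: which records each identity may read (constructed).
POLICY = {
    "alice@example.com": {"cust-1001"},
    "support@example.com": {"cust-1001", "cust-1002"},
}


def zero_trust_api(req: Request) -> str:
    """Every call is authenticated and authorized on its own merits; the source
    address is deliberately never consulted."""
    if req.user is None:
        return "denied: unauthenticated"
    if not req.mfa_verified:
        return "denied: second factor required"
    if not req.device_managed:
        return "denied: unmanaged device"
    if req.record_id not in POLICY.get(req.user, set()):
        return "denied: not entitled to record"
    if req.record_id not in RECORDS:
        return "denied: no such record"
    return unseal(STORAGE_KEY, RECORDS[req.record_id]).decode()


def demo() -> dict:
    """The same callers through both paths, returned so the outcome can be checked."""
    insider = Request(src_ip="10.20.30.40", record_id="cust-1002")  # on the LAN, no identity
    alice_remote = Request(src_ip="203.0.113.7", record_id="cust-1001", user="alice@example.com",
                           mfa_verified=True, device_managed=True)
    alice_overreach = Request(src_ip="10.0.0.5", record_id="cust-1002", user="alice@example.com",
                              mfa_verified=True, device_managed=True)
    return {
        "perimeter/insider": perimeter_api(insider),
        "zero_trust/insider": zero_trust_api(insider),
        "perimeter/alice_remote": perimeter_api(alice_remote),
        "zero_trust/alice_remote": zero_trust_api(alice_remote),
        "zero_trust/alice_overreach": zero_trust_api(alice_overreach),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

The insider with no credentials at all gets Bob's card number from the perimeter API simply because the packet came from 10.0.0.0/8, while the same call is refused by the Zero Trust gateway; Alice, working from an external address with MFA and a managed device, is refused by the perimeter model but served by Zero Trust, and only for the record she is entitled to.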
Zero Trust does not have to be adopted all at once. Start by defining the Zero Trust policies that align with your current defense-in-depth deployment, then decide on operations, procedures and best practices, and finally select and deploy the technologies required.
Enterprises and government agencies can make the change at a pace that matches their need for stronger security, adding technologies, policies and encryption as they go. The impact on the existing base of devices and TCP/IP infrastructure is limited, because Zero Trust is an overlay of identity, authorization and encryption on top of the network already in place rather than a replacement for it.
Commercial products exist that add Zero Trust controls and encryption to cloud deployments. They can provide enhanced visibility, threat and data protection, and strong controls for implementing compliance requirements. By overlaying the cloud with these controls, they add the capabilities required to identify the new wave of cyber threats that could overrun your network and shut down access to critical resources.
Two-factor authentication is another powerful tool, and it should be mandatory in any Zero Trust environment: access to every application should require a second factor, not just a password. Deception technology and newer techniques such as moving target defense are complementary controls that are often deployed alongside Zero Trust.
Perimeter defense is long dead as a primary strategy, but good alternatives exist. Building out a Zero Trust strategy results in an environment that is much more robust and capable of stopping many of the attackers who seek to compromise your on-premises networks and clouds. When attackers do successfully penetrate your networks, Zero Trust helps reduce the time to breach detection and substantially limits, or eliminates, their ability to cause damage or steal data. It also helps you mitigate the attack promptly so you can resume normal operations.
(Pravin Kothari is CEO of CipherCloud. Pravin is a pioneer in the SIEM, IT-GRC and cloud encryption markets. He founded CipherCloud in 2010 out of a need to help companies take control of their sensitive data as it moved rapidly to the cloud.)