There’s a way CSOs can boost network security without costing a nickel — trust no one.
That’s the advice of John Kindervag, principal security analyst at Forrester Research, who for several years has been advocating organizations set up a Zero Trust network architecture as the first step in a strong defence against external and internal attacks.
Simply, the idea is to limit access to sensitive data to only those that need it.
The concept is getting more support with every successful publicized data breach.
It could have stopped the latest breach, in which tens of millions of personal accounts were stolen from U.S. private health care provider Anthem Inc., Kindervag said in an interview.
Zero Trust “is data centric, so its designed to stop data breaches. Because it’s at the center of the data center where you can see things it has the greatest hope of architecturally being able to stop it across all egress points.”
“So many controls are just designed to protect the Internet connection, but there are so many places data can be exfilltrated from the network: It could be done through your Wi-Fi, your Voice over IP system, your WAN, business partners, the cloud — there are so many place that aren’t inspected, aren’t controlled. In fact for some organizations the network is one big blind spot.”
Too many organizations build defence at the perimeter and assume anyone inside the network can be trusted, he said. Zero Trust means not trusting any packets.
Kindervag said there are five steps to creating a Zero Trust Network:
–1. Identify and classify the organization’s data. “If we focus on exclusively network devices and their protection and forget about the data there will always be breaches.” Then segment the network;
–2. Understand how data flows across the network for each application. Optimize the flows;
–3. Architect the Zero Trust network based on those flows. Define and optimize a transaction path that that allows the proper use of data, and flags or denies transactions where someone is abusing or misusing data;
Microperimeters can be built around the most sensitive data, with a segmentation gateway/next-generation firewall to enforce them;
–4. Create automated rules around the network to enforce access control as well as the inspection policies for the gateway/firewalls. One possibility is leveraging software defined network virtualization technologies to send the right traffic to the right inspection point so it can be on the lookout for someone trying to steal data.
There must be application-layer visibility at it traverses the gateway, Forrester says, to spot malicious traffic.
It also recommends using a firewall auditing solution to continuously audit and optimize the segmentation gateway rule base.
–5. Monitor the network to see where more insight is needed. Log and inspect all traffic, internal and external. A security analytics system should connect to segmentation gateways to stop malicious traffic.
“People will often complain that I’m saying people aren’t trustworthy,” says Kindervag, “and I’m saying something much more profound in this digital age, and that’s people aren’t packets. You don’t need trust to move a packet from Point A to Point B. You just need routing protocols, you need the underlying infrastructure. These are the things we are trying to impress upon people. Digital technologies changed the game in terms of how you classify data, its also how you secure this stuff because data that may claim to have come from an individual may well have been forged at the packet level.”
There is a role for encryption, he adds, but encryption alone won’t make data secure.
The concept is designed to work with off the shelf technology, Kindervag said. Because it’s data-centric, the network doesn’t have to be ripped apart.
He knows of one enterprise that, after a month to design the new architecture and buy some equipment, was and up and running within 90 days.
There will be a culture fight (‘This isn’t the way we’ve done things,’), he admits. But Kindervag said, the evidence is clear — from the number of breaches — the old ways aren’t working.
One advantage of Zero Trust networks is C-level executives grasp the idea fairly quickly, he said.
“One of the real values is it’s bringing the business and IT world together by having a common set of objectives,” he added. It also helps IT provide more business value to the organization because they understand the objectives.