In the wake of the global Covid-19 pandemic, we find ourselves in a radically changed workforce paradigm. In many cases this shift happened virtually overnight, and the repercussions were bound to be equally swift. We needed to be home, work on shared documents and have access to appropriate private information, but one must wonder how much time was really spent finding a sound balance between accessibility and security. How many of these interim solutions are now the modus operandi? While saving our companies from the certain doom caused by remote access limitations, we may have positioned ourselves for the almost equally conceivable doom of falling victim to the constant barrage of cyberattacks.
It’s not hard to see this coming to fruition with the headlines smattered across newspapers and TV: JBS, Microsoft, Colonial Pipeline, Acer, Kia, and many more. According to Harvard Business Review, the amount hackers demanded, and companies consequently paid, also grew by 300% over the past year. If there were ever a time to go back to the basics and redefine our security assumptions and consequently our defenses, that time is unmistakably now. A very noteworthy phenomenon in the field of security is that the typical organization relies on a vast and ever-increasing number of discrete security products to keep it safe. We forget that sometimes the absolute best security “tool” is a change in attitude. Rather than keeping everything in the castle or on-premise, being able to adjust security strategies to include Cloud access is vital for the new workplace.
Opening the Door
In the early phases of the COVID-19 pandemic, many businesses found themselves in a mad scramble to determine how to solve the seemingly insurmountable obstacles in making remote employee access possible without completely breaking all the customary security foundations. I can guess that in many of these meetings a valid question was posed on whether this was even a possibility at all.
Over the years there have always been reasons for employees to remotely access the core business system, and each of these remote access projects has brought its own security challenges. Meeting these challenges has largely been focused on a “fortify the castle” approach, and to a certain extent, this has kept us on par with our cyber attackers.
The solutions have ranged from all kinds of VPN products through Next-Gen Firewalls to the most recent use of SD-WAN (SASE) deployments on the network. On the desktop side, we’ve seen an omnium gatherum of SSL VPN solutions, End-Point Protection products, whitelisting tools up to the most advanced high-security VDI deployments. For many organizations, adding layer upon layer of these defenses over an extended period of time has caused the implemented cyber defenses to rely on a considerable number of legacy, on-premise, and cumbersome point solutions. Fortifying the castle one wall, one moat and one drawbridge at a time, doesn’t allow for much architectural progress.
For a large percentage of organizations most – if not all – of these tools were deployed from the perspective that most employees were situated inside the fortress’ high wall. But there has been a significant shift in a large segment of the workforce, as an estimated 70% of workers are now doing their jobs from home either all or most of the time. Organizations that previously had tight control of the user’s endpoint found themselves struggling to push security updates from their central location onto bandwidth-constrained home networks. Ironically, the more tightly the pre-Covid security stance had been aligned to central control, the larger the problem they now faced.
The Zero Trust Mind Set
Bad guys out, good guys in. This long-standing principle has shaped how enterprises approach information security for decades. From the time of punch cards and landlines, this philosophy has been anchored in the premise that IT environments can be protected from malicious activity simply by making the perimeter bigger, stronger, and more resilient. It’s a model that conjures comparisons to castles and moats, but it carries a twinge of irony, considering that the foundation of the narrative, that internal traffic is automatically trusted, is now known to be a fairytale. The rise of Cloud infrastructure is a direct reflection of this: the most secure platform is now housed not on-premise but in the Cloud.
Zero-trust security proposes a very different model – one grounded in the assumption that all users, devices, and transactions are already compromised, regardless of whether they’re inside or outside the castle’s wall (aka firewall). That perspective drives a new strategy for network security architecture, which has been adopted by Google as its intrinsic security model.
Zero trust’s underpinning lies in a security architecture that withholds access until a user, device or even an individual packet has been thoroughly inspected and authenticated. Even then, only the least amount of necessary access is granted. A one-liner commonly assigned to zero-trust security is “never trust, always verify,” definitely a sharp reversal from the old “trust but verify” approach to security.
I’m not implying that the walls, moats, and drawbridges are no longer necessary in the defense of your castle, but rather I’m encouraging the consideration of enhancing your approach by also checking every person in the castle – under the assumption that they might have scaled a wall or swum the moat – and then limiting them to a smaller portion of the castle.
Zero-trust security embraces the use of more precise and stringent network segmentation, creating what is sometimes called micro-perimeters throughout the network to prevent lateral movement. The goal is that when – not if – a breach occurs, an intruder can’t easily access sensitive data by hopping VLANs, for example.
Policies and governance also play an important role in a zero-trust architecture, since users should have the least amount of access required to fulfill their duties. Granular control over who, what, where, and when resources are accessed is vital to a zero-trust network.
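As an added illustration of the who/what/where/when checks and least-privilege grants described above (example code written for this article, not the author’s or GCSIT’s own tooling), the following Python policy evaluator denies by default and re-verifies identity and device posture on every request, whether it originates inside or outside the perimeter. The users, segments, resource names and access hours are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool       # identity re-verified for this session, not just a password
    device_compliant: bool   # posture check passed (patched, endpoint protection running)
    source_segment: str      # micro-segment the request comes from, inside or outside
    resource: str
    action: str
    time: datetime           # UTC

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    scope: frozenset = frozenset()   # least-privilege grant: only what was verified

# Constructed sample policy: explicit who/what/where/when allow lists; anything unlisted is denied.
POLICY = {"accounting-ledger": {
    "who": {"jane": {"read", "write"}, "auditor": {"read"}},
    "where": {"corp-finance", "remote-vpn"},
    "when": (7, 19),  # UTC hours, start inclusive, end exclusive
}}

def evaluate(req: AccessRequest, policy=POLICY) -> Decision:
    """Never trust, always verify: a request passes every check or is denied."""
    rule = policy.get(req.resource)
    if rule is None:
        return Decision(False, "no policy for resource")
    if not req.mfa_verified:          # the login may not really be Jane from accounting
        return Decision(False, "identity not verified")
    if not req.device_compliant:      # device posture is checked on every request
        return Decision(False, "device posture failed")
    if req.action not in rule["who"].get(req.user, set()):
        return Decision(False, "user not entitled to action")
    if req.source_segment not in rule["where"]:
        return Decision(False, "segment not permitted for resource")
    start, end = rule["when"]
    if not start <= req.time.hour < end:
        return Decision(False, "outside access window")
    # Grant exactly the verified action on exactly this resource, nothing broader.
    return Decision(True, "verified", frozenset({f"{req.resource}:{req.action}"}))

def sample_request(**overrides) -> AccessRequest:
    """Constructed baseline: Jane reading the ledger over VPN at 10:00 UTC."""
    base = dict(user="jane", mfa_verified=True, device_compliant=True,
                source_segment="remote-vpn", resource="accounting-ledger",
                action="read", time=datetime(2021, 6, 1, 10, tzinfo=timezone.utc))
    return AccessRequest(**{**base, **overrides})
```

Note that a request from the internal "corp-finance" segment without a verified identity is refused just like an external one; the segment only ever narrows access, it never substitutes for verification.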
The New Frontier
A legacy, perimeter-based approach to security no longer protects organizations from the increasingly common and destructive identity- and credential-based attacks. The sudden shift to remote work has increased the possible attack vectors dramatically. These conditions couldn’t have changed the security paradigm so swiftly by themselves, but years of attack evolution in the APT realm have presented plenty of reasons and incentives – contributing to the urgency of the paradigm change.
No matter how flashy the firewall, it won’t prevent an attacker who’s obtained stolen login information from wreaking havoc without highly granular segmentation and access policies. Contrary to the assumptions in traditional security models, user identity inspires one of the lowest degrees of confidence, because it’s reasonable to assume that the person logging in with Jane from accounting’s username and password may not be Jane from accounting.
Transitioning to the zero-trust security model is also a matter of keeping pace with other evolutions in IT. Users no longer fetch data and applications solely from a desktop computer at a fixed location via conventional enterprise data centers. From remote workforce to mobility to cloud to microservices, traditional perimeters are crumbling—a new approach is vital.
Written by Karl Adriaenssens, Chief Technology Officer (CTO) at GCSIT.
Overview: This article highlights how, throughout the Covid-19 pandemic, employees found themselves witness to a radically changed workforce paradigm. This shift forced companies to find a balance between accessibility and security. It also brought to light how many of their “good enough” solutions are now causing security nightmares. While companies tried to deal with the issues caused by remote access limitations, they may have positioned themselves for the almost equally conceivable doom of cyberattacks. Today, companies must go back to the basics and redefine their defense systems. A legacy, perimeter-based approach to security simply no longer protects organizations from the increasingly common and destructive identity- and credential-based attacks.