In the last 10 years, there hasn’t been a single IT or security professional that we’ve spoken with that hasn’t expressed that they are absolutely slammed day in and day out. Of course, we’re in that same boat. So, we humbly apologize for the delay in getting the remainder of our National Cyber Security Awareness Month posts out. But, we think it is worth having further visibility on these topics and continuing the discussion.
When looking at how to SECURE IT!, we need to have a discussion about trust. In personal and professional relationships, we all set limits on who and how we trust. We lock our doors and only ride in the car with certain people (and avoid riding with others). We don’t do business with sketchy people. Trust decisions are made all day every day. So, why shouldn’t we do the same in our networks, with people, systems, and services that we may or may not know and trust? Obviously, the answer is that we should, but historically, we don’t.
In the somewhat recent past, there was a concept of securing networks that involved setting zones of trust within your network. In most networks, this meant you had a trusted, untrusted, and semi-trusted zone. We applied limitations on these zones based on that level of trust. Organizations that did a great job of securing these zones limited access to specific sources and destinations on limited ports and protocols. This worked but, only because we had a very limited method of accessing resources. Not only has the edge and the location of resources changed, but how TCP protocols are used has changed. In the past, HTTPS protocols weren’t being used to encapsulate 11 different services, protocols, and apps. Name an organization that doesn’t allow HTTPS outbound to internet destinations… I’ll wait. Ultimately, doing this made the protections that were put in place with trust-based zones useless.
Then, in walks the shiny “new” concept of zero-trust. You can infer the meaning of it, but we’ll explain a bit. Essentially, you trust nothing, no one, and nowhere. You’re managing trust on a per user, per application, per source/destination basis. Every connection has a specific purpose, and you limit it accordingly. This includes your formerly defined “trusted” LAN zone having limited, controlled access to other portions of your LAN. Security VLAN to server VLAN has no implicit trust. Receiving user VLAN to finance user VLAN has no implicit trust. Server VLAN to Azure VLANs has no implicit trust. This concept is excellent for security, obviously. But not every organization has the ability, manpower, or budget to fully implement this.
So, how can you take the steps to get there when you have these limitations?
There are many areas that you could implement this in your environment. There is zero-trust within Windows domains, within specific applications, and within the network. The concept is the same, its deployment and implementation is different. I’ll specifically discuss the steps that can be taken in your network and at your edge to find yourself in a zero-trust environment. As I’ve mentioned in the past blogs for NCSAM, the first step in really any initiative for cyber security must be understanding what you have. Take inventory and determine exactly what you have and where you have it. Once you’ve got a good idea of what you have, you can make intelligent, informed decisions on what to trust.
The next step would be to segment your network into logical/similar areas. Segment subnets for user departments, specific server functions, external facing vs internal facing, wireless vs wired. Put these segments on a whiteboard and determine the level of access that should be allowed to each individual service, application or resource. You may not trust that typical users should have access to the finance user subnet. The entire idea of segmenting the network so that you protect the critical assets, minimize exposure and reduce time to respond/time to remediate.
Lastly, use identity management tools to deliver access to resources based on specific roles and responsibilities and required access. You can use LDAP integration to tie your firewall policies to your active directory groups or use a CASB (cloud access security broker) to monitor and automate access for cloud and SaaS applications. By using an accurate, single system of identity to manage these capabilities, you can simplify the management while greatly improving your security. However, the success of these efforts is highly dependent on the idea of garbage in, garbage out. If you have stale objects in AD, do not have accurate user groups, or have no classifications for your data, your ability to limit access to resources based on identity will be severely limited and these efforts can give the opposite result.
Overall, using a zero-trust model can increase the effectiveness of your investment into security solutions, provide an exceptional user experience, and minimize the exposure of your critical resources. If you take the steps to OWN IT, then you can SECURE IT. But, you don’t need huge budget to do this. You can take small, logical steps to work toward a goal and use proven methods, such as zero-trust to do it.