How Zero Trust Organizations Secure Their Networks and the Cloud

 Cyber & Risk, IAM
In the fourth article in our five-part series on the Zero Trust Organization, “How to Secure App and Enterprise Data Using Zero Trust,” we discussed the importance of securing applications and data – the lifeblood of today’s digital enterprises – and how, in a Zero Trust environment, we must not presume that protecting applications will automatically protect the data upon which these applications rely. A Zero Trust environment is built on a never-trust/always-verify approach to all entities and transactions in the enterprise which is why protection must be applied at four levels: user, application, data, and network. In this concluding article in our series, we describe the critical job of securing the network, and why today the cloud must be regarded as an integral part of that network, with access to the cloud protected accordingly.

A Zero Trust Organization operates under the assumption that its network perimeter defenses have been compromised, and that both internal and external attacks on the network are active and ongoing.

Network breaches have resulted in some high-profile security events.

For example, in September 2018 Facebook revealed that hackers had gained access to its network through a software vulnerability and potentially accessed the accounts and personally identifiable information (PII) of 50 million users, including, reportedly, the accounts of Facebook founder and CEO Mark Zuckerberg and COO Sheryl Sandberg.

Similarly, in 2014 Yahoo was spear-phished by foreign attackers. The FBI began its investigation then, but the hackers were able to continue accessing Yahoo emails containing account holder PII and metadata for two years, until 2016, by exploiting a compromised Yahoo server. Yahoo has said that ultimately all three billion of its accounts were affected.

Network security has never been more important.

Traditional network security architecture segments the network into zones, each surrounded by a firewall. Computers in a zone are granted the same level of trust, allowing them to connect easily to other computers in the same zone. This is the principle of network locality. In a compromised network, protections offered by this architecture are insufficient. Once a host is compromised, a malicious actor has the freedom to move laterally within that zone and jump from the compromised host to other hosts in the same zone. A Zero Trust Organization must assume that network locality no longer offers adequate protection.

How Zero Trust Organizations Protect Their Networks

The following are three critical steps Zero Trust Organizations can take to strengthen their networks:

  1. Introducing micro-segmentation and the Zero Trust Control Plane. Instead of simply fragmenting its network into a few large zones, a Zero Trust Organization introduces network micro-segmentation – creating many smaller zones managed by a centralized component called the Zero Trust Control Plane. The Control Plane handles access to protected network resources through identity-aware access control policies. Additionally, policies can factor in environmental attributes such as time of day and type of device in order to force stronger authentication when required.
  2. Improving threat detection through machine learning. Zero Trust Organizations implement continuous monitoring on their networks and make use of machine learning to detect anomalies. For example, if a system administrator is suddenly downloading data he or she never downloaded before, and emailing at 2 a.m. local time, the administrator’s identity may be authenticated, and he or she may have the approved access, but the activity itself is inherently suspicious. Automated tools can learn to spot and flag such anomalies and immediately force action.
  3. Implementing dynamic identity-based access policies. Regular network security policies use criteria like IP, port, and protocol to make access control decisions. In a Zero Trust environment, such location-based parameters alone are insufficient, because an otherwise legitimate server may have been compromised. An identity-based policy is stronger because it validates application signatures in addition to IP and protocol parameters. Policies also must be dynamic and adjust to changing traffic conditions or other factors in the network environment.

How a Zero Trust Organization Secures the Cloud

Enterprise use of the cloud is growing. According to IDG, 90% of companies will have part of their applications or infrastructure in the cloud by 2019, and the remaining 10% by 2021. In a Zero Trust Organization, cloud security is given the same level of importance as network security.

In the cloud, the only thing between you and the bad guys is a login screen. Consequently, access control has heightened importance.

Despite strong protections offered by the major cloud providers, users of cloud services can make costly mistakes when they fail to fully secure their cloud presence. That risk is compounded by the ease with which business units can purchase cloud services without proper approval processes. This makes it difficult for enterprises to know what data is being stored in the cloud and who has access to it.

A Zero Trust Organization knows what it has in the cloud: its applications, the data that resides in them, the relative sensitivity of that data, and the users who are accessing it.

To improve cloud security, the Zero Trust Organization creates a map of what it has in the cloud and implements strong access control. That includes multi-factor authentication to access sensitive cloud applications. For example, cloud-hosted email, such as Office 365, should require multi-factor authentication before a user can log in. Conversely, an application that does not have a lot of critical information may not need that degree of friction-producing authentication.

Adaptive access control and risk-based adaptive authentication increases authorization requirements depending on geography and/or time of day. In other words, a request for access made from the home office may be okay while a request received from a rogue state may not be.

This level of control requires monitoring cloud actors. In late 2016, hackers stole Uber’s AWS account credentials, logged into Uber’s account, and downloaded the PII of millions of its customers. Consequently, a Zero Trust Organization observes login attempts to see who is accessing what in the cloud, and when, and looks for anomalies, just as one would in an on-premise network.

Access control has heightened importance in cloud security. Cloud security policies must be dynamic and reliably enforced. This in turn requires visibility into the data and applications that are in the cloud. These complement the security measures applied by the cloud provider and lead to a more secure cloud environment.