Security pros should trust no one

Powered by SC Magazine
 

The zero-trust network framework, in which security is embedded into the network rather than bolted on afterwards, offers protection from threats and helps isolate and contain damage if an incident arises, but implementation isn't easy.

Could it be that one of the most common credos taught to security professionals is actually leading them astray?

Every practitioner has heard it before: Trust that employees are doing the right thing, but verify that data is protected. Proponents of a new security model, however, argue that while the phrase “trust, but verify” sounds good in theory, the reality is that most security practitioners have been doing the opposite – trusting users by default, but never verifying that data is protected.

“Whoever said, ‘This needs to become a mantra,' missed the mark,” says John Kindervag, a senior analyst at Forrester Research. “It incentivises people to not know what's going on. There is no reason to have any trust in the network.” Kindervag is the driving force behind a new model called “zero-trust” that is gaining support with the security community.

The strategy is based on the idea that security must be made ubiquitous throughout the network, not just at the perimeter. No longer should there be any distinction between a trusted internal network and the untrusted external network. The zero-trust model dictates that all network traffic should be untrusted.

The idea was born to solve a fundamental security problem: Once an attacker penetrates a network, they have unfettered access to the resources inside, Kindervag says. Plus, malicious insiders don't even need to break into the network to abuse its resources.

Consider this: 49 percent of breaches investigated in 2009 by Verizon were linked to insiders. This figure dropped to 17 percent for incidents investigated last year, but according to Verizon, the decrease was attributed to a monumental increase in smaller external attacks, rather than a true reduction in insider activity.

For both years, investigators found that the vast majority of internal breaches were the result of intentional malicious activity.

Key concepts

The zero-trust model aims to mitigate internal and external threats through changes in both security philosophy and network architecture. The model has three core concepts, the first of which is to ensure all network assets are accessed securely, which necessitates using encrypted tunnels.

Next, limit and steadfastly enforce access control across the enterprise, which discourages insiders from abusing or misusing network resources. To do so, Forrester recommends using role-based access control (RBAC) products, which assign individuals to a role that determines what they can access.

The third concept is to log and inspect internal and external network traffic. Most organisations already keep logs, but few actually go so far as to inspect them. For this piece, Forrester suggests using traditional security information management systems in conjunction with so-called network analysis and visibility (NAV) solutions, which include tools to analyse flow data, dissect packet captures, inspect network metadata and facilitate network forensic examination. Such tools can provide security practitioners with a better understanding of what is happening on a network and make it easier to monitor applications.
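The three concepts are easier to see together in working code. The following is an added example written for this page, not code from the SC Magazine article, from Forrester or from any of the organisations quoted: a small policy engine that refuses anything not carried over an authenticated, encrypted channel, grants access only through a default-deny role table, and logs every decision so the log can be inspected for sources that keep probing enclaves they have no role for. The enclaves, roles, users and sample requests are all constructed for the illustration.

```python
# Added example (not from the article or Forrester): a minimal policy engine
# applying the three core zero-trust concepts: encrypted, authenticated access
# only; default-deny role-based access; and logging plus inspection of every
# decision. Enclaves, roles, users and requests are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Hypothetical data enclaves ("islands of protection"): name -> subnet.
SEGMENTS = {
    "user-lan": ipaddress.ip_network("10.1.0.0/16"),
    "pci-db":   ipaddress.ip_network("10.9.0.0/24"),
    "hr-files": ipaddress.ip_network("10.8.0.0/24"),
}
# RBAC: role -> (enclave, action) pairs it may perform. Anything not listed is
# denied; being "inside" the network grants nothing by itself.
ROLE_PERMISSIONS = {
    "dba":        {("pci-db", "query")},
    "hr-analyst": {("hr-files", "read")},
    "contractor": set(),   # nothing unless explicitly granted
}
USER_ROLES = {"alice": {"dba"}, "bob": {"hr-analyst"}, "carol": {"contractor"}}

@dataclass
class Request:
    user: str
    src_ip: str
    dst_ip: str
    action: str
    encrypted: bool       # carried over TLS/IPsec?
    authenticated: bool   # identity verified, e.g. by mTLS or SSO?

@dataclass
class Decision:
    allowed: bool
    reason: str

def segment_of(ip):
    """Enclave an address belongs to, or None if it is unknown to us."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

class PolicyEngine:
    def __init__(self):
        self.log = []   # (request, decision) for every evaluation

    def evaluate(self, req):
        decision = self._decide(req)
        self.log.append((req, decision))   # concept 3: log every decision
        return decision

    def _decide(self, req):
        # Concept 1: no plaintext or unauthenticated access, even internally.
        if not req.encrypted:
            return Decision(False, "channel not encrypted")
        if not req.authenticated:
            return Decision(False, "identity not verified")
        dst = segment_of(req.dst_ip)
        if dst is None:
            return Decision(False, "destination is not in a known enclave")
        # Concept 2: RBAC with default deny.
        for role in USER_ROLES.get(req.user, set()):
            if (dst, req.action) in ROLE_PERMISSIONS.get(role, set()):
                return Decision(True, f"role {role} permits {req.action} on {dst}")
        return Decision(False, f"no role of {req.user} permits {req.action} on {dst}")

    def denied_by_source(self):
        """Concept 3, inspection: denials per source address. A source that is
        repeatedly refused by enclaves it has no role for is a lateral-movement
        signal worth a closer look."""
        counts = {}
        for req, dec in self.log:
            if not dec.allowed:
                counts[req.src_ip] = counts.get(req.src_ip, 0) + 1
        return counts

# Constructed sample requests: a legitimate query, the same query in plaintext,
# a cross-role attempt, and a contractor probing two enclaves.
SAMPLE_REQUESTS = [
    Request("alice", "10.1.4.20", "10.9.0.5", "query", True, True),
    Request("alice", "10.1.4.20", "10.9.0.5", "query", False, True),
    Request("bob",   "10.1.7.3",  "10.9.0.5", "query", True, True),
    Request("carol", "10.1.9.9",  "10.8.0.2", "read",  True, True),
    Request("carol", "10.1.9.9",  "10.9.0.5", "query", True, True),
]

def run_demo():
    """Evaluate the samples; return allow/deny outcomes and denials per source."""
    engine = PolicyEngine()
    outcomes = [engine.evaluate(r).allowed for r in SAMPLE_REQUESTS]
    return outcomes, engine.denied_by_source()

if __name__ == "__main__":
    outcomes, denied = run_demo()
    for req, ok in zip(SAMPLE_REQUESTS, outcomes):
        print(f"{req.user:6} {req.src_ip:>10} -> {req.dst_ip:<9} {req.action:6} {'ALLOW' if ok else 'DENY'}")
    print("denials per source:", denied)
```

Note that the source address plays no part in the decision: a request from the user LAN is treated exactly like one from the internet, which is the point of dropping the trusted/untrusted distinction. Only the role table grants anything, and the denial counts are what a NAV or SIM tool would surface from the same log at scale.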

Going beyond the three essential concepts of zero-trust, the model suggests new network architecture designs that focus on data security from inception. Historically, networks have been built from the outside in – starting with the internet connection and moving inward. Security was bolted on, in layers, after initial design.

Today's networks, Kindervag argues, should be built from the inside out, starting with the system resources and data that need to be protected. “Security is so important that we need to invert the way we design networks so we can embed security into the very DNA of the network,” Kindervag says. “That's what zero-trust is all about.”

The model essentially describes how to break up aspects of a network into different enclaves and protect them, says Eddie Schwartz, CSO at network monitoring and analysis firm NetWitness. “Imagine islands of protection versus all-purpose layers that might fail in some way,” he says. Kindervag warns, though, that zero-trust is not about one particular solution, nor is it a one-time project.

In fact, the first and most important step of adopting the model is free: Security practitioners must stop using the word “trust” as it relates to networking and security. Rather, adopt a mindset that the concept of trust is inappropriate with respect to data security, and spread the message to teams throughout the organisation.

Gaining support

First introduced before a small audience at an IT forum last May, zero-trust resonated with people, Kindervag says. The model then gained increasing support once introduced to the masses in the September 2010 paper, “No More Chewy Centres”. One such supporter is FCC Group, a Spanish construction and infrastructure company. With 93,000 employees, a footprint in 54 countries and innumerable contractors with access to the company's networks, insider and third-party threats are a major concern, says Gianluca D'Antonio, the company's CISO.

“When I first heard about the zero-trust model, I realised that we had intuitively started adopting a similar approach,” says D'Antonio, who also is a member of Forrester's security and risk leadership board. “Zero-trust helped us plug the holes and complete the architecture around a true data-and-user-centric operation.”

The zero-trust network framework, in which security is embedded into the network – as opposed to added on after design – offers protection from threats and helps isolate and contain damage if an incident arises, D'Antonio says. Moreover, it offers the bonus of easier compliance with security regulations and standards.

Further, zero-trust can help organisations reduce their threat profile by providing a sense of where their most critical data is stored and how it is transacted, says Phil Agcaoili, CISO at Cox Communications, a broadband communications and entertainment company. Today, most organisations are dealing with network proliferation.

The zero-trust model provides tighter control over data and pinpoints where practitioners must pay attention, Agcaoili says. By using virtualisation technologies, for example, it is possible to create an environment where users can work with data, but never truly have access to it on their endpoint. The model expands on ideas that have been around for some time, but until now haven't been developed as part of a working system that scales and is adaptable to real-world situations, FCC Group's D'Antonio says.

The framework actually echoes ideas presented by a series of computer standards developed during the 1980s and 90s by the US Department of Defense. Named the “Rainbow Series,” the standards are designed to build trusted computer systems, says Ken Ammon, chief strategy officer at access control solutions provider Xceedium. The premise behind the now-defunct program was that trust should be built into systems, instead of granted to users. “Zero-trust is, like many things, a new spin on an old story,” Ammon says.

Adoption proceeds

Many forward-thinking organisations within the financial services, energy, high-tech and retail industries have, over the past several years, been instinctively adopting zero-trust properties, such as the pervasive capture and analysis of network traffic, says NetWitness' Schwartz.

Many are also beginning to rearchitect their enterprise networks to focus on protecting data. Agcaoili says members of his security team at Cox have been familiarising themselves with zero-trust and exploring the costs and benefits of implementing its ideas.

He knows of several other well-known organisations that have already adopted the model. “They created zoned environments for the most critical data and provided remote access capability through virtualised desktops,” he says. The FCC Group has already implemented some zero-trust aspects throughout the organisation, focusing on efforts to gain greater control over insiders and contractors, as well as to ensure all resources are accessed securely, D'Antonio says.

The company's security team has already deployed infrastructure monitoring solutions and a data leakage prevention program and is now concentrating on using NAV tools to increase network visibility. Transitioning the entire network to align with zero-trust designs is a long-term goal. “What makes this model outstanding is the ability to adapt to it and incorporate some bit of the model while the rest of your infrastructure still remains untouched,” D'Antonio says. “This way you can start the transition process at areas of high risk and still run your legacy systems and networks in the old fashion way.”

Drawbacks

While it has received a swath of support, even many proponents of zero-trust agree that the model requires holistic changes that will not come easily. For starters, changing the way people think about security is never an easy task, D'Antonio says. Members of IT departments are used to internal structures that are shaped toward their needs, not geared toward security. “Changing that culture and finding enough clout within the organisation is difficult,” he adds.

And while organisations can embrace portions of zero-trust right away, adopting the full model and replacing legacy infrastructures will take some time. For example, FCC Group has made large investments in its network architectural model and changing it will require funds from more than one department's budget, D'Antonio says.

To begin adopting zero-trust, security practitioners should become familiar with all the model's philosophies and architectural ideas, and then look for subnetworks or lab environments where they can start testing them, Kindervag says. Also, regular meetings with networking counterparts should occur to discuss plans and how they can be applied to the overall network architecture.

NetWitness' Schwartz recommends first applying zero-trust methodologies to the most critical aspects of the network, then drawing up a plan to transition the rest of the network over the next several years using a risk-based approach.

Key concepts

  • Ensure all resources are accessed securely.
  • Limit and enforce access control across the enterprise.
  • Log and inspect internal and external network traffic.
  • Redesign networks from the inside out.
  • Adopt a mindset that trust is inappropriate with respect to network security.
  • Spread the message across the organisation.
  • Set up meetings with counterparts in networking to discuss how zero-trust can benefit the organisation.
  • Look for subnetworks where the model can be tested.
  • Begin implementing zero-trust ideas, starting with the most critical parts of the network.
  • Ask vendors if and how they support zero-trust principles.
  • Create a plan to transition the entire network over the next two to three years.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
