Prepare for the Worst, Hope for the Best: Zero Trust Everything
With Zero Trust Network Access (ZTNA) being planned by 44% of IT professionals, SEC.OS, our community of CISOs, recently discussed ZTNA advantages and best practices with Paul Keely, Chief Cloud Officer at Open Systems. Paul’s a long-time Microsoft MVP, and author of the book “Microsoft Cloud Security for the C-Level”.
Paul brought the idea to the table that as the remote work environment evolves, there are people who work on “A network”, i.e. Remote Access as well as those who work on “THE network”, aka the traditional enterprise or corporate network. While we all might be moving towards Office 2.0, or completely remote work, many of the most damaging attacks today still happen on “THE network.”
People Are Smarter, But AI is Faster
Attackers can gain access and laterally infiltrate “THE network” in no time. Take, for example, the Maersk ransomware attack, where the “network was crippled within seven minutes, [and] most of the damage was done within an hour”. To be protected against such attacks, you need to identify that something sinister is happening before it spreads. After identifying the threat, you must immediately report it and block the affected network segment to keep it contained.
These attacks are exponential in nature and require an exponential counter-response. For faster identification and response time, Paul pointed out that the only future-proof approach now involves artificial intelligence (AI) – especially when applied as Network Anomaly Detection – as AI promises to provide an exponential rise in response and speed. This is now a focus for Microsoft, as well as partner service providers like Open Systems. The strategy with AI is not to simply report indicators of compromise (IoCs) or threat intelligence (TI) issues but to actively respond and use process automation to autonomously contain attacks – fast.
Miracles are Great, But They're So Unpredictable
Attacks are not a matter of only outsiders getting in. IT departments and users alike do their work based on the concept of implicit trust, within both “A” and “THE” network. Staff members are often granted too much access to resources and data that they don’t need while you rely on their judgment relative to what websites to visit or what email links to click. The pandemic made most users full-time remote workers, stretching networks and putting the company's security posture to the test. Today, many networks are even more vulnerable because the distributed workforce operates on unmanaged devices from anywhere.
As Peter Drucker put it: "Miracles are great, but they're so unpredictable." Your company's security can't depend on luck to spot threats – you need to have controls in place everywhere all the time to prevent external attackers and internal users from compromising your entire company network in a heartbeat.
Zero Trust Everything with a ZTNA Service
As applications ascend to the cloud and users move away from corporate offices, IT departments are finding access control management to be more and more complex. Traditional access control systems are kludgy, tricky, and error-prone – not designed to secure today's any-to-any workflows, and IAM doesn’t necessarily touch the network. Secure Access Service Edge (SASE) is really gathering momentum, with an overall approach to connect and secure remote users and their cloud applications. To that, ZTNA is adding a new security layer that extends SASE benefits to more users, located anywhere, using any device.
As the ZTNA mantra “never trust, always verify” goes, the technology starts from a “hide all, deny all” access posture: Where legacy VPNs extend the network to users, ZTNA hides it. Where applications are offered openly for access, ZTNA masks them entirely. Different ZTNA solutions might support network access, identity access, application access, data access, and more. All of this control is policy-driven: a large number of factors and contextual data let you group your users by the access they are granted (when, from where, to what). Salespeople, HR, finance, engineering, operations, and so on will have both shared and separate access policies, so you decide precisely how you want to protect your environment. And this granular control is not a one-off action – ZTNA continuously authenticates, authorizes, and assesses access.
As fantastic as it sounds, Paul relayed that this level of control includes a lot of initial configurations. The good news is you have partners out there who bring you expertise, know-how and ready-to-use libraries with existing policies you can leverage to define specific access. Working with a suitable partner will also help you avoid high DIY infrastructure and staffing costs.
However, there might be several considerations when evaluating a ZTNA partner:
- As ZTNA is a part of SASE, find a partner that gives you the SASE components with the option to add ZTNA on top.
- How deep is your potential partner’s expertise and integration with other security technologies, for example EDR (Endpoint Security), MDR (Security Operations support) and so on?
- Make sure you know exactly how much service really comes with the ZTNA solution. Look for:
  - A single interface to manage access control
  - Smart routing
  - NOC and SOC support staffed with L3 experts
So, is there one technology “to rule them all”? Hardly.
ZTNA is only one aspect of a complete security posture. But the connective tissue between your various security solutions – from connectivity with SASE to AI-supported threat detection with MDR – is stronger when they are deeply enmeshed, providing you transparency, improved reaction time and opportunities.
Paul’s Hot Tips
Quick steps you can take with a Microsoft environment to keep it secure.
- User Containment – Place users into groups and limit their access to only what they need and nothing more.
- Device Containment – Take advantage of APIs to block unauthorized or poorly secured devices from entering and probing your network for weaknesses.
- Data Containment – Leverage E5 data protection capabilities or block access and movement of sensitive data using CASB tools.
- Conditional Access – Limit the actions a user can perform based on the degree of authentication available at the time.
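The policy model described under “Zero Trust Everything” (deny by default, group-based grants, contextual checks re-run on every request) and the user, device and conditional-access containment tips above can be sketched as a small policy evaluator. This is an added example, not code from Open Systems or Microsoft; the request fields, rule shape and sample policies are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed access request: the contextual signals a ZTNA broker checks on
# every request, not only at login (field names are assumptions for this example).
@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    device_managed: bool
    mfa: bool
    country: str

# One grant: which group may reach which application, under which conditions.
@dataclass(frozen=True)
class Rule:
    group: str
    app: str
    require_managed_device: bool = False
    require_mfa: bool = False
    countries: frozenset = frozenset()  # empty means any country

def evaluate(rules, req):
    """Return (allowed, reason). Grants are additive; anything no rule allows is denied."""
    reasons = []
    for r in rules:
        if r.app != req.app or r.group not in req.groups:
            continue  # rule does not cover this user/app pair
        if r.require_managed_device and not req.device_managed:
            reasons.append(f"{r.group} rule: unmanaged device")
        elif r.require_mfa and not req.mfa:
            reasons.append(f"{r.group} rule: step-up MFA required")
        elif r.countries and req.country not in r.countries:
            reasons.append(f"{r.group} rule: country {req.country} not permitted")
        else:
            return True, f"{req.app}: allowed by {r.group} rule"
    if reasons:
        return False, f"{req.app}: denied ({'; '.join(reasons)})"
    return False, f"{req.app}: no policy grants access (default deny)"

# Constructed policies: finance reaches payroll only from a managed device with MFA
# and from two countries; all staff may use email from any device, anywhere.
RULES = (
    Rule("finance", "payroll", require_managed_device=True, require_mfa=True,
         countries=frozenset({"CH", "DE"})),
    Rule("staff", "email"),
)

if __name__ == "__main__":
    alice = Request("alice", frozenset({"staff", "finance"}), "payroll", True, True, "CH")
    print(evaluate(RULES, alice))  # allowed; re-run with device_managed=False and it is denied
```

Because `evaluate` is called per request rather than once per session, a change in device posture or authentication strength mid-session flips the decision, which is the continuous assessment the article describes.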