In a changing networking environment, (zero) trust is key

In response to the COVID-19 pandemic, many organisations are rushing to deploy remote workforces.  While necessary, this poses a range of new cybersecurity risks as businesses drastically expand their attack surface.

Most business networks are built on the foundation of a traditional network perimeter.  They block external access and open specific pinholes where necessary, but trust anything internal.  Once credentials are validated, they are more or less provided with unrestricted access to IT resources.

In a rapid network expansion, this approach is problematic.  How can you be sure that connected users and devices are trustworthy?  As businesses respond to unprecedented demand in remote working, it is more important than ever they deploy a ‘Zero Trust’ network architecture. 

The trouble with trust

As a business, you open your doors (or your network) to an array of people.  You are proud of your products and services and want to show them off and make them easily accessible to those who need them – and rightly so.  This helps build brand awareness and confidence in your infrastructure and capabilities, driving sales and service adoption.  But while an open and trusting nature is beneficial for your business, it also brings significant risk from a security perspective.

The traditional network perimeter – where networks block external access by default, open specific pinholes for authorised access and apply trust to anything internal – essentially provides unrestricted access to IT resources once credentials are validated.

The risks in being open for business

The fundamental flaw with this approach is certainty – how can you be sure that connected users and devices are trustworthy?  Under the current circumstances, most – if not all – employees will be connecting to the organisation from their “home office”, while deploying a range of remote collaboration and communication tools, often independently of their organisation’s IT department.  These are not subject to the same due diligence and testing that would normally be undertaken and security remains outside of the organisation’s control. 

Consider if a rogue visitor located and connected to a network point in an employee’s “home office”, or discovered their WiFi password, could they obtain full corporate network access?  Would you be aware this occurred?  What if they left this device connected for monitoring, remote access or data exfiltration purposes? 

Sectors such as retail, high-street banking, healthcare and housing are some of the most vulnerable – with public access a core requirement for service availability or business success – but with the explosion in remote working in recent months, this is becoming a very real risk for businesses across all industries.

A rise in phishing attacks

One of the most compelling risks in this situation is the drastic rise in phishing attacks.  A recent joint advisory from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned of a huge rise in COVID-19 related cyber attacks, many of which came in the form of phishing scams.  Indeed, in the UK, the NCSC detected more UK government branded scams relating to COVID-19 than any other subject. 

Malicious actors often launch targeted phishing and social engineering attacks against company employees and this risk is significantly increased with employees working remotely.  In addition to emails purporting to offer government advice, all it takes is for one employee waiting for a Zoom initiation from the HR department to fall victim to a scam email and internal IT resources may become accessible to the perpetrators.  This leads to systems being accessed by unauthorised people, often using valid credentials and by legitimate means.

The solution – Zero Trust

As the attack surface for organisations deploying completely remote workforces increases – often for the first time and in a rushed way – deploying Zero Trust network architectures will minimise these risks and provide a dramatically more secure network. 

Originally created in 2010 by John Kindervag, then a principal analyst at Forrester Research, the Zero Trust concept states that – from a security perspective – an organisation should not automatically trust any user, device or credential, whether that is inside or outside the network perimeter.  Instead, the organisation should verify anything trying to connect to the network, and continue to verify inside the network.

Zero Trust uses four key principles: verify, segment, enforce and monitor.  In practice, this means:

1. Verify

When devices are connected, they should be placed in an isolated network with no access to any IT resources.  They should be held in this network until they have been profiled and validated.  This could incorporate checks for authorised operating systems, up-to-date anti-virus or corporate domain membership.  You should also authenticate the user on any devices to ensure they are in the right hands, implementing multi-factor authentication wherever possible.

2. Segment

Once devices are verified, they should be placed in the relevant network with appropriate segmentation.  Depending on users and devices, this could be based on organisational departments, user access requirements or device types.  You can also employ micro-segmentation or nano-segmentation for added security.  This allows you to restrict up to the level that devices are entirely isolated on a local network, only accessing outbound to strictly required applications or IT resources.

3. Enforce

Once devices are in the appropriate network, they should only have the minimum required outbound network access.  This should be enforced by internal Next Generation Firewalls (NGFW).  Enhanced security controls should also be applied, such as Intrusion Prevention and Detection (IPS/IDS) or network anti-virus, to prevent lateral attacks originating from compromised devices or malicious internal users.

4. Monitor

Continuous monitoring and profiling of devices should be implemented to detect changes to any users or devices once they have network access.  Devices can be crafted to appear legitimate until they have obtained access and can be compromised at any time.  User behaviour can also change based on emotional state and external influences.  Network access should therefore be removed if any suspect changes are detected.  Monitoring of log data is critical in this respect, so it is also vital to use a Security Incident and Event Management (SIEM) system for centralised correlation and analysis.  This enables faster detection and response if an incident does occur.

Reconsider your networking approach

Many businesses are too trusting when it comes to IT access, and in being so are low hanging fruit for potential attackers.  Being open for business is important, but this should not come at the cost of weak IT security controls.  Your network does not need to leave your business vulnerable.

By combining comprehensive Network Access Control (NAC), centralised authentication, internal segmentation firewalls (ISFW), User and Entity Behaviour Analytics (UEBA) and SIEM solutions, your organisation can still support a remote workforce while benefiting from a secure zero trust network architecture. 

Print Friendly, PDF & Email

Glenn is an experienced network architect and technology leader, specialising in networking, cloud, security and automation. He is an expert in emerging trends and the development of innovative and bespoke solutions. His knowledge and skill set have made him the lead on a wealth of complex and high-profile projects.

Leave a Reply

Your email address will not be published. Required fields are marked *