Who Can You Trust? Enterprise Security and Zero-Trust Approaches
CIOs cite unauthorized network access as top concern.
In June, the Wall Street Journal asked Chief Information Officers (CIOs) across the globe what kept them up at night. All voiced concerns that the coronavirus has changed how we work, shop, and play, and consequently unveiled new network vulnerabilities. In an earlier blog post, we explored two of their top worries, along with strategies and solutions to ease their minds. Here, we look at another key concern – an ever-expanding “attack surface” – and provide insights into what CIOs should consider.
In the WSJ, Jim Routh, head of enterprise information risk management at Massachusetts Mutual Life Insurance Co., described the issue well when he said, “My top concern is reduction of the attack surface for the enterprise—the combined points where an unauthorized user can try to enter or extract data from a company.” This attack surface, which he noted enterprises strive to keep as small as possible through basic security protocols, increases when more employees are working from home.
But risk isn’t just a function of the number of users on the network. The Internet of Things (IoT) compounds the challenge. IoT includes all the smart devices or machines on a network, like thermostats, heat pumps, refrigerators, flood sensors, security cameras, healthcare equipment, wearables, emergency monitoring, and management tools, and so much more. Collectively, these users and IoT devices vastly increase the endpoints that add to this ever-expanding “attack surface.”
Enterprises must also factor in the risks associated with the shift to a cloud environment, largely driven by Software as a Service (SaaS). Because SaaS gives customers access to their enterprise applications over the Internet, it greatly simplifies user access to enterprise resources and applications. Also, rather than having software hosted at a data center and installed across network devices, applications can be built, maintained, and updated more easily via the cloud. While SaaS provides flexibility and many other advantages, it increases the network attack surface, since provider locations are not under enterprise control and are often widely distributed. That makes it difficult for existing or legacy network protections to provide adequate security coverage.
Creating a Circle of Trust
So, what’s an enterprise to do? Jeff Bradbury, senior marketing director at Hughes North America, said one approach is to create trust levels within the security environment. By understanding how attack surfaces keep growing, and which users need access to which resources and tools, organizations can deploy protections based on the sensitivity of the data and the users who need access to it. More sensitive resources and data are more highly protected, with fewer users and systems given access to them, while less sensitive items can use more standard protections and be opened to more users and systems. By limiting the “attack vectors” into the protected enclaves and monitoring user access to those areas, IT security teams reduce the pathways for unauthorized access to their computer devices or networks, and limit a potential attacker’s ability to exploit system vulnerabilities. Deploying protection processes in this way creates a layered approach to security, with the last layer at the heart of the enterprise system having the greatest level of protection.
One example is using an identity-based approach for system access that can be set by type of device, including IoT and mobile devices. This includes being able to limit access to only approved devices and setting roles for “non-human” users, for those networks involving machine-to-machine connectivity requiring little to no human input.
“Endpoints that interact with various network resources and SaaS applications are authenticated and secured within the context of that access or communication request, typically a user ID and password or some system-generated access code,” he explained. One challenge with this traditional approach is that once the endpoint is authenticated, full access is allowed until that endpoint ends the authenticated session, opening a potential threat vector. These requests can be further validated and secured based on other parameters, such as enterprise policies for governance, geo location, and time of day. A similar approach that goes a step further is the “zero trust” model, which verifies every access request before permission is granted, no matter where that request comes from.
These approaches differ from the more typical process in which any authenticated device “inside” the network is deemed to be a trusted device. With today’s remote workforce, where few people are working “inside” the network, identity-based or zero trust models are a more effective option for safeguarding the network.
Expanding Your Circle of Trust
Mr. Bradbury noted that one rarely discussed risk to network security is the issue of partner and third-party system access. “Many enterprises allow system access to their business providers and teaming partners, without realizing that this too expands the attack surface and makes their network system more vulnerable. If you provide unfettered access to your network, you are trusting that their network is as secure as yours is.”
That’s a big leap of faith. Yet Mr. Bradbury finds enterprises provide access to all sorts of people and businesses, without confirming that those entities are keeping security patches and configurations updated.
“Some of the biggest cyber hacks have occurred from third-party cloud services platforms that didn’t properly install a patch, enabling hackers to get inside the data system or loyalty program to steal customer information,” he said.
Mr. Bradbury’s advice is to ask yourself, “Do all these partners need to be in my circle of trust?” If they do, decide whether they need full access to the entire network or whether you can provide them with isolated access to certain subsystems. Another option is to provide time-based access, giving them the ability to use network resources at certain times of the month or quarter, then closing their access down at other times. As new partners and technologies are added to the trusted environment, consider how you will grant access and tightly manage risk levels.
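The per-request verification described earlier (approved device, device type, role, geo location, time of day) and the subsystem-scoped, time-based partner access described here can be combined into one policy decision function that is evaluated on every request. This is an added example, not code from Hughes or the original post; every resource name, role, device ID and access window in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy data: every name, role and window here is hypothetical.
RESOURCES = {
    "hr-payroll": {"roles": {"hr"}, "devices": {"managed-laptop"},
                   "countries": {"US"}, "hours": range(7, 19)},
    "hvac-telemetry": {"roles": {"facilities", "sensor"},
                       "devices": {"managed-laptop", "iot-thermostat"},
                       "countries": {"US", "CA"}, "hours": range(0, 24)},
    "billing-export": {"roles": {"finance", "partner-audit"},
                       "devices": {"managed-laptop", "partner-gateway"},
                       "countries": {"US"}, "hours": range(8, 18)},
}
# Partner roles are limited to named subsystems and to days of the month.
PARTNER_WINDOWS = {"partner-audit": {"resources": {"billing-export"},
                                     "days": range(1, 6)}}
APPROVED_DEVICES = {"LT-0042": "managed-laptop", "TH-0007": "iot-thermostat",
                    "GW-ACME": "partner-gateway"}

@dataclass(frozen=True)
class Request:
    role: str
    device_id: str
    country: str
    when: datetime
    resource: str

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request in full; no earlier decision is reused."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, "unknown resource"
    dev_type = APPROVED_DEVICES.get(req.device_id)  # None if not approved
    partner = PARTNER_WINDOWS.get(req.role)
    checks = [
        (dev_type is not None, "device not approved"),
        (dev_type in res["devices"], "device type not allowed for resource"),
        (req.role in res["roles"], "role not allowed for resource"),
        (req.country in res["countries"], "geo-location outside policy"),
        (req.when.hour in res["hours"], "outside permitted hours"),
        (partner is None or req.resource in partner["resources"],
         "partner not scoped to this subsystem"),
        (partner is None or req.when.day in partner["days"],
         "partner access window closed"),
    ]
    return next(((False, why) for ok, why in checks if not ok), (True, "allow"))
```

Because `decide` holds no session state, the same user on the same device can be allowed at 10:00 and denied at 20:00, which is the difference from the authenticate-once model the article describes.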
Given that attack surfaces will only continue to expand, it’s reassuring to know these strategies are well-suited for a dynamic network environment and can help you decide who to trust – regardless of what may change.