Five key steps to a zero trust network infrastructure
In the world of cybersecurity, the Zero Trust concept, where devices are never trusted by default and always verified, is not new. However, Zero Trust is more relevant than ever for organisations in Australia as the evolving digital landscape creates an environment for increasing cyber threats.
The Zero Trust approach requires devices to be verified even if they have previously been granted permission on a network. We now connect more devices using the Internet of Things (IoT) than ever before in both personal and professional settings. Generally, IoT equipment is designed to provide a single service in a very efficient manner — which, unfortunately, means security is not always a priority. This lack of built-in security makes the devices vulnerable to attacks, creating a potential route into the entire organisation's network.
According to a recent study, while more than 80% of Australian organisations recognise that Zero Trust needs an increased focus, most companies are still prioritising users (54%) rather than devices (24%) or the network (17%) when implementing Zero Trust security. With supply chain attacks on the rise, businesses and organisations will have to do better as they continue their digital transformation journeys. They will need to prioritise cybersecurity in their network infrastructure strategies as connected devices and IoT play increasingly significant roles in their overall technology stack.
Zero Trust – the basics
Network segmentation is a key Zero Trust principle. By separating network elements, the attack surface for a compromised device can be reduced, lateral movements on the network can be limited, and other connected systems can be spared.
Historically, organisations have been protected by the perimeter firewall, together with physical access such as building security, so the boundary of trust was closely aligned physically and implicitly. What was inside was protected from the outside. However, with the rapid adoption of IoT technology, the integrated supply chain, shared sourcing models and work-from-anywhere, the boundary of trust is increasingly fractured. With ever-greater cyber risks on the horizon, this approach needs to evolve.
In the case of the Zero Trust concept, trust is dynamic and no longer assumed — even within the network. Instead, the structure assumes there are already attackers present in the system. The first step is network access control (NAC) — identifying objects and authenticating connected users. The first level of macro-segmentation is set up based on these factors and filters traffic using a firewall between different classes of objects and users. For example, you could isolate surveillance cameras and building management sensors.
From there, the second level of filtering is within a segment and is based on identification. This second step makes it possible to refine and achieve micro-segmentation, such as preventing surveillance cameras from communicating with each other within the same network segment and only allowing traffic to the network video recorder (NVR).
The benefits of Zero Trust
With an intelligent mix of micro and macro-segmentation, the Zero Trust approach builds a restricted and mobile security perimeter around each user and object. An organisation can then manage the NAC, define different authorisations and secure and contain threats through a strong security policy. It is also essential that organisations assume systems have been breached, monitor for incursions and have effective response strategies — an approach promoted within the Australian Cyber Security Principles.
Cyberattacks are now inevitable, with organisations facing potentially substantial reputational and financial damages. Recent high-profile data breaches in Australia, including the Optus and Medibank breaches, have exposed millions of customer records, including personally identifiable information (PII) and sensitive personal health data. Both companies are now facing class action lawsuits and have publicly quoted exposure costs of AUD $140M and $45M, respectively. By requiring identification and authentication of each device and user before allowing network access, network segmentation greatly restricts the range and spread of an attack.
Five Steps to Zero Trust
Building a Zero Trust network from scratch is not too complex. However, because most organisations already have existing infrastructure, the challenge becomes ensuring a harmonious approach and effective integration between brownfield and greenfield networks and security elements to meet the organisation's needs while securing it from attacks.
Following is a five-step approach to adopting a Zero Trust approach to network security:
1. Monitor: Identify all equipment, peripherals and connected devices (from the tablet to the Wi-Fi vacuum cleaner) and authenticate all employees that have access to the network. An object inventory is created and populated automatically.
2. Validate: Review all connected devices and assess what access is currently granted versus what is actually required. Apply the principle of least privilege: grant only the minimum permissions required to perform a task. If the existing network shows non-compliant equipment, implement a restoration or remediation plan.
3. Plan: Based on the knowledge of devices, workflow and traffic generated, transform this data into a security policy that intelligently combines macro-segmentation (input/output control) and micro-segmentation (fine-grained security rules).
4. Simulate: Apply identification, authentication and the security policy in parallel, in "fail open" mode: all equipment is authorised, and network behaviour is logged and indexed to set up authorisation schemes and an adapted network security policy. This critical step refines the security policy while ensuring normal activity is not impacted.
5. Enforce: In this final step, "fail open" becomes "fail closed": authentication failures are not tolerated; all unreferenced users or devices are refused, and all illegitimate flows are stopped. Network monitoring is continual to verify that all devices are identified. Users must authenticate before they are authorised on the network, or are quarantined while security checks take place.
Humans are often the weakest link in organisational cybersecurity, and according to Forrester, the APAC region remains the most frequently targeted region globally. So, the imperative to continually verify, enforce, and, more importantly, detect breaches and respond to them swiftly is more critical than ever.
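The macro/micro-segmentation split described under "Zero Trust – the basics" and the fail-open-then-fail-closed progression of steps 1 to 5 can be expressed as a small policy engine. The following is an added example written for this article, not code from the article's author or any vendor product; the device inventory, the class-to-class allow-list, the intra-class deny set and the captured flow log are all constructed and hypothetical. It shows the same flow log evaluated twice: first in fail-open mode, where every flow passes but each verdict is recorded so the policy can be refined, then in fail-closed mode, where camera-to-camera traffic is blocked, a sensor reaching an HR server is denied by the macro rules, and a device absent from the inventory is quarantined.

```python
"""Segmentation policy engine for the five steps: inventory (Monitor),
macro and micro rules (Plan), fail-open logging (Simulate) and fail-closed
enforcement (Enforce).  Constructed example; no real device or policy data."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    FAIL_OPEN = "fail_open"      # step 4: log every verdict, block nothing
    FAIL_CLOSED = "fail_closed"  # step 5: verdicts take effect


# Step 1 (Monitor): constructed inventory, device id -> device class.
INVENTORY = {
    "cam-01": "camera",
    "cam-02": "camera",
    "nvr-01": "nvr",
    "sensor-07": "bms_sensor",
    "bms-head": "bms_controller",
    "laptop-42": "workstation",
    "srv-hr": "server",
}

# Step 3 (Plan), macro-segmentation: hypothetical allow-list of class -> class
# flows.  Anything not listed is denied at the class boundary.
MACRO_ALLOW = {
    ("camera", "nvr"),
    ("bms_sensor", "bms_controller"),
    ("workstation", "server"),
}

# Step 3 (Plan), micro-segmentation: classes whose members may not talk to
# each other even though they sit in the same segment (cameras -> NVR only).
MICRO_INTRA_DENY = {"camera", "bms_sensor"}


@dataclass(frozen=True)
class Decision:
    src: str
    dst: str
    verdict: str   # "allow", "deny" or "quarantine"
    reason: str
    mode: Mode

    @property
    def passes(self) -> bool:
        """Whether the flow actually transits: in fail-open everything does."""
        return self.mode is Mode.FAIL_OPEN or self.verdict == "allow"


def evaluate(src: str, dst: str, inventory: dict, mode: Mode) -> Decision:
    """Apply the policy to one flow.  Order matters: unreferenced devices are
    caught first, then intra-class (micro) rules, then class-to-class (macro)."""
    s, d = inventory.get(src), inventory.get(dst)
    if s is None or d is None:
        return Decision(src, dst, "quarantine", "unreferenced device", mode)
    if s == d and s in MICRO_INTRA_DENY:
        return Decision(src, dst, "deny", f"micro: {s} may not talk to {s}", mode)
    if (s, d) in MACRO_ALLOW:
        return Decision(src, dst, "allow", f"macro: {s} -> {d} permitted", mode)
    return Decision(src, dst, "deny", f"macro: {s} -> {d} not in allow-list", mode)


def run(flows, inventory: dict, mode: Mode) -> list:
    """Evaluate a captured flow log (list of (src, dst) pairs) under one mode."""
    return [evaluate(src, dst, inventory, mode) for src, dst in flows]


def summarise(decisions) -> Counter:
    """Step 4 output: counts of what the policy would do, reviewed before
    switching to fail-closed so legitimate traffic is not cut off."""
    return Counter(d.verdict for d in decisions)


def passed(decisions) -> list:
    """Flows that actually transit under the decisions' mode."""
    return [(d.src, d.dst) for d in decisions if d.passes]


# Constructed flow log captured during the simulation window (step 4).
FLOWS = [
    ("cam-01", "nvr-01"),       # camera to recorder: legitimate
    ("cam-01", "cam-02"),       # camera to camera: micro rule denies
    ("sensor-07", "bms-head"),  # sensor to its controller: legitimate
    ("sensor-07", "srv-hr"),    # sensor reaching HR server: macro rule denies
    ("laptop-42", "srv-hr"),    # workstation to server: legitimate
    ("rogue-99", "srv-hr"),     # not in the inventory: quarantined
]

if __name__ == "__main__":
    for mode in Mode:
        decisions = run(FLOWS, INVENTORY, mode)
        print(f"== {mode.value}: {len(passed(decisions))}/{len(FLOWS)} flows pass")
        for d in decisions:
            print(f"  {d.src:>10} -> {d.dst:<10} {d.verdict:<10} {d.reason}")
```

The ordering inside `evaluate` is the point worth noticing: an unreferenced device is quarantined before any segmentation rule is consulted, and the micro rule is checked before the macro allow-list so that a permitted class pair (camera to NVR) cannot accidentally open camera-to-camera traffic. Running the same flow log in both modes is what step 4 buys you: the `summarise` counts show exactly which flows would stop passing once step 5 flips the switch.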
Zero Trust is both an authentication strategy and a consistent security policy across the network infrastructure, implemented in line with the needs of users and connected technologies. In an increasingly complex and connected world, the Zero Trust approach is the most likely strategy to safeguard your network and protect your business users and assets.