Story image

Organisations need to adopt a zero-trust approach

By Shannon Williams, Tue 19 Jan 2016
FYI, this story is more than a year old

Organisations need to change their attitudes when it comes to network security, and must acquire a zero trust approach to prevent disruption inside corporate networks.

That’s according to UXC Saltbush, who says new innovations are creating more opportunities for cyber criminals to get inside an organisation’s network.

“Managing information security for corporate networks has always been difficult,” says Clem Colman, principal consultant at UXC Saltbush.

“However, the ability to meaningfully inspect traffic coming in and out of the network isn’t keeping up with the threats. Innovations including web, digital, and cloud have accelerated the problem, giving cyber criminals new opportunities to attack,” he says.

“The other problem is that users no longer want to live inside the corporate network (the fortress, if you will); they want to access enterprise information and systems from wherever they are using whatever device they have on hand,” Colman explains.

“Also, the assets organisations are charged with protecting are also rapidly decamping beyond the castle gates into the cloud,” he says. “The battleground has moved and the challenge now is making sure organisations have the right capabilities in the right places for the next round.”

This challenge to deliver services securely anywhere and anytime means organisations need to decouple network security from network topology,” says Colman.

“In other words, the ability to protect assets, information, and users can no longer be contingent on them living inside the fortress; the protection needs to go with them to wherever they want to be or where market forces increasingly dictate they need to be.”

According to Colman, the first part of addressing this change is to avoid thinking of networks as being divided into trusted, untrusted, and semi-trusted.

“While such terminology isn’t entirely without value, those labels can lead to dangerous assumptions,” he says.

“For example, when a system in the trusted part of the network is compromised it can potentially leverage this trust to attack its neighbours. What’s more, it can usually do so without fear of being detected by the corporate defences, because they’re mostly focused on the boundary between trusted and untrusted parts of the network,” Colman explains.

“A conceptual model to help organisations understand how to address this challenge is the Zero Trust Network,” he says.

The premise of Zero Trust is that trust shouldn’t be assumed between network actors regardless of location. It follows that protection should be applied to the smallest indivisible network actors such as laptops, smartphones, servers, desktops, and storage.

“Zero Trust gives organisations a model for addressing the existing security challenges within the fortress: you can’t trust your neighbours just because they live in the trusted zone of the network,” Colman explains.  

“Zero Trust also gives us a model for dealing with users and systems that live outside the fortress because its fundamental principle has universal applicability: every network participant needs to protect itself,” he says.

According to Colman, pressure from cloud, mobile workforces, and the changing nature of corporate networks is going to disrupt much of the existing, fortress-based approach to information security.

But the reality is, those defences have been crumbling for years, he says.

“Many IT security experts are responding by either trying to extend the fortress, or build more fortresses, and that strategy will remain valid in certain situations,” Colman explains.

“But Zero Trust offers organisations a model for consideration that treats the shortcomings of current security models and, equally importantly, positions them to support the likely future state of corporate networks.”

Recent stories
More stories