Story image

Organisations need to adopt a zero-trust approach

19 Jan 16

Organisations need to change their attitudes when it comes to network security, and must acquire a zero trust approach to prevent disruption inside corporate networks.

That’s according to UXC Saltbush, who says new innovations are creating more opportunities for cyber criminals to get inside an organisation’s network.

“Managing information security for corporate networks has always been difficult,” says Clem Colman, principal consultant at UXC Saltbush.

“However, the ability to meaningfully inspect traffic coming in and out of the network isn’t keeping up with the threats. Innovations including web, digital, and cloud have accelerated the problem, giving cyber criminals new opportunities to attack,” he says.

“The other problem is that users no longer want to live inside the corporate network (the fortress, if you will); they want to access enterprise information and systems from wherever they are using whatever device they have on hand,” Colman explains.

“Also, the assets organisations are charged with protecting are also rapidly decamping beyond the castle gates into the cloud,” he says. “The battleground has moved and the challenge now is making sure organisations have the right capabilities in the right places for the next round.”

This challenge to deliver services securely anywhere and anytime means organisations need to decouple network security from network topology,” says Colman.

“In other words, the ability to protect assets, information, and users can no longer be contingent on them living inside the fortress; the protection needs to go with them to wherever they want to be or where market forces increasingly dictate they need to be.”

According to Colman, the first part of addressing this change is to avoid thinking of networks as being divided into trusted, untrusted, and semi-trusted.

“While such terminology isn’t entirely without value, those labels can lead to dangerous assumptions,” he says.

“For example, when a system in the trusted part of the network is compromised it can potentially leverage this trust to attack its neighbours. What’s more, it can usually do so without fear of being detected by the corporate defences, because they’re mostly focused on the boundary between trusted and untrusted parts of the network,” Colman explains.

“A conceptual model to help organisations understand how to address this challenge is the Zero Trust Network,” he says.

The premise of Zero Trust is that trust shouldn’t be assumed between network actors regardless of location. It follows that protection should be applied to the smallest indivisible network actors such as laptops, smartphones, servers, desktops, and storage.

“Zero Trust gives organisations a model for addressing the existing security challenges within the fortress: you can’t trust your neighbours just because they live in the trusted zone of the network,” Colman explains.  

“Zero Trust also gives us a model for dealing with users and systems that live outside the fortress because its fundamental principle has universal applicability: every network participant needs to protect itself,” he says.

According to Colman, pressure from cloud, mobile workforces, and the changing nature of corporate networks is going to disrupt much of the existing, fortress-based approach to information security.

But the reality is, those defences have been crumbling for years, he says.

“Many IT security experts are responding by either trying to extend the fortress, or build more fortresses, and that strategy will remain valid in certain situations,” Colman explains.

“But Zero Trust offers organisations a model for consideration that treats the shortcomings of current security models and, equally importantly, positions them to support the likely future state of corporate networks.”

WatchGuard’s eight (terrifying) 2019 security predictions
The next evolution of ransomware, escalating nation-state attacks, biometric hacking, Wi-Fi protocol security, and Die Hard fiction becomes reality.
Why the adoption of SAP is growing among SMEs
Small and medium scale enterprises are emerging as lucrative end users for SAP.
Exclusive: How the separation of Amazon and AWS could affect the cloud market
"Amazon Web Services is one of the rare companies that can be a market leader but remain ruthlessly innovative and agile."
HPE extends cloud-based AI tool InfoSight to servers
HPE asserts it is a big deal as the system can drive down operating costs, plug disruptive performance gaps, and free up time to allow IT staff to innovate.
Digital Realty opens new AU data centre – and announces another one
On the day that Digital Realty cut the ribbon for its new Sydney data centre, it revealed that it will soon begin developing another one.
A roadmap to AI project success
Five keys preparation tasks, and eight implementation elements to keep in mind when developing and implementing an AI service.
The future of privacy: What comes after VPNs?
"75% of VPN users said they are seeking a better solution for cloud networks."
'Public cloud is not a panacea' - 91% of IT leaders want hybrid
Nutanix research suggests cloud interoperability and app mobility outrank cost and security for primary hybrid cloud benefits.