Businesses today rely heavily on greater connectedness to grow their customer base and expand their market share. To achieve this, enterprise networks should be capable of connecting with customers, partners, stakeholders, vendors, and third-party distributors across geographies via a variety of devices. This poses a serious security risk since it’s impossible to determine the intent of every single endpoint, machine, and application that is connecting to the network.
To counter this challenge, businesses are beginning to consider a ‘zero trust’ approach – trust no connection unless it has been explicitly allowed. The zero-trust security concept paves the way to proactively secure workloads, application environments, users and endpoints against internal and external threat actors. Though this is a fairly new concept for businesses that have relied mostly on perimeter security solutions, the dynamic landscape in which they operate today has many strong drivers for zero trust security adoption.
Move to the Cloud
Applications are moving out of ‘secure’ private data centres and on to the cloud, and the pace at which they are moving out is very rapid. According to the RightScale State of the Cloud Survey 2017, a whopping 79% of company workload is run on the cloud, with 41% on public cloud and 38% on private cloud.
What does this mean for security? For starters, 41% of the workload is already outside the company’s secure perimeter. This means that apps, data, users, and devices are moving out of the enterprise’s fortifications, and securing them needs a new security paradigm. The old concept of trusting everything inside the perimeter, even assuming it was ever secure, suddenly becomes inapplicable because large portions of enterprise resources now reside outside the fortifications.
Here is where Zero Trust comes in. The rate at which resources are moving out to the cloud is one of the largest business drivers of zero trust.
Digital Transformation: Another Prime Mover of Zero Trust
The digitization of all aspects of business is gathering pace. Everything from customer management to inventory management is going digital. IDC estimates that by the end of 2018, spending on Digital Transformation will hit 1.2 Trillion USD. With that sort of investment, the pace of transformation will be very rapid, and that in turn will put stress on the digital infrastructure, including the processes and systems which secure it. With a larger and more exposed infrastructure, the attack surface will grow exponentially too. Securing this infrastructure will tax the ingenuity of security professionals and calls for a completely different approach to security – enter Zero-Trust!
Diminishing Perimeter Security
As mentioned earlier, the perimeter is of limited efficacy when nearly half of the workload (and increasing) is residing outside it. Not only do critical assets like data and devices now reside outside the fortified perimeter, but workers are increasingly accessing these resources from outside the perimeter. A study by IWG revealed that 70% of the workforce globally access company resources from outside the perimeter at least once a week.
While this does not mean that the perimeter is dead, perimeter-based defences certainly are inadequate in the scary new world. Securing the network infrastructure via ports and protocols and imposing a level of trust on the network no longer works. Security should move up to the application layer. As digital transformation gathers pace, companies are increasing their digital interactions with their partners, vendors, suppliers, and subsidiaries, further loosening the tight perimeter control that existed before. This further increases the attack surface.
Increasing Sophistication of Attacks
Coupled with the weakening of the perimeter and a huge increase in the attack surface, there is another serious threat that is a business driver for Zero Trust: an increasingly sophisticated malware ecosystem. Malware is now being delivered via the network in addition to the traditional vehicles of drive-by, email-borne, and media-borne malware. WannaCry and NotPetya, for instance, were self-propagating, and all they needed was an unpatched computer. The scale and sophistication of these attacks mean that they can persist for several years.
The worming ability of this self-propagating malware, along with its long persistence cycle on organization computers, calls for a granular level of segmentation to contain it.
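As an added illustration (not part of the original article), the following Python simulates the default-deny, explicit-allow posture described above: a constructed inventory of workloads, a role-based allow list, and a breadth-first reachability walk that compares how far a worm spreading over a single service port could travel on a flat, perimeter-trusted network versus under micro-segmentation. All workload names, roles and ports are constructed for the example.

```python
from collections import deque

# Constructed inventory: workload name -> role. Not taken from any real environment.
WORKLOADS = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db", "hr-laptop": "endpoint", "build-1": "ci",
}

# Explicit allow list as (source role, destination role, port). Anything not
# listed is denied: "trust no connection unless it has been explicitly allowed".
ALLOW_RULES = {
    ("endpoint", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
}

def flat_network_allowed(src, dst, port):
    """Perimeter-only model: everything inside the perimeter is trusted."""
    return src != dst

def segmented_allowed(src, dst, port):
    """Micro-segmentation model: default deny, permit only on an explicit rule."""
    if src == dst:
        return False
    return (WORKLOADS[src], WORKLOADS[dst], port) in ALLOW_RULES

def blast_radius(start, allowed, ports):
    """Breadth-first walk: the set of workloads a worm on `start` could reach if
    every host it can connect to on one of `ports` runs an unpatched service."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and any(allowed(cur, nxt, p) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

# Constructed: a worm that spreads over a single file-sharing port, and a
# second case where every explicitly allowed application port is exploitable.
WORM_PORTS = (445,)
APP_PORTS = (443, 8443, 5432)

if __name__ == "__main__":
    for label, allowed in (("flat network", flat_network_allowed),
                           ("micro-segmented", segmented_allowed)):
        print(f"{label}: worm on 445 reaches {sorted(blast_radius('hr-laptop', allowed, WORM_PORTS))}")
        print(f"{label}: all app ports reach {sorted(blast_radius('hr-laptop', allowed, APP_PORTS))}")
```

The second case shows that explicit allows still form a transitive path (endpoint to web to app to db), which is why the article goes on to call for segmentation down to machine and process level rather than role-level rules alone.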
Malware has evolved to evade sandboxes, exhibiting benign behaviour inside them through a variety of evasion techniques. For example, there is ‘split’ malware, with each individual executable behaving normally when tested on its own, but turning malicious when the pieces are combined. Another example is ‘document_close’ triggered macros, which evade sandboxes because sandboxes seldom test what happens when a document is closed, and this variety of malware uses the document_close event to trigger itself.
Malware is increasingly using encrypted, legitimate channels such as Dropbox for command and control (C&C), and this greatly hampers security professionals’ ability to detect and neutralize its C&C systems.
The use of cryptography in C&C calls for a high level of visibility, analytics, artificial intelligence and machine learning to detect malware communications. Micro-segmentation down to machine level and even process level may be required to assure a level of safety. This calls for a holistic security solution encompassing user access control, device control, highly granular segmentation, deep visibility and analytics, and in critical cases, even process lockdown, if true zero trust security is to be achieved.
Arif Shouqi is the Vice President of Engineering at ColorTokens Inc, where he is responsible for driving innovation and product excellence. He is an engineering leader with over 29 years of deep experience in setting up and leading large engineering organizations. After 12 years of distinguished service in various arms of the Indian Air Force, he took on senior leadership roles with network security pioneers like Cisco, Ericsson, and Akamai Technologies. He uses his vast domain expertise to write on security, cloud, and networking technologies.