SecurityWeek

Network Security

The Need for Resilient Zero Trust

Making Zero Trust resilient

It is essential to ensure that any Zero Trust technology used is resilient to external factors

The growing threat of cyberattacks like SolarWinds, JBS USA, and Colonial Pipeline has underscored that organizations can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest sign that organizations must assume that cyber adversaries are already in their network. Against the backdrop of these high-profile incidents and growing concerns of retaliatory cyberattacks by Russia following its invasion of Ukraine, legislators have stepped up their efforts to bolster resilience and response capabilities against these threats (e.g., U.S. Cyber Incident Reporting for Critical Infrastructure Act, European Union Rules for Common Cybersecurity and Information Security Measures).

New regulations are aimed at shifting the cybersecurity paradigm – away from the old mantra of “trust but verify” and toward a Zero Trust approach, whereby access to applications and data is denied by default. Threat prevention is achieved by granting access to networks and workloads only under policy informed by continuous, contextual, risk-based verification of users and their associated devices.

A good example is the federal strategy that the Office of Management and Budget (OMB) released earlier this year. The strategy details a series of specific security goals for agencies, serving as a blueprint for shifting the federal government to a new cybersecurity paradigm – namely Zero Trust – that is intended to help protect our nation. The strategy requires agencies to achieve specific Zero Trust goals by the end of fiscal year 2024 and aligns closely with the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model and its five complementary areas of effort:

• Identity: Staff use enterprise-managed identities to access work applications. Phishing-resistant multi-factor authentication (MFA) protects personnel from sophisticated online attacks.

• Devices: Establish a complete inventory of every device operated and authorized for government use. Prevent, detect, and respond to incidents on those devices.

• Networks: Encrypt all DNS requests and HTTP traffic within the environment and begin executing a plan to break down perimeters into isolated environments.

• Applications and Workloads: Treat all applications as Internet-connected, routinely subject applications to rigorous empirical testing, and monitor external vulnerability reports.

• Data: Deploy protections that make use of thorough data categorization. Take advantage of cloud security services to monitor access to sensitive data and implement enterprise-wide logging and information sharing.

Where the Rubber Meets the Road

As with other cybersecurity frameworks, it is important to note that these standards and requirements are focused solely on strengthening federal government systems. However, much of our nation’s critical infrastructure is owned and operated by the private sector, and those organizations make their own decisions regarding cybersecurity investments.

However, the biggest shortcoming lies in the fact that OMB’s federal strategy misjudges the efficacy of Zero Trust technology. Unfortunately, post-mortem analysis of cyberattacks often reveals that the tools and software meant to protect against incidents are frequently impaired by faulty implementation, software collision, human error, normal decay, and malicious actions. In fact, most intrusions entail reconnaissance followed by disabling or bypassing whatever security controls are in place.

Therefore, it becomes essential to ensure that any Zero Trust technology used is resilient to external factors.

Resilient Zero Trust is Better than Zero Trust

Zero Trust technology, and the range of threats to which those tools are susceptible, vary depending on the context in which cyber resilience is sought. In any situation, the priority an organization assigns to establishing cyber resilience measures across Zero Trust technologies should be driven by an assessment of the tactics, techniques, and procedures (so-called TTPs) that hackers commonly apply when exploiting their victims.

For instance, endpoints are often used as an access point for hackers and cybercriminals to launch attacks, or function as beachheads from which to move laterally within the network. In fact, a recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months. Despite widespread attempts to secure endpoints, this figure suggests that endpoint security has been rapidly eroding, which is why endpoint resilience, just one of the “flavors” that cyber resilience can assume, is required. Endpoint resilience enables organizations to always know where their endpoints are, to apply control and security actions on those devices, and to have those devices repair themselves whenever they are disabled, altered, or otherwise compromised.

Cyber resilience strategies like endpoint resilience provide a range of benefits before, during, and after a cyberattack. Some of the main benefits include:

• Hardened Security Posture: Cyber resilience not only helps with responding to and surviving an attack. It can also help an organization develop strategies to improve IT governance, improve security across critical assets, expand data protection efforts, and minimize human error.

• Improved Compliance Posture: Many industry standards, government regulations, and data privacy laws now call for cyber resilience.

• Enhanced IT Productivity: One of the understated benefits of cyber resilience is that it improves the daily operations of an organization’s IT team. It improves the team’s ability to respond to threats, assists in recovery efforts, and helps to ensure that day-to-day operations run smoothly.

Considering these benefits, more and more cyber risk and security management frameworks are adopting the concept of cyber resilience. For example, the Department of Homeland Security’s Cyber Resilience Review (CRR) offers guidance on how to evaluate an organization’s operational resilience and cybersecurity practices. Another example is the National Institute of Standards and Technology (NIST) Special Publication 800-160 Volume 2, which offers a framework for engineering secure and reliable systems—treating adverse cyber events as both resilience and security issues.

Ultimately, cyber resilience is the only way to guarantee true Zero Trust. When implemented properly, resilient Zero Trust becomes a preventive measure that counteracts human error, malicious actions, and decayed, insecure software.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
