Attacks/Breaches | Commentary
1/10/2017 10:30 AM
John Kindervag

'Zero Trust': The Way Forward in Cybersecurity

This approach to network design can cut the chance of a breach.

Data breaches are all over the news. Yahoo admitted that at least 500 million user accounts were affected by a 2014 cybersecurity breach. The 2016 election season was filled with revelations gleaned from stolen emails. The Justice Department, Internal Revenue Service, the US Navy, and Snapchat all suffered breaches in 2016. The list seems endless. Most significant, however, were the 2015 breaches of the Office of Personnel Management (OPM), which experienced two separate cybersecurity incidents that resulted in stolen personnel files of almost 22 million people who had undergone background investigations.

While the technology and government sectors have endured arguably the largest breaches we've seen in recent history, other businesses aren't excluded from these security disasters. In fact, 15% of global businesses estimate their company's sensitive data was potentially compromised or breached over a 12-month period, according to Forrester data. This number may be low, however, as companies traditionally do not publicly report breaches if they can avoid it. Some breaches, such as at Target, get reported in the media and then the company must acknowledge the breach. Also, new SEC rules requiring a data breach report if the breach may have a material impact on the stock price have revealed other breaches that might otherwise have flown under the radar. With breaches on the rise, how can today's security professionals transition from a reactive method of security to one that proactively identifies and eliminates threats?

In the wake of the OPM breach, the US House of Representatives Committee on Oversight and Government Reform issued a report containing a formal recommendation that federal agencies should adopt the Zero Trust Model of Cybersecurity, which centers on the belief that neither internal nor external networks can be trusted. "Zero Trust," a widely accepted term originally coined by Forrester, is a data-centric network design that puts micro-perimeters around specific data or assets so that more-granular rules can be enforced. Zero Trust networks solve the "flat network" problem that helps attackers move undetected inside corporate networks so they can find and exfiltrate sensitive data. The shift to Zero Trust is applicable across all industries — from government to retail, healthcare, and everything in between. Here are five steps to get companies started on the path to Zero Trust.

  1. Identify Your Sensitive Data: This may seem simple, but it's more challenging than you might think. It's impossible to protect data that you can't see. If you don't know where your enterprise stores data, who specifically uses it, how sensitive it is, or how employees, partners, and customers use it, then you're putting your organization at risk. Before investing in security controls, companies must identify the data to protect. Once data is identified, it's necessary to make the data classification useful, and simplification is key.
  2. Map the Data Flows of Your Sensitive Data: It's crucial to understand how data flows across the network and between users and resources. Engaging multiple stakeholders such as application and network architects to create a transaction flow map is important because they bring different information to the conversation. Additionally, security teams should streamline their flow diagrams by leveraging existing models. For example, the Payment Card Industry Data Security Standard requires organizations to create data flow diagrams to help them fully understand all cardholder data flows, and ensure that they're effective in securing the cardholder data environment.
  3. Architect Your Network: The actual design of a Zero Trust network should be based on how transactions flow across a network and how users and applications access toxic data. With an optimized flow in mind, it's time to identify where microperimeters should be placed and segmented with physical or virtual appliances. For example, in a network where the compute environment is physical, the segmentation gateway usually will be physical as well. But if you've decided to adopt a highly virtualized compute environment, you may want to use a virtual segmentation gateway. 
  4. Create Your Automated Rule Base: Once the design team has determined the optimum traffic flow, the next step is to determine how to enforce access control and inspection policies at the segmentation gateway. One key principle of Zero Trust is that security pros must limit access on a need-to-know basis and strictly enforce this access control. To define these rules, the design team must have a detailed understanding of which users have access to which data. It's no longer enough to know the source address, destination address, port, and protocol. Security teams need to understand the asserted user identity as well as the application, which will often serve as a proxy for the data type in the modern segmentation gateway.
  5. Continuously Monitor the Ecosystem: Another core tenet of the Zero Trust model is to log and inspect all traffic, not just external traffic, for both malicious activity and areas of improvement. In the old broken-trust model, traffic was logged only if it came primarily from the Internet and hit edge devices. The syslog protocol would then be used to capture information that would be analyzed in a security information management tool. However, that method doesn't provide enough context to make good security decisions — internal traffic must be held to the same standards. This is accomplished because a Zero Trust network is designed so that the segmentation gateway can send all of the data flowing through it, including traffic destined for both internal and external network segments, to a security analytics tool for closer inspection.
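A sketch of the rule base and logging from steps 4 and 5, written in Python as an added example (not code from the article or from any Forrester or vendor product): the segmentation gateway allows a flow only when the asserted user and the identified application match an explicit allow entry for the destination micro-perimeter, and it records every flow, allowed or denied, internal or external, for the analytics tool. All addresses, user names, application names and segment names are constructed.

```python
import json
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Flow:
    """One transaction as seen by the segmentation gateway (constructed fields)."""
    src: str     # source address
    dst: str     # destination address
    port: int    # destination port
    user: str    # asserted identity (e.g. from an identity provider), not just an IP
    app: str     # identified application, which stands in for the data type

# Micro-perimeters keyed by the protected destination address (constructed).
SEGMENTS = {"10.0.5.10": "cardholder-db", "10.0.7.20": "hr-files"}

# Explicit allow list per micro-perimeter as (user, application) pairs.
# Anything not listed is denied: the 5-tuple alone never grants access.
RULE_BASE = {
    "cardholder-db": {("payments-svc", "postgres")},
    "hr-files": {("alice", "smb"), ("bob", "smb")},
}
# Every flow through the gateway, allowed or denied, lands here for analytics (step 5).
AUDIT_LOG = []

def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow and record it unconditionally."""
    segment = SEGMENTS.get(flow.dst)
    if segment is None:
        decision = "deny"      # unknown destination: no rule can match
    else:
        decision = "allow" if (flow.user, flow.app) in RULE_BASE[segment] else "deny"
    AUDIT_LOG.append({**asdict(flow), "segment": segment, "decision": decision})
    return decision

def export_log() -> str:
    """Serialise the audit trail as one JSON object per line, ready for forwarding."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in AUDIT_LOG)

if __name__ == "__main__":
    # Constructed flows: same ports, different identity/application outcomes.
    sample = [
        Flow("10.0.3.4", "10.0.5.10", 5432, "payments-svc", "postgres"),  # allow
        Flow("10.0.3.9", "10.0.5.10", 5432, "unknown", "postgres"),       # deny: no identity
        Flow("10.0.3.4", "10.0.5.10", 443, "payments-svc", "https"),      # deny: wrong app
        Flow("10.0.8.2", "10.0.7.20", 445, "alice", "smb"),               # allow
        Flow("10.0.8.2", "10.0.5.10", 445, "alice", "smb"),               # deny: need-to-know
    ]
    for f in sample:
        print(evaluate(f), f)
    print(export_log())
```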

In today's threat landscape, skilled, well-funded, organized cybercriminals are constantly working to steal vital information from businesses. Where today's security approaches fail to protect data, Zero Trust is the best, most modern way to keep your network secure.

John Kindervag is VP and principal analyst at Forrester, serving security and risk professionals. With more than 25 years of high tech experience, John is best known for creating the "Zero Trust" model of information security. He currently advises both public and private ...
Comments

Suberman99
User Rank: Apprentice
1/25/2017 | 1:48:20 PM
Re: Nothing new except the name
Cool sounding maybe, but not many companies adhere to anything but perimeter security, including the Fortune 1000.

How many IT staffs/managers adhere to LAN segmentation or data center east/west, north/south security? I'm not just talking about allowing a few ports like 443, 80, 8080, 25, 53, etc. Bad stuff rides on these ports as well because threat actors know they are most likely to be open. Zero trust is about knowing the precise application regardless of port or protocol as well as connecting a username to that session.
ClarenceR927
User Rank: Strategist
1/25/2017 | 10:37:14 AM
Re: Nothing new except the name
Our management has fallen in love with "Cyber kill chain" as if it has value. Same deal: put a cool sounding name on the same stuff security has been recommending for a decade and all of a sudden they pay attention.
Joe Stanganelli
User Rank: Ninja
1/14/2017 | 2:44:11 PM
Nothing new except the name
This strategy is what top cybersecurity experts have recommended for years.  Few listened.

The only difference now is that, as of sometime in the last year+, somebody came up with a catchy name ("Zero Trust") for it.

I guess buzzterms have their place.
Shantaram
User Rank: Strategist
1/13/2017 | 6:21:53 AM
Re: 192.168.0.1
Cool! I like it!
netwatcher
User Rank: Apprentice
1/12/2017 | 3:25:21 PM
Re: Isn't this what we were supposed to be doing all along?
Some reasons why...
  • Executive is not aware of the risks – "We have a firewall and anti-virus so I think we are covered..."headinsand
  • Executive has bad information – "Hackers only attack the big companies, what would they want from us?"
  • Executive is a risk taker – "I'll take the risk, the probability for us getting attacked is low."
  • Executive is cheap – "No ROI means no priority."
  • Executive doesn't believe investment in security is worth it – "The loss involved will be so small compared to our revenues. It's easier to take a chance and write off any losses should they occur."
  • Executive is overwhelmed by the size of the necessary investment required to add additional security measures – "We can't afford Fire Eye, IBM, HP, Palo Alto etc.; those tools are only affordable to the Fortune 1000"
  • Executive believes they are covered when they are not – "Our POS (or EMR) vendor is responsible for our security not us..."
  • Executive doesn't believe any investment will have much of an impact – "Big companies have all the tools and they are still getting hacked."
ClarenceR927
User Rank: Strategist
1/12/2017 | 9:10:58 AM
Isn't this what we were supposed to be doing all along?
Seriously, how far removed from the real world is IT/CISO management that this concept needs to be explained to them? This exact structure has been understood and recommended for at least 25 years. The more important article would be one that examines the excuses, roadblocks and technical challenges that have prevented people from actually making it happen.
DamnDesert
User Rank: Apprentice
1/10/2017 | 10:47:06 PM
If only it were that simple
If it were just up to cybersecurity to get it done it would be so simple. I've spent 5 years trying to get the company I'm at to get such controls in place to government requirements SP-800-53 for a contract we have. In the end it takes executive buy-in, available Capex/Opex budget, priority from other IT departments, and patience for needed downtime for many of the changes that need to take place. No small task; needed, yes, but getting people to understand it's a high priority is a whole other challenge.