Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/20/2020
10:00 AM
Dan Blum
Dan Blum
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Is Zero Trust the Best Answer to the COVID-19 Lockdown?

Enterprises need to recognize that remote access and other pandemic-related security challenges cannot be fixed with buzzwords or silver-bullet security tools.

As businesses operate under the COVID-19 shutdown, they undergo forced digitalization. Many people are teleworking, exponentially expanding remote access loads. Organizations also experience disruption to the supply chain, business continuity/disaster recovery (BC/DR) issues, and ramped-up cyberattacks. How well they are able to navigate the new abnormal depends on where they fall in the network security continuum between a relatively closed or relatively open "zero-trust" environment.

Figure 1 above illustrates three network security scenarios:

  • Relatively closed prepandemic IT environment with main security zones of trust. Users may be strongly authenticated by the VPN, but internally to the network both users and services tend to be trusted with minimal (e.g., password-based only) authentication.
  • Relatively open IT environment with no VPN and minimal perimeter layers. All access to applications and services gets strongly authenticated via services such as Google Authenticator or cryptographic mechanisms.
  • Hybrid environment including elements of both the relatively open and relatively closed models.

Expanding Remote Access
Businesses that had robust remote access and/or cloud security strategies before COVID-19 have found it relatively easy to ramp up teleworking. They can run many business applications as is and open up access rapidly to many others. During one of the interviews I conducted for my 
upcoming book, Rational Cybersecurity for Business — after the COVID-19 shutdown — a chief information security officer (CISO) from an asset management firm told me:

We'd done a tabletop exercise two and a half years ago to uncover weaknesses in remote working and fix them. This exercise was focused on the potential requirement to evacuate offices and keep the business running in the event of an active shooter scenario. We needed to define:

  • How do we communicate?
  • What critical systems would we need?
  • Would team members have the equipment required to work at home? (We even looked at seemingly minor issues, such as whether users have headsets.)

Architecturally, we had to make security decisions about which systems, or security zones, to keep behind the VPN and which to make accessible through the Internet. We implemented a zero-trust architecture and started to move some applications to the cloud. That really helped reduce the load on the VPN.

Although COVID-19 has been a completely different scenario, the remote access challenges are similar. Being prepared in advance has made the disruption much less painful for us.

It's Never Too Late, but…
Other businesses, whose time to prepare in advance has passed, must set themselves realistic expectations. If staff predominantly worked from the office on desktops before the lockdown, organizations may lack the budget and infrastructure capacity to swiftly roll out notebook computers to everyone. Such businesses will need to start, formalize, or expand a bring-your-own-device (BYOD) program as well as a remote access expansion project. Otherwise, they'll be opening up business applications to potentially compromised home devices. It's also important to adapt network architecture to this new way of working.

Look at the use cases below to determine which systems can be exposed to BYOD, remote access, and Web access. 

Zero Trust Is Not Always the Answer
In its most simple description, the zero-trust security architecture holds that all network access should be appropriately authenticated and that the access must never be granted based on device network location alone (i.e., being inside a "trusted zone"). With a capability for strong authentication in place, one can — in theory — safely take down some of the perimeter layers in the relatively closed scenario from Figure 1.

However, zero trust isn't suitable for use cases where staff are working on home computers absent an effective BYOD program that may include endpoint health checks, user awareness training, corporate-provided endpoint security software, and legal agreements. It isn't appropriate when the target applications or systems cannot defend against cyberattackers attempting to exploit direct access. When applications haven't been hardened or isolated commensurate to the risk they create, exposing them to direct Internet access is unwise.

By analyzing use cases similarly to what we see in Figure 2 rather than attempting to force-fit VPNs, zero trust, or any other one-size-fits-all approach, a company could do the following:

  • Start to get its feet wet with zero-trust access to lower risk assets
  • Use selected groups of staff members to pilot BYOD solutions in return for higher levels of access to employee intranet informational applications
  • Load up the VPN only with applications, such as the call center, that pose more risk
  • Augment or replace the VPN with solutions better suited to the highest risk use cases, such as privileged account management (PAM) tools

Although the zero-trust principles may seem suited to the challenges of our time, proceed with caution. Even Google's BeyondCorp initiative — a poster child for zero trust — took two to three years and a major investment to accomplish. Enterprises just starting now need to recognize that remote access and other COVID-19 security challenges cannot be fixed with buzzwords or silver-bullet security tools. Instead, they demand a risk-based focus and careful attention to network security and identity and access management (IAM) architecture.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Biometrics in the Great Beyond."

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. His forthcoming book is "Rational Cybersecurity for Business." Dan was a Golden Quill award winning vice president and distinguished analyst at Gartner, Inc. He has served as the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
fazzael
100%
0%
fazzael,
User Rank: Strategist
5/25/2020 | 12:08:25 AM
Nice Insight
COVID-19 surely has pushed many company for teleworking. And as this article point out, it can cause system security problem. While zero trust do show promise but company must also understand the challenges that can be arise in its implementation. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20811
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
CVE-2019-20812
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.
CVE-2020-13776
PUBLISHED: 2020-06-03
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
CVE-2019-20810
PUBLISHED: 2020-06-03
go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
CVE-2020-4026
PUBLISHED: 2020-06-03
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted...