Cybersecurity’s new challenge: building easy-to-access Zero Trust Networks

By Amit Roy Choudhury

‘Verify and then allow access’ needs to be the mantra. But it should not impede the free flow of information for genuine users.

In today’s cybersecurity landscape, a well-defined perimeter on which legacy network security has been based no longer works. This is because traditional IT infrastructure, in which users access data and programmes from within the network boundary layer, is a thing of the past. In a mobile-first digitalised business landscape, cybersecurity professionals can no longer restrict access to the network to only known, trusted devices and credentials operating within a well-defined network boundary.

The modern network has become diffused. Employees, suppliers, and other stakeholders are accessing the network using a plethora of devices at all times of the day.

This has coincided with an exponential rise in the number and sophistication of cyberattacks that aim to take advantage of this new and emerging diffused network. Targeted threats such as advanced persistent threats (APTs), ransomware, phishing, and malware require a new approach to cybersecurity.

Out with the old, in with the new

Traditional network security layers, comprising firewalls and restricted access, are becoming obsolete. Chief information security officers (CISOs) are looking for new tools to deal with complex dynamic workloads that move seamlessly to and fro from data centres, multi-cloud environments, remote users, and endpoints.

In this new paradigm, CISOs are increasingly turning to Zero Trust Network Access platforms. These will replace traditional corporate network perimeters with individual access boundaries around most critical applications within the network.

These platforms allow organisations to hide applications from public view and implement a mechanism to verify every request for the information in real-time and with a great degree of authenticity. This is of particular importance for the public sector, as increasingly more government data is stored online and citizen-centric services are offered online, particularly during this period of a global pandemic.

Here comes 5G

The nature of the network perimeter is expected to become even more diffused as 5G becomes mainstream, providing ultra-reliable low latency connectivity and resulting in data residing more on the edge.

5G will allow remote and intelligent control of terrestrial and aerial unmanned vehicles, robotic platforms, and critical infrastructures, such as electricity, water, gas, ports, transport, etc. Any 5G system failure could cause serious harm. Massive connectivity with higher bandwidth may include malicious traffic leading to distributed denial of service attacks (DDoS) on the control (signalling) and user plane. Network security needs to be reimagined in such a scenario.

Zero Trust brings about a fundamental change in approach to security since trust is a vulnerability that can be exploited. For an effective Zero Trust policy, organisations need to have visibility into communications and restrict traffic – across endpoints, between remote users and applications, and dynamic workloads that move inside data centres and public cloud environments. Zero Trust Network Access platforms reduce excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties.

Building a zero-trust network access framework is a long and complicated process and approaches can vary from organisation to organisation. However, there are some common requirements for such a network.

Understanding your data

Organisations need to identify and segment data to figure out what is sensitive and what is not. Most public sector departments already know what data is sensitive and need to be protected at all costs.

There is also a need to map traffic flows and associate them with business applications. CISOs need to have a clear idea of where data is going, who is using it, and for what purpose.

In a large network, billions of bits of data flow through and between different business applications and users. Granular level understanding of which data is being accessed and by whom and why is a must. This has to be a continuous process.

Check, then check again

In a zero-trust network, as the name suggests, all credentials that attempt to log into the network are suspect and need to be authenticated. The unfortunate reality of cybersecurity is that, more often than not, humans are the weakest link.

For this reason, checking and verifying all credentials are important and for remote access, it is an essential requirement to build a segregated segment with limited access to the rest of the network.

Remote access needs to be cut off from direct access to data centre servers that contain the most sensitive information. Access to sensitive data should only be allowed with another layer of authentication.

Once there is a better idea of what should be allowed in, policies should automatically either block or flag all the rest of the traffic. This requires a robust and automated filtering policy that allows only legitimate traffic flows. Fortunately, software-defined networking (SDN) platforms within data centres and public-cloud providers automatically allow the deployment of filters within the network. Defining the content of these filtering policies is the real challenge.

Once full visibility of the network and the required filtering policy is in place, it’s essential to monitor everything. This is where visibility comes into its own. The only way to know if there is a problem is by monitoring traffic across the entire infrastructure, all the time.

This involves identification of the source of truth for user identities, including the process for third-party identities and defining policies where stronger two or multi-factor authentication is required to access particularly sensitive data. There needs to be a clear and automatic policy which can determine which device is managed and which are unmanaged.

One 'brain'

While all these are some of the individual steps needed to develop a Zero Trust Network Access framework, all of them need to work in orchestration. That can only be achieved when there is a centralised policy “brain” which knows what is happening where.

Think of the individual bits and pieces as the part of the network’s central nervous system that sends information or does a particular task. The “brain” knows exactly what is happening where and orchestrates everything. Building such an automated network “brain” is the most vital part of developing a zero-trust network.

The job of a well-designed automated zero-trust network is not just protecting data. It also needs to ensure the ease of access to legitimate users as this is vital in today’s digitalised environment. An organisation can have the world’s most protected network but that will not result in any positive business outcomes if there are barriers to access for genuine users.

The free flow of information is a vital part of digital transformation. Well-designed zero trust networks need to be both secure and easy to access. In other words, such a network needs to satisfy two contradictory outcomes. Designing such a network is the real challenge for today’s cybersecurity professionals.

Amit Roy Choudhury, a media consultant, and senior journalist writes about technology for GovInsider.