Zero-Trust Security: Why Enterprises Need It

Jagan Kalva, Solution Architect, TCS

Tata Consultancy Services is an IT services, consulting and business solutions organization that has been partnering with the largest businesses in their transformation journeys for the last 50 years.

Traditionally, employees accessed applications from a physical workstation on the organization's premises, behind the firewall. The enterprise perimeter was clearly bounded: everyone inside it was trusted, and everyone outside was treated as untrusted and potentially malicious.

Over the last decade this has changed. Enterprises have adopted cloud services, SaaS applications, bring your own device (BYOD) and remote access to applications, and IoT is being widely adopted. As a result, the notion of a network perimeter is no longer valid in today's enterprise landscape.

Conventional security models rest on this assumption of a perimeter, which is now ineffective. Today's attacks are advanced and sophisticated: an attacker can compromise a single endpoint inside the trusted boundary and quickly expand that foothold across the entire network.

For instance, the Pentagon security breach exposed personal information of 30,000 Pentagon workers. It occurred through a hack of a travel data system. The hack is said to have taken place earlier and to have gone unnoticed for some time before it was discovered, despite the Pentagon running programs such as 'Hack the Pentagon' to identify potential weaknesses.

A significant challenge to information security is the lateral movement of threats such as malware and ransomware once they are inside the network. With traditional security models the threat remains undetected; it can propagate across the network and move wherever it chooses to extract business-sensitive data.

Today's security needs and challenges can be met through a 'Zero Trust' architecture, first introduced by the analyst firm Forrester Research. It is a paradigm shift in how we view security.

Zero Trust means no one is trusted by default, whether inside or outside the organization: the credentials of every user and every device are verified every time they access any resource. This eliminates the concept of trust based on network location within a perimeter.

By implementing software-defined networking technologies such as micro-segmentation, granular perimeters can be introduced and policies enforced based on user, data and location. This prevents lateral threat movement and limits the impact of any breach.

For example, in a typical enterprise the marketing team should have access to data associated with marketing content, but not to HR information. It is important to identify who the users are, which applications they are trying to use, from where they are accessing them, and whether the session is appropriate and valid.

Key Focus Areas of Zero Trust
Zero Trust People: People are the weakest link in security. Weak passwords and password reuse across applications increase risk, and granting access based on a username and password alone no longer suffices. Employing multi-factor authentication adds an extra layer of security, establishing real identity before access is granted.

Zero Trust Devices: The number of devices connecting to the network has exploded. Every device that touches the ecosystem, such as mobile phones, tablets and IoT devices, must be shown to be trustworthy before it is granted access. These devices are a potential source of attacks and their health should be monitored.

Zero Trust Workloads: Workloads are what let customers interface with the business; a workload could be an application, a web server, a database, a container or backend software. All workloads are potential threat vectors and should be zero-trust compliant.

Zero Trust Networks: Enterprises must isolate applications and the access architecture from the public internet. Grant users access only to the applications they are entitled to for their role, not to the network. This integrates identity management with IP routing and prohibits sessions without proper authentication and authorization.
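The per-request checks described in the marketing/HR example and the four focus areas above, as a constructed example added here (not code from the original article or from TCS): a small deny-by-default policy decision function that evaluates MFA, device health, session freshness and role-to-application entitlement, and records the source location for audit without trusting it. Role and application names are hypothetical.

```python
from dataclasses import dataclass

# Constructed example: a minimal zero-trust policy decision point.
# Every request is denied unless identity, device, session and
# entitlement checks all pass; source location alone grants nothing.

# Role -> applications the role is entitled to (hypothetical names).
# Marketing reaches marketing content, never the HR portal.
ENTITLEMENTS = {
    "marketing": {"marketing-cms", "brand-assets"},
    "hr": {"hr-portal", "payroll"},
}
MAX_SESSION_HOURS = 8.0


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    app: str
    mfa_verified: bool        # Zero Trust People: password alone is not enough
    device_healthy: bool      # Zero Trust Devices: result of a posture check
    session_age_hours: float  # re-verify: stale sessions are not carried forward
    source: str               # "corp-lan", "home", ... recorded, never trusted


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Deny by default; every check must pass for (True, 'allowed')."""
    if not req.mfa_verified:
        return False, "mfa-required"
    if not req.device_healthy:
        return False, "device-unhealthy"
    if req.session_age_hours > MAX_SESSION_HOURS:
        return False, "session-expired"
    # Entitlement is to a specific application, never to "the network".
    if req.app not in ENTITLEMENTS.get(req.role, set()):
        return False, "not-entitled"
    return True, "allowed"


def audit_record(req: AccessRequest) -> dict:
    """Decision plus context for the SOC; source is logged, not trusted."""
    allowed, reason = decide(req)
    return {"user": req.user, "app": req.app, "source": req.source,
            "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    ok = AccessRequest("alice", "marketing", "marketing-cms", True, True, 1.0, "corp-lan")
    hr = AccessRequest("alice", "marketing", "hr-portal", True, True, 1.0, "corp-lan")
    for r in (ok, hr):
        print(audit_record(r))
```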

Real-world use cases for Zero Trust
Applying zero-trust principles to various industry scenarios shows why this is the way forward for addressing security concerns across enterprises. A few use cases across verticals are listed below.

In the manufacturing industry there is constant pressure to improve production efficiency. When machines in a factory malfunction, vendors need remote access to acquire real-time data from the installed machines, diagnose and fix issues. This access should be limited to specific applications for a limited time, preventing unauthorized access to other production information. Traditional remote access based on VPNs and port configuration can introduce network vulnerabilities and is time-consuming to set up. Zero Trust enables context-aware secure connectivity through controlled access based on role and classification of traffic based on endpoint identity.

In retail stores, consider a point-of-sale (POS) terminal: it generates payment transactions as well as other traffic, for example to inventory and pricing services. PCI (Payment Card Industry) traffic should be treated separately from the other traffic. Zero Trust lets segmentation be done at this granular, per-service level. In the traditional world, VLAN segmentation is limited to the device, based on IP or MAC address; Zero Trust can segment not only by IP or MAC but by the service (context).
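The difference between address-based VLAN segmentation and service-level segmentation, as a constructed example added here (not code from the original article or from TCS): the same store-floor flows are evaluated by a traditional IP-range rule and by a rule keyed on source workload identity plus classified service, so PCI traffic to the payment gateway is isolated even from another device on the same VLAN. Addresses, identities and service names are hypothetical.

```python
from dataclasses import dataclass

# Constructed example: the same store-floor flows evaluated two ways.
# VLAN/IP segmentation decides on addresses only; service-level
# segmentation decides on the source workload identity and the
# classified service (context), so PCI traffic is isolated per service.

STORE_VLAN = "10.20.0."      # all store devices, POS and signage alike
DATACENTER = "10.99.0."      # payment gateway and inventory service


@dataclass(frozen=True)
class Flow:
    src_identity: str  # workload identity, e.g. "pos-terminal"
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str       # classification of the destination service


def vlan_policy(flow: Flow) -> bool:
    """Traditional rule: anything in the store VLAN may reach the data-center range."""
    return flow.src_ip.startswith(STORE_VLAN) and flow.dst_ip.startswith(DATACENTER)


# (source identity, service) pairs that are permitted; everything else is denied.
SERVICE_POLICY = {
    ("pos-terminal", "payment-gateway"),   # PCI traffic: POS -> payment only
    ("pos-terminal", "inventory"),         # non-PCI traffic: prices, stock
    ("digital-signage", "content-server"),
}


def service_policy(flow: Flow) -> bool:
    """Zero-trust rule: identity plus service, independent of address."""
    return (flow.src_identity, flow.service) in SERVICE_POLICY


def compare(flows):
    """Return (identity, service, vlan_allows, service_allows) per flow."""
    return [(f.src_identity, f.service, vlan_policy(f), service_policy(f)) for f in flows]


# Constructed sample flows: a signage box shares the POS VLAN and tries the gateway.
SAMPLE_FLOWS = [
    Flow("pos-terminal", "10.20.0.11", "10.99.0.5", 443, "payment-gateway"),
    Flow("pos-terminal", "10.20.0.11", "10.99.0.9", 8080, "inventory"),
    Flow("digital-signage", "10.20.0.40", "10.99.0.5", 443, "payment-gateway"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

The third row shows the point of the passage: the VLAN rule admits the signage device to the payment gateway because it shares the POS address range, while the service rule denies it.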

Financial: Cosmos Bank, one of India's largest co-operative banks, was the victim of a cyber attack. Through fraudulent debit-card ATM transactions and SWIFT transactions, 95 crore rupees were withdrawn. The bank's Visa and RuPay card accounts were compromised, and attackers created cloned cards that enabled ATM cash withdrawals. The malware infected the system and dwelt there, moving laterally and finding vulnerabilities, leading to automatic authorization of the fraudulent transaction requests. Segmenting the bank's network into separate banking, non-banking and administrative environments using micro-segmentation could have stopped the lateral movement of the malware and prevented the attack.

While the Zero Trust security architecture is gaining popularity, implementing it in large enterprises with legacy environments can be hard. Apart from the technical complexities, it requires a cultural shift within IT. The shift from traditional security to Zero Trust can be gradual, introducing the technologies, micro-perimeters and policies steadily while ensuring that systems continue to function properly and users remain productive.