Posts

Zero Trust Resurges in Ethereal World of Borderless Networks and Other Haunts

In a revival that would satisfy both retro stylists and fictional FBI agent Fox Mulder, the approach to security known as Zero Trust is back and as strong as ever.

Why has Zero Trust – a model that ‘trusts no one’ and seeks to verify everything – returned to the forefront of security?

In a 2019 study, Gartner found that “More users, devices, applications, services and data are located outside of an enterprise than inside.” Doing business digitally is no longer solely about the trusted private network. It is about expanding the business horizons into unchartered network waters, into often shadowy connection points, where you might not know who or what is lurking on the other end and what he, she or it is carrying and trying to inject into your computer code and company network…

In a world of spamming, scamming, spoofing, phishing, catfishing, and ransomware, where individuals never can really be certain of the identity of the party on the other side of the connection, legitimate enterprises need all the help they can get when it comes to establishing trust and security.

The Zero Trust model is back.

Trust no one, Scully.

Zero Trust Networks and Architectures

Created in 2010 by then-Forrester analyst John Kindervag, Zero Trust was never wholly forgotten, but its forceful reemergence and renewed emphasis make sense in today’s interconnected reality where exposure to untrusted networks and apps and cybercriminals is unavoidable, and where ID spoofing, identity theft, and business-reputation damage are common occurrences. Attack methods have gotten more sophisticated… as has malware… and just one naïve or ill-advised click can infect a computer and surreptitiously attempt to spread. Detection can take months, allowing contagions to get rooted and then deliver a fatal blow to an organization, including through Zero Day exploits.

All access from within the network, from your cloud workload environments, and from remote users connected via VPN to your network, must be contained using a ‘least privilege approach.’ Access must be denied where not approved. Said another way, every user is verified, their devices validated, and their actions limited to just those that have been granted.

Ransomware still targets specific computers but has matured to now easily challenge network control. Ransomware operators such as SamSam are focused and lethal. They update their malware frequently in an effort to avoid antivirus and other endpoint defenses. In one tale of horror, the WannaCry ransomware attack was able to knock out 200,000 computers across 150 countries, including some hospitals, over the course of four days in 2017.

Once the malware gets a foothold it immediately attempts to spread laterally and infect multiple computers on a network. Some of the tools in use include Mimikatz and Bloodhound. Mimikatz is a tool for post-exploitation that dumps passwords from memory, PINs, and network authentication protocol lists. Bloodhound is a tool that can map out an entire domain and highlight where the next target might be. This makes lateral movement within a network easier for hackers and their malware.

Zero Trust powered by OPAQ allows organizations to quickly and easily set up a robust zero-trust architecture.

OPAQ Zero Trust Secure Access and Segmentation

Secure Internet Access

OPAQ Zero Trust cybersecurity protects your organization with multi-layered advanced security out to cloud and Internet access points while safely segmenting endpoint access and traffic patterns across lateral and core-data lines of movement. In addition to wrong clicks, identity spoofing, and distributed brute force attacks, devices can be lost or stolen and hackers can gain network access through computers left unattended. You want to make sure you stop the spread through layered security in the form of multi-factor authentication (MFA), access control and segmentation.

Using the OPAQ security-as-a-service, network security policy follows users wherever they go, protecting them as they perform their jobs, whether on the private network, or through a separate secure tunnel while using the public Internet or apps in the cloud. Zero Trust model rules can be based on any combination of host, host group, Active Directory user/group, port, protocol, service, range, and blacklist policy, while allowing for MFA when connecting to specific systems.

True Least Privilege Segmentation

Building effective network segments used to be hard work, and doing it with physical switches is expensive and time consuming. The consequence is that even relatively well segmented networks are not truly restricted to a least privilege level, i.e., strong access and control rules. OPAQ enables segments to be configured on the fly, and can provide network segments based on user groups rather than IP addresses or physical switch configuration. This capability affords granular, least privilege segments that enable employees to access the systems they need to do their jobs, and nothing more.

East-west traffic (lateral LAN traffic) is protected via security policies that provide software-defined network segmentation, while also providing hardware and software asset inventory, and instant quarantine capabilities. Users on the network can be granted or denied access to resources depending on their role, device state, and/or MFA.

Much of the work your organization is doing is no longer on the private network. Protect against infection, unauthorized access, and lateral spread by orchestrating security in a way in which trust is earned, not given, and by treating every connection with zero trust.

Learn more.

Zero Trust Architecture web page.

 

Ransomware, and Why Organizations of All Sizes Should Evaluate Network Segmentation

You’ve probably read or discussed the news articles and public disclosures.

A major bank gets hacked, the personal data of a 100 million customers falls into the wrong hands, and it costs the bank hundreds of millions of dollars to fix.

A major U.S. municipality is held ransom for database control, forcing it to rely on old-school data-keeping methods as it courageously defies the extortive criminal demands.

How can these kinds of attacks succeed in today’s cyber-vigilant day and age?

The aforementioned are just the high-profile cases. Below the radar of the headlines, smaller companies encounter spoofing ploys, ransomware and evolving malware, and every day too many of them get compromised or deceived into sending funds to a cybercriminal.

There will always be human errors and cyber-villains seeking to capitalize, so, what is it that we can actually change? The answer lies in an evolving security architecture and how we define next-generation network segmentation.

Traditional Security Architectures Pose Risks

Nearly every harmful corporate cyber-assault is a lesson in unsound traffic patterns, of network blind-spots, of organizations not sufficiently insulating enterprise jewels, not properly segmenting network traffic and not adequately shoring up endpoint protection and access control against powerful automated takeover attacks.

It’s nobody’s fault really. The private network has changed, gotten more complex, become a WAN without boundaries. You have users connecting into the private network while they’re plugged into data transaction points outside your network security team’s control on the Internet and in the cloud, some of these access points potentially vulnerable. Do you want to allow traffic and files from Internet and multiple cloud access points to merge with important private network traffic and databases via common pathways? From a smart central security perspective, the twain should never meet.

What’s more, cybersecurity skills, especially in cloud network security, are in short demand, and network and IT departments have to wear many other hats in their jobs. It gets challenging to structure network patterns to keep roaming users connected and satisfied while also prohibiting sneaky lateral movement of suspicious or known threats. A zero trust network approach must not result in an unintended plethora of zero-access lines. Connection hurdles can hurt your business: employees still need to get data and communicate.

Network Segmentation, Microsegmentation, and Access Control

Your users are traversing myriad websites and Internet access points, downloading tools, plugging in at public charging stations and then connecting to private enterprise assets. Network segmentation is about restricting direct gateways into the heart of the business so traffic flow patterns don’t inadvertently put the organization at high risk. But network segmentation has been difficult and expensive due to the amount of resources and effort needed to reconfigure distributed physical equipment such as VLANs, routers and switches.

A next generation of network segmentation, microsegmentation (or software-defined segmentation) is the partitioning of workloads from one another, including in the cloud, between multi-cloud access points, and between data centers and databases.

Gartner wrote: “Microsegmentation (also referred to as software-defined segmentation, zero trust network segmentation or logical segmentation) uses policy- and workload-identity-driven firewalling (typically software-based) or network cryptography to isolate workloads, applications and processes in data centers, public cloud IaaS and containers. This includes workloads that span on-premises and multiple public cloud IaaS providers.”

What this translates into from a security perspective is when some of your databases and servers are hosted they creep out of your view and control, so keeping the workloads of these different transaction points separate is mandatory in order to protect your most precious enterprise data and digital assets.

Workstation Microsegmentation

Securing this larger, more distributed attack surface without talking about endpoint agents (i.e., software-defined networking on portable laptops and other human-manned mobile workstations as well as virtual machines) is unrealistic. These devices are all part of your network, whether you’re in the cloud or not, and an initial point of potential compromise.

It’s a hybrid, multi-cloud network for many organizations, not just one big tidy cloud environment. More-granular segmentation is needed in both cloud environments and your endpoint-defined private network.

Microsegmentation tends to merely represent a granular, cloud- and data-center-workload-focused approach to segmentation. But your segmentation should not be restricted to just data centers and clouds when you have to also protect end users connecting to each other, to the cloud, and to on-premises network assets.

OPAQ offers both network segmentation and microsegmentation at the endpoints, that is, on the devices that connect or traverse Internet, cloud and multi-cloud access points. Each protected endpoint, whether stationary or mobile, carries security and segmentation policy, ensuring that these devices don’t act as the conduits for infection with each other or networks, servers or databases.

Microsegmentation doesn’t have to be impossible for small and midsize enterprises or new branch offices, all in the crosshairs of powerful distributed attacks. Neither should the ability to rapidly roll out next-gen network security policy to endpoints, which nowadays is crucial for small and midsize enterprises and large-enterprise branch offices alike. Your endpoints are your weakest links, a ‘way in’ for the sophisticated attack and bad actor. Segmenting cloud and database workloads is smart, but a lateral spread can still afflict your workforce and cost you if you don’t bolster your endpoints with advanced security policy including network segmentation by host and user groups.

Don’t underestimate the threat of malicious lateral movement through your security architecture.

Find out more.

Endpoint Control

Request a demonstration.