In a revival that would satisfy both retro stylists and fictional FBI agent Fox Mulder, the approach to security known as Zero Trust is back and as strong as ever.
Why has Zero Trust – a model that ‘trusts no one’ and seeks to verify everything – returned to the forefront of security?
In a 2019 study, Gartner found that “More users, devices, applications, services and data are located outside of an enterprise than inside.” Doing business digitally is no longer solely about the trusted private network. It is about expanding the business horizons into unchartered network waters, into often shadowy connection points, where you might not know who or what is lurking on the other end and what he, she or it is carrying and trying to inject into your computer code and company network…
In a world of spamming, scamming, spoofing, phishing, catfishing, and ransomware, where individuals never can really be certain of the identity of the party on the other side of the connection, legitimate enterprises need all the help they can get when it comes to establishing trust and security.
The Zero Trust model is back.
Trust no one, Scully.
Zero Trust Networks and Architectures
Created in 2010 by then-Forrester analyst John Kindervag, Zero Trust was never wholly forgotten, but its forceful reemergence and renewed emphasis make sense in today’s interconnected reality where exposure to untrusted networks and apps and cybercriminals is unavoidable, and where ID spoofing, identity theft, and business-reputation damage are common occurrences. Attack methods have gotten more sophisticated… as has malware… and just one naïve or ill-advised click can infect a computer and surreptitiously attempt to spread. Detection can take months, allowing contagions to get rooted and then deliver a fatal blow to an organization, including through Zero Day exploits.
All access from within the network, from your cloud workload environments, and from remote users connected via VPN to your network, must be contained using a ‘least privilege approach.’ Access must be denied where not approved. Said another way, every user is verified, their devices validated, and their actions limited to just those that have been granted.
Ransomware still targets specific computers but has matured to now easily challenge network control. Ransomware operators such as SamSam are focused and lethal. They update their malware frequently in an effort to avoid antivirus and other endpoint defenses. In one tale of horror, the WannaCry ransomware attack was able to knock out 200,000 computers across 150 countries, including some hospitals, over the course of four days in 2017.
Once the malware gets a foothold it immediately attempts to spread laterally and infect multiple computers on a network. Some of the tools in use include Mimikatz and Bloodhound. Mimikatz is a tool for post-exploitation that dumps passwords from memory, PINs, and network authentication protocol lists. Bloodhound is a tool that can map out an entire domain and highlight where the next target might be. This makes lateral movement within a network easier for hackers and their malware.
Zero Trust powered by OPAQ allows organizations to quickly and easily set up a robust zero-trust architecture.
OPAQ Zero Trust Secure Access and Segmentation
Secure Internet Access
OPAQ Zero Trust cybersecurity protects your organization with multi-layered advanced security out to cloud and Internet access points while safely segmenting endpoint access and traffic patterns across lateral and core-data lines of movement. In addition to wrong clicks, identity spoofing, and distributed brute force attacks, devices can be lost or stolen and hackers can gain network access through computers left unattended. You want to make sure you stop the spread through layered security in the form of multi-factor authentication (MFA), access control and segmentation.
Using the OPAQ security-as-a-service, network security policy follows users wherever they go, protecting them as they perform their jobs, whether on the private network, or through a separate secure tunnel while using the public Internet or apps in the cloud. Zero Trust model rules can be based on any combination of host, host group, Active Directory user/group, port, protocol, service, range, and blacklist policy, while allowing for MFA when connecting to specific systems.
True Least Privilege Segmentation
Building effective network segments used to be hard work, and doing it with physical switches is expensive and time consuming. The consequence is that even relatively well segmented networks are not truly restricted to a least privilege level, i.e., strong access and control rules. OPAQ enables segments to be configured on the fly, and can provide network segments based on user groups rather than IP addresses or physical switch configuration. This capability affords granular, least privilege segments that enable employees to access the systems they need to do their jobs, and nothing more.
East-west traffic (lateral LAN traffic) is protected via security policies that provide software-defined network segmentation, while also providing hardware and software asset inventory, and instant quarantine capabilities. Users on the network can be granted or denied access to resources depending on their role, device state, and/or MFA.
Much of the work your organization is doing is no longer on the private network. Protect against infection, unauthorized access, and lateral spread by orchestrating security in a way in which trust is earned, not given, and by treating every connection with zero trust.
Zero Trust Architecture web page.