[ad_1]
The National Security Agency (NSA) and Microsoft advocate the Zero Trust security model as a more effective way for businesses to defend against today’s increasingly sophisticated threats.
The concept has been around for some time and is based on the assumption that an intruder may already be on the network, so local devices and connections should never trust implicitly and verification is always required.
Cyber security companies pushed the trustless network model for years, as a transition from the traditional security design that only considered external threats.
The model was created in 2010 by John Kindervag, who also coined the term “zero trust,” a senior analyst at Forrester Research at the time, but discussions about it had started in the early 2000s. Google put in implemented zero-trust security concepts after Operation Aurora in 2009 for an internal project that became BeyondCorp.
Zero Trust Defense for Critical Networks
The recent attack on SolarWinds’ supply chain, also attributed to a nation-state actor, has renewed discussion of the benefits of zero-trust security architecture for sensitive networks.
Microsoft President Brad Smith made the case for the zero trust model in his testimony in the US Senate regarding the SolarWinds cyberattack, saying this concept is the best approach for an organization or agency to ensure identity security in their networks.
Speaking about the security of the U.S. government networks targeted by the attack, Smith said:
“Basic cybersecurity health and safety best practices were not in place with the consistency and discipline we expected from federal clients with agency security profiles. In most cases, multi-factor authentication, least privileged access, and other requirements to establish a “zero trust” environment were not in place. Our experience and data strongly suggest that if these steps had been put in place, the attacker would have had limited success in compromising valuable data even after gaining access to the agency environments ”- Brad Smith, President from Microsoft
Now, the NSA and Microsoft are recommending the zero trust security model for critical networks (national security systems, defense ministry, defense industrial base) and large enterprises.
Zero Trust is a long term project
The guiding principles of this concept are constant verification of user authentication or authorization, least privileged access and segmented access based on network, user, device and network. ‘application.
The above diagram from Microsoft shows how zero trust security with a security policy enforcement engine can be assessed in real time. The model grants access to data, applications, infrastructure, and networks after verifying and authenticating identities and verifying that devices are secure.
Understanding and controlling how users, processes and devices interact with data is the fundamental goal of Zero Trust, says the NSA.
Several data points are needed to paint an accurate picture of network activity, assess its legitimacy, and prevent the lateral movement of a threatening actor.
The combination of user and device data with security related information such as location, time, logged behavior can be used by the system to allow or deny access to specific assets, and decision is saved for use in future suspicious activity scans. This process applies to each individual access request to a sensitive resource.
However, creating a mature zero trust environment is not an overnight task, but a gradual transition that often requires additional capabilities as it does not address new tools, tactics or techniques from the adversary. .
“Zero Trust incorporates comprehensive security oversight; granular risk-based access controls; and automating system security in a coordinated manner across all aspects of the infrastructure to focus on protecting critical assets (data) in real time in a dynamic threat environment ”- National Security Agency
The good news is that the transition can be gradual and reduce risk at every step, dramatically improving visibility and automated responses over time.
Benefits of the Zero Trust Network
To show the benefits of a Zero Trust network, the NSA gives three examples based on actual cybersecurity incidents where the threat actor would have failed had the concept been implemented.
In the first, the actor accessed a victim organization’s network from an unauthorized device using legitimate credentials stolen from an employee – a sufficient level of authentication in a traditional security environment.
The second example shows a malicious party that is either an insider threat or an actor who compromised “a user’s device via an Internet-based mobile code exploit.”
In a typical environment, the actor can enumerate the network, increase privileges, and move sideways across the network to gain persistence or find valuable data and systems.
The third example of the NSA is that of a supply chain attack, where the actor adds malicious code to “a popular enterprise network device or application” that the victim organization maintains and releases. updated regularly by following best practices.
In a zero trust architecture, the compromised device or application would not be able to communicate with the threat actor because it would not be trusted by default.
“Its privileges and access to data would be tightly controlled, minimized and monitored; segmentation (macro and micro) would be imposed by policy; and scans would be used to monitor abnormal activities. Additionally, while the device may be able to download signed application updates (malicious or not), the device’s allowed network connections under a Zero Trust design would employ a deny security policy by default. , therefore any attempt to connect to other remote addresses for command and control would likely be blocked ”. National Security Agency (NSA)
The agency recognizes that besides the technical challenges arising from redesigning an existing information system based on the Zero Trust model, resistance across the organization can be another obstacle that reduces the efficiency of the system.
Users, administrators, and senior management all need to have the same mindset for Zero Trust to work. In other words, leaders must spend the necessary resources to create and maintain it, administrators and advocates of the network must have the necessary expertise, and users must not be able to circumvent policies.
“Once even the basic or mid-level capabilities of Zero Trust are integrated into a network, follow-up is necessary to mature the implementation and achieve full benefits,” the NSA says.
The agency is currently working with DoD clients to set up Zero Trust systems and coordinate activities with current NSS and DoD programs.
Additional guidelines are being developed to facilitate the integration of zero trust principles into corporate networks. Organizations looking to adopt the concept can also find documentation and methodology from NIST as well as several cybersecurity companies, some of which offer solutions for easier implementation.
[ad_2]
Source link