Man the barricades… What barricades?

Clem Colman suggests that it's time to change our fortress mindset towards network security.

©iStock.com/ValeryEgorov

In the middle ages technical and economic forces brought to an end centuries of military theory as city walls became ineffective, irrelevant and even counterproductive. A similar disruption is happening now, but this time inside corporate networks.

Enterprise network as the fortress

Managing information security for corporate networks has always been difficult. Just for starters, the adversarial pursuit associated with IT security has been a disruptive force since well before the word disruption became trendy. But the bigger challenges, the ones that mean we really need to change the way we think about information security, are the changes to the nature of the corporate networks themselves. In short, I’m not sure corporate networks are going to exist in the future – certainly not in the terms we currently think of them.

In the past we relied heavily on network segregation to protect corporate assets, information and systems. The theory was pretty simple – build a wall, good guys on the inside and the great unwashed on the outside, and then carefully control what comes in and goes out through one or more gateways. In this model we concentrated our defences on the points where information flowed into or out of our network, and used terms like choke point, bastion, inspection point and firewall to describe the controls.

This approach has two problems.

The first is that our ability to meaningfully inspect traffic coming in and out of the fortress isn’t keeping up with the threats. It’s a challenge InfoSec has always had, but now innovation – web, digital, cloud – has accelerated the problem, giving cybercrooks and the other bad guys too many new opportunities to attack.

Our fortress goes virtual

The second problem is that it’s not just the security arms race that is emasculating our virtual fortress. Our users (the good guys) no longer want to live inside the fortress; they want to access enterprise information and systems from wherever they are, via the now ubiquitous Internet, and using whatever device they have to hand. And the assets we are charged with protecting are also rapidly decamping beyond the castle gates into the cloud. The battleground has moved, and the challenge now is making sure we have the right capabilities in the right places for the next round.

Decouple and conquer

This challenge to deliver services securely anywhere and anytime means we need to ‘decouple’ network security from network topology. In other words, our ability to protect assets, information and users can no longer be contingent on them living inside the fortress; the protection needs to go with them to wherever they want to be, or wherever market forces increasingly dictate they need to be.

The first part of addressing this change is changing our thinking. Avoid thinking of networks as being divided into trusted, untrusted and semi-trusted. While such terminology isn’t entirely without value, those labels can lead to dangerous assumptions.

For example, when a system in the trusted part of the network is compromised it can potentially leverage this trust to attack its neighbours. What’s more, it can usually go about this task without fear of being detected by the corporate defences, because they’re mostly focussed on the boundary between trusted and untrusted parts of the network. The classic analogy is the Trojan Horse; once it got inside the fortress of Troy, Greek soldiers emerged overnight and created havoc.

Enter the Zero Trust Network

A conceptual model that helps us understand how to address this challenge is the Zero Trust Network. The premise of Zero Trust is that trust shouldn’t be assumed between network actors regardless of location. It follows that protection should be applied to the smallest indivisible network actors. Laptops, smartphones, servers, desktops, storage… every network participant needs to protect itself.

Zero Trust gives us a model for addressing the existing security challenges within the fortress: you can’t trust your neighbours just because they live in the trusted zone of the network. Zero Trust also gives us a model for dealing with users and systems that live outside the fortress because its fundamental principle has universal applicability: every network participant needs to protect itself.

That might sound like “Every man for himself!”, but that’s not the intent at all. Rather, it’s that the point of protection (the policy enforcement point) needs to be pushed as close as possible to (and ideally onto) the endpoints. However, the best overall security posture will be achieved if these endpoints act as a unified whole. For example, if you install endpoint software with an intrusion prevention capability onto your 2,000-strong desktop fleet, and you tie the alerting capability from the endpoints together, then you have just created a 2,000-strong IPS sensor network.
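As an added illustration of that “unified whole” point (example code, not from the article or its author): each endpoint’s host IPS on its own sees a single probe, while correlating the same alerts centrally reveals one source sweeping the fleet. The alert format, host names, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, as individual endpoints' host IPS agents would
# report them to a central collector: (timestamp, reporting endpoint,
# source address, signature). Host names and addresses are made up.
ALERTS = [
    ("2024-05-01T09:00:01", "ws-0113", "10.20.4.17", "smb-probe"),
    ("2024-05-01T09:00:04", "ws-0208", "10.20.4.17", "smb-probe"),
    ("2024-05-01T09:00:09", "ws-0342", "10.20.4.17", "smb-probe"),
    ("2024-05-01T09:00:15", "ws-0561", "10.20.4.17", "rdp-bruteforce"),
    ("2024-05-01T09:00:20", "ws-0777", "10.20.4.17", "smb-probe"),
    ("2024-05-01T09:30:00", "ws-0113", "10.20.9.200", "smb-probe"),
    ("2024-05-01T11:00:00", "ws-0208", "10.20.9.200", "smb-probe"),
]


def alerts_seen_by(endpoint, alerts=ALERTS):
    """What one endpoint knows on its own: alert count per source address.
    A host sees only traffic aimed at it, so one probe looks like noise."""
    counts = defaultdict(int)
    for _, host, src, _ in alerts:
        if host == endpoint:
            counts[src] += 1
    return dict(counts)


def find_lateral_movement(alerts=ALERTS, window=timedelta(minutes=5),
                          min_targets=3):
    """What the fleet knows together: sources that touched at least
    min_targets distinct endpoints within any window-long period.
    Returns {source: sorted endpoints it touched in that period}."""
    by_source = defaultdict(list)
    for ts, host, src, _ in alerts:
        by_source[src].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for src, events in by_source.items():
        events.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_targets:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("ws-0113 alone sees:", alerts_seen_by("ws-0113"))
    print("fleet correlation flags:", find_lateral_movement())
```

Run on the constructed data, the per-host view reports one alert per source for ws-0113, while the fleet-wide correlation flags 10.20.4.17 for touching five endpoints inside one five-minute window and leaves the isolated probes from 10.20.9.200 unflagged.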

Zero Trust isn’t without its challenges

  • Massively increased number of configurable items. You think it’s tough looking after a few firewalls? Try looking after 2,000! Good management consoles, standardisation and policy-driven configuration will be essential.
  • Endpoint readiness. Products are still developing capability and lag traditional network security appliances in being ready for Zero Trust, but many vendors now understand the strategic imperative.
  • Our own readiness. Zero Trust is such a fundamental shift that many network security practitioners simply don’t yet get it.

Pressure from cloud, mobile workforce and the changing nature of corporate networks is going to disrupt much of the existing, fortress-based approach to information security. But the reality is, those defences have been crumbling for years.

Predictably, many IT security experts are responding by either trying to extend the fortress or building more fortresses, and that strategy will remain valid in certain situations. But Zero Trust offers us a model for consideration which both addresses the shortcomings of our current security model and, equally importantly, positions us to support the likely future state of corporate networks.

About the Author

Clem Colman is an experienced business leader and IT Security specialist. He is a Principal Consultant at UXC Saltbush.