Creating a zero trust environment
The rise of remote working, the ongoing migration of businesses to the cloud and the worsening threat environment are all contributing to a growing need for Zero Trust architectures. The underpinning principle of Zero Trust is ‘never trust, always verify’, and the goal is to create a more robust security environment, while also reducing administrative complexity.
It challenges the outdated view that everything inside an enterprise’s security perimeter is trustworthy. The traditional security model fails to fully acknowledge that cyber criminals are able to infiltrate security perimeters; instead Zero Trust views everything inside an organisation’s network with as much distrust as anything outside that perimeter.
So how can organisations go about creating – and maintaining – a Zero Trust environment?
User identity verification is not enough
The importance of user identity verification in creating a Zero Trust architecture is widely accepted. Most organisations have relative confidence in their processes for verifying user identity; information they then use to decide which data, assets or applications the user can access.
But there’s a catch – user identity verification on its own is insufficient to create a Zero Trust architecture. The reason is simple – if a device is compromised, it can also be used by a threat actor. In other words, no matter how thorough the user identification is, if the endpoint is compromised, so is the security.
Even identity techniques such as biometrics and multi-factor authentication (MFA) cannot fully mitigate this risk. This is a truth that has been borne out time and time again in the world of online banking – a user accessing critical banking services from a personal device is vulnerable to cyber attacks despite the user being authorised and authenticated – usually through MFA. User identity verification alone is simply not sufficient to create a secure, Zero Trust environment, as more often than not, the user’s machine is where the vulnerabilities lie.
The growing need for endpoint security
Securing devices is undoubtedly a critical aspect of implementing a Zero Trust Architecture, but also one of the most challenging. To do this, organisations need to ask themselves: does the device being used for the task in hand have the right security in place
This answer is significantly complicated by the fact that modern organisations have a growing number of devices accessing company data – the rise in remote working means that employees are often accessing company resources and networks from personal devices, whose security status is unknown. This not only vastly increases the attack surface, but also impairs the organisation’s ability to implement broad brush security measures for each and every device accessing company networks.
This problem is further compounded when we factor in the continued migration of company data, applications and services to the cloud. Many cloud services provide zero support for endpoint security, focusing exclusively on user identity verification.
And those cloud providers that do consider endpoint security, do so crudely – for example, typically, providers do this by making access conditional on the source IP address. This means that companies need to ensure that relevant devices are funnelled through specific IP addresses.
However, with today’s hybrid workforce accessing data and applications from a wide array of locations, this approach is not fit for purpose. Instead, a more effective approach would be: user A is permitted full administrative rights in Cloud Service X when using a high-security device, and only reduced user rights when using a lower-security device. I.e., the security levels of the specific device should ultimately determine whether or not a verified user gains access to company networks and data.
The limitations of traditional techniques
Many components of endpoint security are well established, for example: patching, antivirus protection and Endpoint Detection and Response. But the real challenge for any organisation is to know how effective such tools really are.
If we look more closely at detection-based tools, a flaw quickly becomes clear – these technologies aren’t equipped to stop malware from entering a network in the first place – all they do is detect it once it has successfully infiltrated a business’ security perimeter. What’s more, these tools are limited to defending against behaviour that is already known to be suspicious, meaning that they are often unable to detect zero-day malware infiltration, leaving organisations vulnerable to attack.
Another endpoint security strategy takes the approach of restricting access to the internet. Although this drastically reduces the opportunity for devices to be compromised, since modern workers rely heavily on the internet to perform their roles, it has the unintended effect of severely limiting employees’ ability to do their jobs.
It’s clear that enterprises need a new solution to endpoint security.
A Zero Trust solution
A solution that sensitive government security agencies and security-conscious mainstream enterprises organisations are turning to is Browser Isolation. This works by creating an unbreachable separation between the user’s device and the internet, eliminating the risk of users coming into contact with malicious malware.
Full Browser Isolation uses a technique called ‘Pixel Pushing’ which converts the browsed web page into a safe, video representation of the web – meaning that devices are separated – and therefore protected from the risky internet. This removes all risk of malware attacks, regardless of the sophistication or frequency of such threats.
By assuming that all internet content is malicious, Browser Isolation creates a protective buffer between the web and a company’s network, while still giving employees unfettered access to the internet. It is a Zero Trust solution that does not rely either on detection or on restricting online activity.
A holistic approach
Without a doubt, securing endpoints is the most important challenge organisations face when it comes to creating, and maintaining, a Zero Trust environment.
Zero Trust is a journey prompted by the need to maintain the security of enterprise resources while delivering on the business promises of flexibility, mobility and rapid innovation in an online world with an ever-growing threat level. And as the name itself implies, a Zero Trust architecture is just that: an architecture rather than a single point solution.
Within a Zero Trust architecture, the security level of user devices is just as important as the ability to verify user identity. Delivering on both of these elements is integral to creating a Zero Trust environment.
Henry is a seasoned technology industry executive and serial entrepreneur who has spent the last ten years focused on cyber security both as an independent consultant and as Technical Director for Cyber Security at UK defense and security company BAE Systems.
Henry’s previous ventures include a desktop videoconferencing startup, and he has been responsible for developing and selling advanced electronics solutions into governments, telecommunications companies and financial services organizations amongst other sectors.