Zero Trust – Is it right for your organisation?
Section one – An easy overview
We’ve all heard about how our organisations are under attack, with vendors of all breeds waving their hands and pushing their solution as the be-all and end-all of every security requirement. But hey, you know what? No one vendor solution is 100% perfect. That latest Advanced Endpoint Protection you’ve got there? Sure! It’ll block everything you can shake your fist at, but what if someone managed to plug into an unused port on your network? Is that port secure? If you’re one of the many Kiwi organisations out there without a security-focused IT partner, maybe not.
The idea of Zero Trust is not only to prevent an intrusion into your network, but also to limit what an intrusion has access to. That fancy firewall you have at the internet edge of your network (North-South traffic) is probably doing a great job preventing inbound threats, but how are you preventing an intruder already present on your internal network from hopping from unknown workstations to servers, and then from server to server (East-West traffic)?
Most organisations will look at the above and realise they aren’t doing much, if anything.
There are a number of strategies for implementing a Zero Trust architecture; however, the implementation portion is out of scope for this article.
“never trust, always verify”
Section two – The ins and outs
The ins and outs, you say? Yes! Moving your servers (and even different types of servers) into their own security zones, and protecting the ins and outs of each zone, is a key element of Zero Trust. What applications are traversing your zones? Do they have a risk factor? Should traffic between your domain controllers and file servers traverse its own security zone? There are a huge number of questions to ask here, and having someone with the know-how is key in ensuring staff disruption is kept to a minimum.
Ensuring unwanted or unknown traffic between these zones is blocked by default is an important part of the overall picture. Layer 7 capability within your firewall equipment is key here: a rule that identifies the application, not just a port, is what lets you allow only the traffic a zone actually needs. Define your protect surface and ensure your Data, Applications, Assets and Services are secure.
Having walked into a number of networks running antiquated systems (old SCADA installs, mainframes and a huge number of employee time management systems are the most common), I can say many of these systems have not been updated in many years due to cost, or old staff no longer being available. These systems are a huge risk to any organisation, from potential downtime to the exfiltration of private records.
With the new privacy laws having recently come into effect in Australia, followed very shortly by New Zealand’s own version, taking care of Personally Identifiable Information (PII) must be given the utmost priority, no matter how small a footprint you believe your organisation to have.
Section three – Identify that user!
So now you have your applications contained. How do you ensure that traffic is coming from a trusted user, endpoint or device?
Most organisations will use a source IP address. While this may appear to be a great idea, in practice it is easily bypassed: an address says which machine sent a packet, not who is sitting at it.
There are a number of ways you can identify that user’s traffic:
- Using an agent on a domain controller
- WMI pulls from the domain to the firewall (not really recommended on branch-enabled sites)
- Terminal Server agents
- Captive portal
And of course, verify that user via MFA. If your application has no support for MFA, our advice would be to purchase equipment which can present a captive portal with MFA support.
By identifying your user traffic, you can now define policies allowing specific groups of users access to applications, while other users might get no similar access at all, or access on a smaller scale.
Section four – Log that access!
Now that you have your business applications allowed and your users defined, you need to ensure your team (or outsourced provider) can have a view over what is actually happening within your environment. Again, there are a number of ways you can deal with this:
- Individual logs on devices. Marrying up security events between devices and servers is difficult at best!
- Use vendor cloud logging. This is great if everything you own is from a single vendor. Hands up who uses a single vendor in your organisation. I can guarantee your firewall does not match your switches, which do not match your access points, which do not match your servers.
- Use an outsourced Security Information & Event Management (SIEM) platform
So, based on the above, you’ve chosen a SIEM, right? A SIEM is a behemoth, and unless you are a 400+ seat organisation it’s unlikely you’ll want to run it yourself.
In choosing a partner, and the SIEM you’ll be using, there are a number of functions you want that SIEM to support. Not every SIEM is created equal, and we could provide pages of requirements, but at a minimum:
- The ability to accept incoming information from a variety of sources (Syslog, Windows, vendors!)
- A dashboard which is easy for non-technical staff to look at
- The ability to weed out confidential information on a local logging agent, before it leaves your network
- How do alerts work?
- Is access secured by MFA?
Section five – Maintain your policies
Going down the Zero Trust path can be a time-consuming exercise; however, there is nothing worse than investing in the work and then having it all circumvented because your users suddenly need access to an application.
Ensure your company policies enforce strict guidelines around changes to firewall and access policies. Implement change control procedures enforcing a delay between an application request and when your IT staff or service provider need to implement the change. This will give your team time to think about and set up the access correctly, rather than setting up a quasi-temporary rule which will never get removed and introduces risk down the track.
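As an added illustration (not code from the article or from any particular firewall vendor), here is a small Python model of the zone policy that sections two, three and five describe: East-West traffic is denied by default, a rule matches on the Layer 7 application and the identified user group rather than on a source IP, and an audit picks out the rule that skipped change control or expired without being removed. The zone, application, group and ticket names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str                        # Layer 7 application id, not just a port number
    user_group: str                 # from a DC agent / captive portal; "any" = no identity check
    change_ref: Optional[str]       # change-control ticket; None means it bypassed the process
    expires: Optional[date] = None  # None = permanent; temporary access must carry a date

# Constructed policy: zone, application, group and ticket names are made up for this example.
POLICY = [
    Rule("ws-to-dc-auth", "workstations", "domain-controllers", "kerberos", "domain-users", "CHG-101"),
    Rule("staff-to-files", "workstations", "file-servers", "smb", "staff", "CHG-102"),
    Rule("dc-to-files", "domain-controllers", "file-servers", "smb", "any", "CHG-103"),
    Rule("ot-to-scada", "workstations", "scada", "modbus", "ot-engineers", "CHG-104"),
    Rule("vendor-window", "workstations", "file-servers", "rdp", "vendors", "CHG-105", date(2024, 1, 31)),
    Rule("quick-fix-rdp", "workstations", "scada", "rdp", "any", None),  # the quasi-temporary rule
]

def evaluate(src_zone: str, dst_zone: str, app: str, user_group: str,
             policy: list = POLICY, today: Optional[date] = None) -> Optional[str]:
    """Name of the first live rule matching the flow, or None: East-West traffic is denied by default.
    user_group is "unknown" when the firewall could not map the source IP to a user."""
    today = today or date.today()
    for r in policy:
        if r.expires is not None and r.expires < today:
            continue  # an expired rule grants nothing, even if it is still configured
        if (r.src_zone, r.dst_zone, r.app) != (src_zone, dst_zone, app):
            continue
        if r.user_group not in ("any", user_group):
            continue  # identity mismatch: a source IP alone is never enough
        return r.name
    return None

def audit(today: date, policy: list = POLICY) -> list:
    """Flag rules that drifted past change control: no ticket, or expired but never removed."""
    findings = []
    for r in policy:
        if r.change_ref is None:
            findings.append(f"{r.name}: no change reference")
        if r.expires is not None and r.expires < today:
            findings.append(f"{r.name}: expired {r.expires}, remove it")
    return findings
```

Running the audit on a schedule, and failing it when a rule has no change reference, is the mechanical version of the change-control delay described above.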
In conclusion – Zero Trust – Do you need it?
We firmly believe that every organisation can make use of Zero Trust; however, how it is implemented is up to you. Not every organisation will want to log everything. Not every organisation will want to separate different types of servers from one another.
Our recommendation is to speak with your IT provider. If you feel they aren’t working on your infrastructure from a security perspective, ask around.
As always, I am available through a variety of means; feel free to get in touch if you have any questions, or want to discuss how we can help with your infrastructure.