“There wasn’t so many issues like there are today. It was a simpler time,” said the American songwriter Wanda Jackson.
Jackson likely didn’t have agency security controls in mind when she uttered those words; however, they seem apt given the changes in the way agencies now operate and how that has impacted the way we think about security. If we go back even just a few years, securing the users, applications and data that an agency used was relatively straightforward. Users were tied to their desks, and applications and data resided in a data center inside the agency.
Security was all about building a strong perimeter defense to keep the attackers out and keep agency data from being compromised or stolen. For the users who needed remote access, deploying a VPN solved that need. The security mantra was very much about trusting a user and device because it was “inside” the network, and granting network-level access based on that fact. Inside = good; outside = bad.
But everything has changed. Users are no longer tied to their desks, and they now need access to applications and data no matter where they are and irrespective of the devices they use. It’s not just agency employees who need access to agency applications and data; there are contractors, temporary employees, vendors and other third parties who need that same availability of access.
Applications may still be located in the agency data centers, but apps are increasingly hosted on one or more public cloud services, and Software as a Service applications are being adopted by agencies to help accelerate the modernization of services.
The agency perimeter has evolved, and employees are now segmented into different user groups with different accessibility needs. Users are accessing applications that are no longer considered inside the perimeter of the agency. Trying to apply agency security controls using the methodology and tools that worked in simpler times is a very bad idea. Security that was built up over the past 20 years using stacks of security boxes has become so complex to manage and is now so fragmented that it appears relatively simple for the bad actors to infiltrate a network and remain undiscovered for months — and in extreme cases, for years.
This is evidenced by the recent data on government security breaches from Comparitech: 443 data breaches involving 168,962,628 records since 2014. It appears to be trending upward as well; 2018 was the worst year for data breaches, with 100 occurring and 81,505,426 records involved.
So, is there a better way?
How a Zero-Trust Architecture Can Help Agencies
A zero-trust model might be a very viable approach for agencies that now need to modify their security approach to deal with this new paradigm. Zero trust is not a new concept: it was first suggested by an analyst group from Forrester Research in 2010. It has now started to gain significant traction.
So, what is zero trust? In a nutshell, zero trust assumes that every user, every server and every request is untrusted until proven otherwise, and that trust is continuously and dynamically assessed every time a user or device makes a request to access a resource. It does not matter where the user is located, what devices they are using, or whether the resource is in a data center or is hosted on IaaS: Each transaction is suspicious until proven otherwise. This approach no longer relies on the trusted perimeter; in fact, the perimeter no longer exists, and there is no longer an inside or outside.
However, completely transforming to a zero-trust security model is not something that can be done overnight. The reality is that this is likely a multiyear strategic transformation project, as it takes time to implement these types of major network and security changes. Below are three tactical actions that agencies can take as a way to start their zero-trust transformation.
3 Ways to Get Started on a Shift to Zero-Trust Security
- Move from network access to per-application access. Giving full network access increases an organization’s attack surface, exposing the network to more threats and making it easy for bad actors to move laterally when they gain access. Access should be restricted to the applications users need to do their jobs; if they only need access to HR apps, then why should they have access to finance apps?
Start with apps that are easy to transition — for example, web-based applications or new apps that are being rolled out. Then conduct a zero-trust assessment to help develop a strategic plan to move from an agency’s current state to a zero-trust framework. The assessment would typically include profiling users and applications (who needs access to what) and reviewing the agency’s current security architecture. The plan should have a phased approach to moving all applications, including the agency’s legacy on-premises apps to that new framework.
- Eliminate your VPN for specific user groups. A zero-trust security framework requires that the agencies’ users stop trusting their endpoints implicitly and work to decommission legacy access — including VPN and privileged corporate Wi-Fi/Ethernet segments. Start by provisioning access based on user groups and roles, especially high-risk user groups such as contractors. Apply policies that couple roles to the relevant applications, which helps to reduce the attack surface in the case of compromised devices.
- Start to reduce the complexity of your existing security stack. A traditional perimeter usually consists of numerous hardware or virtual appliances for access control, such as VPN appliances, identity providers, single sign-on and firewalls, and secure web gateways for application delivery and performance. Once the agency adds in redundancy and regional deployments, that can add up to a huge number of appliances that need to be deployed, managed, maintained and (let’s not forget) patched.
One approach to move from the traditional perimeter is to move to cloud-based security solutions. Start with integration of smaller locations where, instead of backhauling traffic to the agency’s central site for inspection and control, they could send some or all of that traffic direct to the internet via a cloud-based platform. That allows the agency to reduce the complexity of security at those smaller locations and to reduce the cost of backhauling traffic over expensive multiprotocol label-switching links.
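The first two actions above (per-application access, and provisioning by user group) can be contrasted with the old "inside = good" rule in a few lines. This is an added sketch, not from the original article; the group, application and network names, the posture flags and the sample requests are all hypothetical.

```python
from dataclasses import dataclass

# Constructed policy coupling each group to the applications it needs.
# All group, application and network names here are hypothetical.
APP_POLICY = {
    "hr-staff": {"hr-portal"},
    "finance": {"finance-ledger"},
    "contractors": {"ticketing"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    app: str
    mfa_verified: bool
    device_compliant: bool
    source_network: str  # kept for audit; never an input to the decision

def perimeter_decide(req):
    """Legacy model from the article: inside = good, outside = bad."""
    return req.source_network == "agency-lan"

def zero_trust_decide(req):
    """Per-request, per-application decision. Default deny."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device fails posture check"
    granting = sorted(g for g in req.groups if req.app in APP_POLICY.get(g, set()))
    if not granting:
        return False, "no group entitles user to " + req.app
    return True, "granted via " + ",".join(granting)

def compare(req):
    """Return both decisions for one request, for side-by-side review."""
    allowed, reason = zero_trust_decide(req)
    return {"perimeter": perimeter_decide(req), "zero_trust": allowed, "reason": reason}

# Constructed sample requests.
SAMPLES = [
    AccessRequest("alice", frozenset({"hr-staff"}), "finance-ledger", True, True, "agency-lan"),
    AccessRequest("alice", frozenset({"hr-staff"}), "hr-portal", True, True, "internet"),
    AccessRequest("bob", frozenset({"contractors"}), "ticketing", True, False, "agency-lan"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.app, r.source_network, compare(r))
```

The perimeter rule lets the HR user reach the finance app from the agency LAN and blocks the same user's legitimate HR access from the internet; the per-application rule reverses both outcomes and also stops the contractor's non-compliant device.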
The three key points to consider for transformation are controlling users’ access to agency assets and applications; using segregation by user groups, gradually reducing full access to an agency’s network once it is no longer necessary and eliminating VPN services to reduce the threat surface; and monitoring agency entities and devices to limit authenticated access.
It’s not an easy task for agencies to completely transform into a zero-trust architecture; it’s a process that requires planning and careful execution. Yet, the evolving threat landscape has given us no choice but to pursue and adopt these changes.