
Paradigm shift needed to achieve Zero Trust environment


Johannesburg, 19 Apr 2022
Milad Aslaner, head of Technology Advisory Group at SentinelOne.

Organisations need to move from a perimeter-based security model to an endpoint-centric Zero Trust security model to better protect remote and hybrid workforces and increasingly cloud-based environments.

This is according to Milad Aslaner, head of technology advisory group at SentinelOne, who was addressing a webinar on achieving a Zero Trust security model. He said moves to a Zero Trust model were accelerating worldwide.

A poll of webinar participants found that 11% had already completed Zero Trust projects, 22% had projects planned within the next 3–6 months, 27% planned projects within the next 6–12 months and 38% said they were not planning to move to a Zero Trust model.

“A true Zero Trust security model can’t be achieved overnight, by enabling one capability or by buying a single product – it requires a great deal of planning,” he said. “Beyond the buzz and noise of marketers, organisations need to understand the net benefits to move to Zero Trust more actively.”

“The fundamentals of Zero Trust are not new per se; they existed long before they moved to the cyber security world. ‘Never trust, always verify’ has always been the approach in the military, and we are now adapting the concept from physical security and extending it into cyberspace. The second principle is ‘assume breach’. It’s not about if you will get compromised, but when you will get compromised, and about preparing accordingly. You also need to verify explicitly to grant in-time access for legitimate users and healthy endpoints,” he said.

“I believe the reason why it has become so important for organisations, is that the way we work today has changed dramatically, with more mobile workers than ever. This makes the old perimeter security model ineffective. We are also seeing more cloud adoption, with IaaS, SaaS, and a further push to cloud during Covid. User identity is required for employees, partners, applications, contractors and customers; and the number of corporate endpoints has increased. Applications are accessible from anywhere in the world and volumes of data have increased massively.”

The legacy perimeter-based security model has limitations in dealing with this new environment, he said. As a result, there is a lot of interest in moving from a legacy, perimeter-based model to a perimeter-less Zero Trust security model with continuous verification and in-time access for trusted entities to corporate networks and services.

Aslaner explained that the principles of Zero Trust are never trust, always verify, assume an adversary has breached the environment, and be explicit in verification. “Treat every user, endpoint, application or workload, and data flow as untrusted. Authenticate and explicitly authorise each to the least privilege required. Operate and defend resources with the assumption that an adversary already has a presence within the environment. Deny by default and scrutinise all users, endpoints, data flows, and requests for access. Dictate access to all resources in a consistent and secure manner using multiple trust signals for contextual access decisions,” he advised.

Aslaner said: “The building blocks of a Zero Trust security model are defining the protect surface; mapping transaction flows; monitoring and maintaining the environment; creating Zero Trust policies and architecting the environment. Zero Trust requires visibility, analytics, and automation. Once we have the foundation in place, we need to address four key pillars: endpoints, workloads, users’ identity and networks as the cornerstones of Zero Trust.”
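To make the principles in the two preceding passages concrete (deny by default, verify explicitly, least privilege, multiple trust signals feeding a contextual access decision, and a defined protect surface with time-boxed access that is continuously re-verified), here is an added illustrative policy engine. It is example code written for this article, not code from SentinelOne or from the webinar, and everything in it is an assumption: the two resources and their sensitivity tiers, the set of trust signals, the posture thresholds, the network labels and the one-hour and eight-hour access windows.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed protect surface (assumption): resources in scope, their sensitivity
# tier, and which identities are entitled to them. Entitlement is per resource.
PROTECT_SURFACE = {
    "hr-db": {"tier": "high", "entitled": {"alice"}},
    "wiki":  {"tier": "low",  "entitled": {"alice", "bob"}},
}

@dataclass(frozen=True)
class Request:
    """Trust signals collected for one access request (constructed fields)."""
    user: str
    mfa_verified: bool
    device_managed: bool   # endpoint enrolled in management
    edr_healthy: bool      # endpoint agent reports no active threat
    os_patched: bool
    network: str           # "corp", "vpn" or "public"
    resource: str
    action: str            # "read" or "write"

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    expires_at: Optional[datetime] = None

def posture_score(req: Request) -> int:
    """Number of healthy endpoint signals, 0..3."""
    return int(req.device_managed) + int(req.edr_healthy) + int(req.os_patched)

def decide(req: Request, now: datetime) -> Decision:
    """Deny-by-default policy: a grant needs explicit positive signals and is time-boxed."""
    entry = PROTECT_SURFACE.get(req.resource)
    if entry is None:
        return Decision(False, "resource not in protect surface")
    # Verify explicitly: being on the corporate network is never a substitute for MFA.
    if not req.mfa_verified:
        return Decision(False, "MFA required")
    # Least privilege: entitlement is checked per resource, not granted by network location.
    if req.user not in entry["entitled"]:
        return Decision(False, "user not entitled to resource")
    score = posture_score(req)
    if entry["tier"] == "high":
        if score < 3:
            return Decision(False, "device posture insufficient for high-tier resource")
        if req.network == "public":
            return Decision(False, "high-tier resource not reachable from public network")
        if req.action == "write" and req.network != "corp":
            return Decision(False, "writes to high-tier resource only from corp network")
        ttl = timedelta(hours=1)   # assumed short in-time window for sensitive data
    else:
        if score < 2:
            return Decision(False, "device posture insufficient")
        ttl = timedelta(hours=8)   # assumed longer window for low-tier data
    return Decision(True, "granted", expires_at=now + ttl)

def session_valid(req: Request, granted: Decision, now: datetime) -> bool:
    """Continuous verification: re-check current signals, and expire on the clock
    even if nothing changed (assume breach: a grant is never permanent)."""
    if not granted.allow or granted.expires_at is None or now >= granted.expires_at:
        return False
    return decide(req, now).allow

def demo() -> dict:
    """Runs the policy over constructed requests and returns the outcomes by name."""
    t0 = datetime(2022, 4, 19, 9, 0, tzinfo=timezone.utc)
    base = Request(user="alice", mfa_verified=True, device_managed=True, edr_healthy=True,
                   os_patched=True, network="vpn", resource="hr-db", action="read")
    first = decide(base, t0)
    low_tier = Request(user="bob", mfa_verified=True, device_managed=True, edr_healthy=False,
                       os_patched=True, network="public", resource="wiki", action="write")
    return {
        "vpn_read": first.reason,
        "ttl_hours": (first.expires_at - t0).total_seconds() / 3600,
        "public_read": decide(replace(base, network="public"), t0).reason,
        "no_mfa": decide(replace(base, mfa_verified=False), t0).reason,
        "not_entitled": decide(replace(base, user="bob"), t0).reason,
        "vpn_write": decide(replace(base, action="write"), t0).reason,
        "corp_write": decide(replace(base, action="write", network="corp"), t0).reason,
        "unknown_resource": decide(replace(base, resource="payroll-share"), t0).reason,
        "low_tier_degraded": decide(low_tier, t0).reason,
        "still_valid_10min": session_valid(base, first, t0 + timedelta(minutes=10)),
        "expired_after_ttl": session_valid(base, first, t0 + timedelta(hours=1)),
        "revoked_on_edr_alert": session_valid(replace(base, edr_healthy=False), first,
                                              t0 + timedelta(minutes=10)),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the code makes is that the network a request arrives from is only one signal among several: the same identity with the same healthy device is granted read access to the sensitive resource over VPN, refused it from a public network, refused writes anywhere but the corporate network, and loses an already-granted session the moment the endpoint agent reports a problem or the access window lapses. Mapping transaction flows, in this model, is the work of filling in PROTECT_SURFACE and the rules in decide for real resources.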

Aslaner outlined three Zero Trust maturity levels on the journey to an optimised Zero Trust model:

  • Traditional – manual configuration and attribute assignment, static security policies, least-function established at provisioning, proprietary and inflexible policy enforcement, and manual incident response and mitigation capability.
  • Advanced – some cross-solution coordination, centralised visibility, centralised identity control, policy enforcement based on cross-solution inputs and outputs, some incident response to pre-defined mitigations, and some least-privilege changes based on posture assessments.
  • Optimal – fully automated assignment of attributes to assets and resources, dynamic policies based on automated/observed triggers, assets with dynamic least-privilege access (within thresholds), alignment with open standards for cross-pillar interoperability, and centralised visibility with retention for historical review.

Source: Identity Defined Security Alliance, www.idsalliance.org. Identity Security: A Work in Progress
