The dissolving network perimeter is forcing IT leaders to accelerate their network and security transformation. To better manage risk, security programs should be refocused for today’s cloud-native world with consistency of controls that reliably protect against unauthorised user access. Read on to discover how to gain consistency in your cybersecurity controls with zero-trust authentication processes.
At the beginning of the pandemic, we saw a rush to get every company operating from the cloud and provide employees with the ability to work from home. Some companies issued admin credentials in-house so that people could access files remotely, while many others turned to service providers, which suddenly offered crash courses for an emergency VPN. At that stage, people believed that VPN seemed to be the only route forward. In a panic, some organisations procured cloud tenants and accounts without considering authentication management, leading to poor security control set-ups. But when we look at the bigger picture, we’ve got to question whether what we did before is right…
‘Martini’ Security: “Anytime, anyplace, anywhere”
Whether you’re working at home, in a coffee shop, on the train, or in the office, your network must have the same level of protection. ‘Martini’ security: “Anytime, anyplace, anywhere” is a mentality we should adopt going forward, especially since the impact covid-19 has had on the ever-changing threat landscape. It’s all about consistently managing security controls for who can connect and run the applications they need, regardless of whether it’s on-prem or off-prem, virtual or otherwise, such as g-suite, Microsoft 365.
The ‘w’ questions to ask when building your policy controls
To put ‘martini’ security into practice, ask yourself the ‘w’ questions such as who, why, where, and when? Consider what time your employees are logged into the server, where from, which device they use and which files they need access to. This will allow you to build an environment with a complete view of what things should look like in terms of security, data sharing and privacy requirements. In the future, these controls will become the standard that cannot be adjusted and will request the reauthorisation of a user when an anomaly arises.
In the olden days, you would build big strong walls and a single gateway into a castle. You challenged people at the gateway and once trusted, allowed them free reign to wander inside anywhere they like. But what if we put guards at the entrance to the treasury, the storehouse, and the armoury and challenged people before they were allowed to enter each room? We could then open up the drawbridge to the public because we won’t trust them to enter one of the castle rooms until they prove their identity. However, this only works if you are consistent in challenging every person entering every room.
Adopting a zero-trust policy will drive a consistent approach to everything you do. Build the controls to ask the right questions of your systems and people and set off alarm bells when those consistencies aren’t met. There is no trust and no privilege. The policy is set to drive authentication for everything, i.e. the device, user, or application. Thus, the need for a VPN is therefore left redundant.
Just as we can get rid of the drawbridge and portcullis at the castle, everything can become a dirty network and potentially, there is no need for a firewall. This means your applications and network can become public-facing because it’s all controlled by a complete policy of zero-trust authentication. Instead of connecting through the office to the enterprise data centre, to then go out of the data centre to connect to where you’re working, the solution is to make all your apps public-facing and secure according to the policy you created utilising the ‘w’ questions.
So, how does a user prove they are who they purport to be? Think about your identity as an individual, your fingerprint on your phone, the apps you use, your smartwatch showing your heart rate, the speed and style of which you type… there’s an abundance of data to be interrogated. Thus, allowing users to prove who they are in a format almost impossible for threat actors to spoof.
Eat, sleep, authenticate, repeat
With the network perimeter dissolving and organisations adopting hybrid working, the need for a zero-trust approach has never been more prominent. Adopting a ‘martini’ style approach to network security will allow employees to work from any location with the same level of network protection. To build consistency within your controls, strong identification methods are required to constantly force users to reauthenticate themselves. As we move forward, we’re likely to see a world using the virtual ‘public’ network, not a virtual private network. Ultimately, if you treat systems and people without consistency, you will experience a breach; it’s only a matter of when.
For more information on consistency of controls and how to adopt a ‘martini’ style network, why not check out our webinar hosted by the SASIG, featuring Secrutiny’s CEO and Co-founder, Ian Morris.