What is the Zero Trust Triangle and what is required for it to provide a solid defense against would-be attacks from all angles?
2021 is well on its way to being another bumper year for cybercrime, with businesses expected to suffer an estimated $6 trillion in total damages, worldwide. When averaged out across individual companies, this equates to more than $13 million per company, although not every company will suffer equally.
The traditional corporate perimeter had already begun to fray at the edges before the advent of COVID-19, but corporate responses to the pandemic have accelerated the process. Specifically, IT trends such as migration to the cloud and increasing adoption of remote work have had a major impact on organizations’ cybersecurity posture and processes.
We have already seen that traditional security measures are proving to be ineffective against increasingly innovative attackers. Migration to cloud computing and increasing volumes of work done by remote and home-based workers have accelerated many IT trends and unfortunately exposed many new vulnerabilities for cybercriminals to target.
One big issue organizations face is that traditional security measures conflate authenticated users with trusted users. Once a user is authenticated, they have a certain level of access to the organization inside the perimeter. While they may not be authorized to use every resource they can see, they can still see every resource. This means that an attacker—or malicious insider—with basic network access and some reconnaissance tools can do serious damage to an organization.
Redefining the Perimeter with Zero Trust and Microsegmentation
Under a Zero Trust security model, every user on the network is treated as potentially hostile. This approach can be a lifesaver for companies attempting to adapt to a work-from-home environment. How does it work?
One of the central ideas behind Zero Trust is that even an authenticated user should not necessarily be trusted. Therefore, a Zero Trust approach requires security technologies that:
- Employ multi-factor authentication (MFA) to verify user identity
- Continue to re-affirm user identity and access privileges at any new juncture—every time users want to access a new resource
- Monitor activity in real time and flag administrators if suspicious activity is detected
- Create an air gap between enterprise resources and the public Internet (for example, by using advanced technologies such as remote browser isolation (RBI))
- Implement “least privilege access” and microsegmentation to limit user access to only the resources they need
Microsegmentation for Application Access
Microsegmentation, also referred to as identity-based segmentation, is a key component of any Zero Trust technology suite. As the name suggests, this technology creates extremely small network segments. Each segment is associated with a single user and only connects with the resources that the user is allowed to use. Once resources are microsegmented, access to each segment can be further restricted based on contextual factors—such as whether the user is trying to access the segment remotely or via an internal office connection.
In more advanced implementations, users may be barred from even seeing which other apps and data are present on the network. Thus, as far as the user is concerned, nothing else exists. In other words, if a user is only authorized to use MS Word, email, and a single database directory, they shouldn’t be able to see any other tools and resources at all—or detect them with a copy of a network scanning tool like Nmap. Accessing a new resource requires explicit permission from a supervisor or administrator, and the user needs a good reason for the request to be granted. By applying segmentation rules down to the application level, IT can reduce an attacker’s ability to move laterally through the organization’s network.
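The per-user segment, the contextual restriction, and the "nothing else exists" behavior described above can be sketched as a default-deny policy check. This is an added example, not code from the original article or from any product; the users, resource names, and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    resource: str
    contexts: frozenset  # connection contexts from which access is permitted

ANYWHERE = frozenset({"office", "remote"})

# Constructed sample policy: one microsegment per user, everything else denied.
SEGMENTS = {
    "alice": [
        Rule("ms-word", ANYWHERE),
        Rule("email", ANYWHERE),
        Rule("db/finance-reports", frozenset({"office"})),  # internal only
    ],
    "bob": [Rule("email", ANYWHERE)],
}
# Constructed inventory of everything that exists on the network.
INVENTORY = {"ms-word", "email", "db/finance-reports", "db/hr", "build-server"}

def visible_resources(user, context):
    """Resources in the user's segment that are reachable from this context."""
    return {r.resource for r in SEGMENTS.get(user, []) if context in r.contexts}

def authorize(user, resource, context):
    """Default deny. Unauthorized and nonexistent resources get the same
    answer, so a denied request reveals nothing about what else exists."""
    return "allow" if resource in visible_resources(user, context) else "not-found"

def discoverable(user, context, candidates=INVENTORY):
    """Policy self-check: what would probing every candidate reveal?"""
    return {c for c in candidates if authorize(user, c, context) == "allow"}

if __name__ == "__main__":
    print(sorted(discoverable("alice", "remote")))  # segment shrinks off-site
    print(authorize("bob", "db/hr", "office"))
```

Running `discoverable` for every user and context is a quick way to audit that no segment exposes more than intended.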
How Do Zero Trust Technologies Work Together to Create Security?
A holistic Zero Trust defense against attackers requires more than simply ticking off items on a checklist. The various technologies need to work together seamlessly to create a solid defense.
For example, while any form of MFA provides better verification of a user’s identity than a simple username and password, an Identity and Access Management (IAM) system also uses contextual information such as browser cookies, device location, and IP address to continuously reaffirm the user’s identity throughout the session. Thus, if an attacker manages to take over a user’s session while they’re still logged in, the IAM system should be able to detect this and flag an administrator, restrict the user’s access to sensitive resources, or even boot them out of the session altogether.
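A minimal sketch of that continuous check, comparing each request's context with the one captured at login and choosing among the three responses named above. This is an added example, not code from the original article or from any IAM product; the mapping from changed signals to responses, the IPv4 /24 tolerance, and all names and sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    cookie: str   # browser cookie bound to the session at login
    country: str  # coarse device location
    ip: str       # client IPv4 address

def drift(baseline, current, prefix=24):
    """Return the contextual signals that differ from the login baseline."""
    changed = set()
    if current.cookie != baseline.cookie:
        changed.add("cookie")
    if current.country != baseline.country:
        changed.add("location")
    # Tolerate address changes inside the same /24 (assumed threshold).
    net = ipaddress.ip_network(f"{baseline.ip}/{prefix}", strict=False)
    if ipaddress.ip_address(current.ip) not in net:
        changed.add("ip")
    return changed

def decide(baseline, current, sensitive):
    """Re-evaluate on every request, not only at login."""
    changed = drift(baseline, current)
    if "cookie" in changed or len(changed) >= 2:
        return "terminate"   # boot the session
    if changed and sensitive:
        return "restrict"    # deny the sensitive resource
    if changed:
        return "flag"        # allow, but alert an administrator
    return "allow"

# Constructed sample session (documentation address ranges).
LOGIN = Context("c-81f3", "DE", "203.0.113.10")

if __name__ == "__main__":
    moved = Context("c-81f3", "DE", "198.51.100.5")
    print(decide(LOGIN, moved, sensitive=False))
    print(decide(LOGIN, moved, sensitive=True))
    print(decide(LOGIN, Context("c-0000", "DE", "203.0.113.10"), sensitive=False))
```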
However, this tactic isn’t foolproof. If someone manages to get past MFA, other elements of the Zero Trust defense will kick in.
For instance, suppose an attacker has managed to hack into your boss’s email account. When you next check your email, you see an urgent message from your boss asking you to put the finishing touches on a project your team is working on. You click the link in the email without thinking twice. Congratulations, you’ve just infected your device with malware, perhaps even ransomware.
Organizations can guard against these types of attacks, as well as other web-based threats, with Remote Browser Isolation (RBI). RBI applies a Zero Trust approach to external, browser-accessed resources such as websites. With RBI, internet access is air-gapped via a remote virtual browser, thereby preventing web-based threats from reaching the endpoint. Here’s how it works:
- The user accesses a virtual browser hosted in a container in the cloud, completely isolated from the organizational network
- The virtual browser executes each page the user browses, and streams interactive rendering data back to the user’s endpoint browser
- Any malware in the website remains within the remote browsing environment, and the endpoint is untouched
- When the user stops browsing, the remote browsing environment is destroyed along with the malware
How Does Microsegmentation Put the Capstone on Zero Trust?
Let’s say that the worst happens—an attacker manages to circumvent both RBI and MFA. Now they’re inside the network, and there’s no way to know they’re there. Their next move at this point would be to try to move laterally, or “east-west.” This means that they’d try to infect additional applications, harvest more credentials, and level up their permissions until they find sensitive or valuable data.
With microsegmentation, the damage an attacker can do is limited, as each user is granted access to only the specific apps and data they need in order to do their job. In an organization with hundreds or thousands of people, a single employee probably doesn’t have access to enough information to be interesting to an attacker. What’s more, the attacker can only use that employee’s access within that small microsegment of the organization, while unauthorized lateral movement within the data center or to other resources is prevented. At this point, the attacker might simply abandon their hacking attempt and try a less well-defended target.
In this way, RBI, MFA, and microsegmentation augment each other—like the three sides of a pyramid—to protect your organization from all angles. If an attacker manages to evade your defenses from any one angle, the other two angles can still blunt the effect of their attack. By making it much harder to steal credentials, authenticate using stolen credentials, or leverage a single compromised node to crack open your network, Zero Trust helps ensure that even the most dedicated cybercriminals will find it difficult to execute a successful attack.