The reality of cybersecurity for businesses is that adversaries continually compromise systems and networks, and even well-managed breach prevention programs often face attackers within their perimeters.
On March 5, the National Security Agency continued its series of best-practice recommendations for federal agencies, releasing its latest cybersecurity fact sheet (CIS), this one on the Network and Environment pillar of its zero-trust framework. The NSA document recommends that organizations segment their networks to limit unauthorized users’ access to sensitive information. The reasoning is that strong segmentation can keep a compromise from turning into a full-blown breach by denying every user access to areas of the network in which they have no legitimate role.
The NSA guidance also allows security teams to present a stronger business case to management for security protection, but CISOs must set realistic expectations, because implementation is a complex, multi-layered process.
While the document is aimed at government organizations and defense-related industries, the wider business world can benefit from zero-trust guidance, says Steve Winterfeld, Advisory CISO at internet services giant Akamai.
“The reality is not [whether] unauthorized access incidents occur; you need to catch them before they become breaches,” he says. “The key is the ‘visibility with context’ that microsegmentation can provide, supported by the ability to quickly isolate malicious behavior.”
Companies have undertaken Zero Trust initiatives to make their data, systems and networks harder to compromise and, when they are compromised, to slow down attackers. The framework is a solid set of guidelines for how to proceed, but implementing it isn’t easy, says Mike Mestrovich, CISO at Rubrik, a data security and zero trust provider.
“Most networks have evolved over time, and it’s very difficult to go back and redesign them while keeping the business running,” he says. “It’s doable, but it can be costly in both time and money.”
Here are six tips from NSA guidelines.
1. Learn all seven pillars of Zero Trust
The latest document from the National Security Agency delves into the fifth of the seven pillars of Zero Trust: the network and the environment. However, the other six pillars are equally important and show “how broad and transformative a zero trust strategy needs to be to be successful,” says Ashley Leonard, CEO of Syxsense, an automated endpoint and vulnerability management company.
“Network and Environment” is the fifth pillar of the National Security Agency’s seven pillars of Zero Trust. Source: NSA
“For companies looking to get started with Zero Trust, I strongly encourage them to review the NSA fact sheets on the user and device pillars, the first and second pillars of Zero Trust, respectively,” he says. “If a company is just starting out, considering the networking and environment pillar is a bit like putting the cart before the horse.”
2. Expect attackers to breach your perimeter
The Network and Environment pillar of the NSA’s Zero Trust plan aims to prevent attackers from expanding a breach after they have already compromised a system. The NSA guidelines highlight the 2013 Target breach, without explicitly naming the company, because the attackers entered through a vulnerability in the company’s third-party HVAC system but then managed to move across the network and infect point-of-sale devices with malware.
Companies should assume they will be compromised and find ways to limit or slow down attackers, NSA Director of Cybersecurity Rob Joyce said in a statement announcing the release of the NSA document.
“Organizations must operate with the belief that threats exist within the confines of their systems,” he said. “This guide is intended to provide network owners and operators with the processes they need to thoughtfully resist, detect, and respond to threats that exploit weaknesses or gaps in their enterprise architecture.”
3. Map out the data flows to start with
The NSA’s guidance is a tiered model, in which companies should start with the basics: mapping data flows in their networks to understand who is accessing what. While other zero trust approaches have been documented, such as NIST SP 800-207 Zero Trust Architecture, the NSA pillars provide organizations with a way to think about their security controls, says Akamai’s Winterfeld.
“Understanding the flow of data primarily provides situational awareness of where and what the potential risks are,” he says. “Remember, you can’t protect what you don’t know.”
4. Move to macro-segmentation
Having addressed all other key pillars, companies should kick off their foray into the Network and Environment pillar by segmenting their networks, perhaps broadly at first, but with increasing granularity. Major functional areas include business-to-business (B2B) segments, consumer-facing (B2C) segments, operational technology such as IoT, point-of-sale networks, and development networks.
After segmenting the network at a high level, companies should aim to further refine the segments, says Rubrik’s Mestrovich.
“If you can define these functional areas of operation, then you can begin to segment the network so that entities authenticated in any of these areas do not have access without going through additional authentication exercises in any other areas,” he says. “In many respects, you will find that it is very likely that users, devices and workloads operating in one area do not actually need any rights to operate or resources in other areas.”
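As an added illustration of tips 3 and 4 together (this script is not from the NSA document or the article), the following Python reviews constructed flow records against the macro-segments listed above and flags every cross-segment flow that the business has not explicitly justified. The segment names, address ranges, flow format and allowlist are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical macro-segments based on the functional areas the article lists;
# the address ranges are constructed for this example.
SEGMENTS = {
    "b2b": ipaddress.ip_network("10.10.0.0/16"),
    "b2c": ipaddress.ip_network("10.20.0.0/16"),
    "ot_iot": ipaddress.ip_network("10.30.0.0/16"),
    "pos": ipaddress.ip_network("10.40.0.0/16"),
    "dev": ipaddress.ip_network("10.50.0.0/16"),
}

# Cross-segment flows with a documented business justification (constructed).
# Any other flow between two different segments is treated as unreviewed.
ALLOWED_CROSS = {("b2c", "pos", 443)}

def segment_of(ip):
    """Map an address to its macro-segment, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    # Constructed flow-log format: "src dst dport bytes"
    src, dst, dport, nbytes = line.split()
    return src, dst, int(dport), int(nbytes)

def review_flows(lines):
    """Return (summary, findings): summary counts flows per (src, dst)
    segment pair; findings lists cross-segment flows outside the allowlist."""
    summary = Counter()
    findings = []
    for line in lines:
        src, dst, dport, _ = parse_flow(line)
        s, d = segment_of(src), segment_of(dst)
        summary[(s, d)] += 1
        if s != d and (s, d, dport) not in ALLOWED_CROSS:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "path": f"{s}->{d}"})
    return summary, findings

FLOWS = [  # constructed sample flow records
    "10.20.1.5 10.20.2.9 443 1200",   # intra-segment b2c traffic
    "10.20.1.5 10.40.3.3 443 500",    # b2c -> pos, allowlisted
    "10.30.7.7 10.40.3.3 445 90000",  # ot_iot -> pos: the HVAC-to-POS path
    "10.50.1.1 10.10.2.2 22 3000",    # dev -> b2b, no justification on file
]

if __name__ == "__main__":
    for f in review_flows(FLOWS)[1]:
        print(f"review: {f['path']} {f['src']} -> {f['dst']}:{f['dport']}")
```

The summary of segment-pair counts is the data-flow map of tip 3; the findings list is the backlog of flows to either justify or block as segmentation tightens.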
5. Mature toward software-defined networking
Zero trust networking requires that companies have the ability to quickly react to potential attacks, making software-defined networking (SDN) a key approach to not only pursue micro-segmentation but also to lock down the network in the event of a potential compromise.
However, SDN is not the only approach, says Akamai’s Winterfeld.
“SDN is more about governance of operations, but depending on your infrastructure it may not be the optimal solution,” he says. “That said, you need the types of benefits that SDN offers regardless of how you architect your environment.”
6. Realize that progress will be iterative
Finally, Zero Trust is not a one-off project but an ongoing initiative. Organizations must have patience and persistence in implementing the technology, and security teams must review the plan and modify it as they face and overcome challenges.
“When thinking about starting your Zero Trust journey, their guidance on how to start with mapping data flows and then segmenting them is perfect,” says Winterfeld, “but I would add that it is often iterative as you will have a discovery period that will require updating the plan.”