The 7 Proven Essentials CISOs Must Consider To Master Zero Trust

Published 2022-03-30 (last modified 2023-12-11) at https://cyberleadershipinstitute.com/the-7-proven-essentials-cisos-must-consider-to-master-zero-trust/
Zero Trust has transitioned from a buzzword to the centre of most cyber resilience strategies far more rapidly than many CISOs ever predicted. According to Grand View Research, Inc., the global Zero Trust security market size is expected to reach USD 59.43 billion by 2028, registering a compound annual growth rate (CAGR) of 15.2% from 2021 to 2028. The rising need to protect digital enterprise environments underpins the rapid Zero Trust adoption. Solutions such as preventing lateral movement, leveraging network segmentation, simplifying user access control, and implementing layer 7 threat prevention work to protect computers, programs, and networks from unauthorized access.

In this blog, co-written with one of CLI's distinguished alumni, Ashwin Ram (Cybersecurity Evangelist, Office of the CTO at Check Point), we simplify Zero Trust, discuss its benefits and offer practical ways CISOs can cost-effectively bake Zero Trust into their strategies.

What is Zero Trust?

Zero Trust is a security framework or model, not a specific technology. While many vendors tout their products as panaceas for Zero Trust, it's important to remember, as one expert put it, that "Zero Trust isn't a single piece of software you can install or a box you can check, but a philosophy, a set of concepts, a mantra, a mindset."

At its core, Zero Trust eliminates implicit trust within an organization's IT infrastructure. Access is granted or denied based on the access and permissions assigned to a particular user according to their role within the organization. But as most CISOs have learnt the hard way, no single framework, including Zero Trust, can stop high-profile cyber incursions. A recent article states that "When prevention fails (and it will), this approach will contain the spread of a breach, and minimize the impact and consequence for a business."

Under Zero Trust, users, devices, and applications are granted the minimum access permissions required to carry out specific functions. Under the traditional security model, a VPN user is granted full access to the network. If this user's credentials are compromised, as was the case in the Colonial Pipeline breach, the threat actors can easily traverse the network and compromise several unrelated assets. But the principle of least privilege and 'default deny' advocated by Zero Trust limits the damage to the specific systems the user is authorized to access.

Why Should CISOs Build Zero Trust into their Cyber Resilience Strategies?

For the first 20 years or so of the internet, our networks were simple; companies invested in perimeter defences (firewalls, proxy servers, email security gateways, intrusion prevention systems, etc.) to limit their exposure to internet threats. Any traffic emanating from outside the network was untrusted and potentially harmful, while anything inside this perimeter was considered safe and trusted. This approach worked for a while, but times have changed.

Historically protected by firewalls, antivirus software and segmented networks, the traditional enterprise network perimeter is fast dissipating. More and more enterprises are migrating mission-critical applications into the public cloud, fuelled by the promise of greater financial flexibility, the ability to deliver infrastructure on the fly and faster time to market. COVID-19 has changed everything: employees are working remotely and logging into enterprise networks from their mobile phones, home computers and other unknown devices. Furthermore, the supply chain keeps getting more complex, with businesses looking beyond their geographies to address supply chain issues.

Simply put, the traditional perimeter security approach can no longer keep up with the demands of today's fast-changing digital environment, let alone stealthy cyber threats that can easily evade traditional security defences. Zero Trust offers three formidable benefits:

The Seven Essentials Of Zero Trust

1. Zero Trust Network

One of the biggest challenges for CISOs over the last decade has been limiting lateral threat actor movement. Cybercriminals keep exploiting weaknesses in one system and quickly move across to compromise crown jewels. So, the first essential we recommend is that CISOs redesign their network infrastructure to isolate digital assets into different segments based on risk.

A segmented network makes it significantly harder for an attacker who has compromised one system to hop to others. This requires physically or logically separating high-value digital assets, such as industrial control systems (ICS), systems that hold payment card data or those that process high-value payments. Once this is achieved, restrict access to high-risk network zones on a strict need-to-do/need-to-know basis, opening connections only to those systems and users. Furthermore, CISOs must deploy advanced threat prevention controls at the application layer to inspect the flow of traffic between segments. Performing deep packet inspection in the core of your network offers an additional critical control to detect and deter attacks.

2. Zero Trust People

According to the Ponemon Institute's 2021 Cost of a Data Breach Report, compromised credentials were the number one attack vector successfully exploited by cybercriminals. Humans will always make mistakes, intentionally or otherwise. Therefore, it is essential that CISOs complement their cyber awareness efforts with technical controls to minimize the threats associated with stolen credentials: for example, minimizing the number of complex passwords users must maintain through single sign-on, reinforcing access control through MFA, protecting superuser credentials through a commercial privileged access management solution, and enforcing context-aware security policy.

Here are additional questions CISOs should ask to ascertain the effectiveness of their controls:

3. Zero Trust Data

Needless to say, Zero Trust is fundamentally designed to protect data, whether in use, at rest or in motion. Here are five primary controls CISOs should consider when building Zero Trust into their strategies:

4. Zero Trust Devices

At its core, the Zero Trust security model recommends treating every device connected to the network as untrusted and potentially hostile. This includes not only laptops and servers but also mobile phones, IoT (Internet of Things) and OT (operational technology) devices. It is critical that you have the ability to isolate compromised devices in your environment as quickly as possible. This requires designing a network infrastructure that isolates your digital assets into different segments based on risk and implementing a context-aware security policy that adapts to the posture of devices in your environment. For instance, you could ask the following questions:

5. Zero Trust Workload

Most enterprises struggle to protect their cloud-based workloads due to the dynamic and ephemeral nature of cloud ecosystems, especially when moving from IaaS (infrastructure as a service) to serverless and containers. Cloud assets are stood up at the click of a button, which can lead to a host of misconfiguration issues. Unsurprisingly, cloud misconfiguration was cited as the third most exploited attack vector by the Ponemon Institute's 2021 Cost of a Data Breach Report.

To minimize this risk, CISOs must place a heightened focus on cloud security visibility and adaptive policy enforcement. Automated controls must continuously monitor cloud infrastructure for gaps in security policy enforcement, while adaptive security controls must enforce the principle of least privilege. Furthermore, cloud security teams must enforce segmentation and micro-segmentation using advanced threat prevention security controls. For instance, the team can implement a hub-and-spoke network in which traffic from each spoke traverses a hub that enforces advanced security controls.