The outmoding of traditional network security
Traditional network security was based on the concept of a guarded network perimeter, which is difficult to access from the outside but implicitly trusts everyone on the inside. The problem with this approach is that once an attacker has access to the network, they are free to move laterally and escalate privileges to reach critical assets.
Today, 58 percent of sensitive data security incidents are caused by insider threats. While these threats may originate from negligent or malicious employees, they can also be external cybercriminals who bypassed perimeter controls using a compromised user account. In both cases, insider threats can be difficult to identify or prevent since they are often invisible to perimeter security solutions like firewalls and intrusion detection systems.
To make matters worse, in many instances there exists a dysfunctional, ambiguous separation of roles and responsibilities in the security program between security teams and DBAs/Application owners. This can create significant challenges for organizations looking to mitigate the risk of attackers entering their networks. In this post, we’ll define the fundamentals of what a Zero Trust security model looks like and explain what steps you must follow to ensure you can implement one that is consistently effective at protecting applications and data.
Enter the Zero Trust security model
In this model, security teams require rigorous authentication of users and devices attempting to access resources, whether they are inside or outside the organization’s private network. Given today’s realities of data and systems being distributed among on-premises data centers and cloud providers, and of employees transitioning to remote work, the Zero Trust security model may be the clearest path to achieving consistent security controls.
In a Zero Trust security model, no user is trusted — whether inside or outside the network. Security solutions continuously verify that each user and device can only receive access to the specific resources they need, being sensitive to the time, location, and nature of the activity. Anomalous access is immediately detected and acted upon by security teams.
This sounds fairly straightforward, and it is. For a Zero Trust security model to succeed, however, organizations must create a suitable environment that includes specific fundamental functionality. This starts with rigorous data activity monitoring (DAM) of all data repositories. The model must also feature strong analytics, automated threat detection to reduce the risk of account hijacking, and orchestration to make verification easier and effect faster responses to data misuse.
Here are five essential competencies an organization must demonstrate in order to create an effective Zero Trust security model:
- The keystone goal of a Zero Trust security model is reducing risk. The first step is using agent-based and agentless DAM to determine which user did what, where, and when – on-premises and in the cloud. You cannot reduce the risk to data if you are not monitoring effectively.
- Use behavior analytics effectively to eliminate false positives and dramatically reduce alert fatigue. This is easier said than done. Optiv reported that 32 percent of IT professionals ignore alerts because of so many false positives.
- Identify and classify sensitive data. Not all data is created equal, and you need to know which data is more important to secure. Here again, this is no easy feat. Many organizations have a sensitive data management gap to address. 54 percent of companies have reported not knowing where their sensitive data is stored. Furthermore, 65 percent say they’ve collected so much data that they’re unable to categorize or analyze it.
- Use vulnerability assessments to reduce the threat surface and identify configuration errors that could enable external and internal attacks. In broad terms, a vulnerability assessment systematically reviews your system for potential security weaknesses, assigns them severity levels, and may recommend remediation or mitigation. Vulnerability assessments are very good at sniffing out unnecessary privilege escalations and poor insider security practices, such as guessable admin passwords.
- Make data access entitlements part of your organization’s narrative for data security. At the data layer, gain expert understanding and control of data access entitlements. Move to minimal privileges across the board whenever possible and let security own the policy. Find out who is doing what, then limit access to who should be able to do what.
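As an added example (not code from the post or from Imperva), here is the per-access verification the model describes: each DAM event (who did what, where, when) is checked against a least-privilege entitlement baseline for identity, table, action, source network and time window, and any finding that touches data classified as sensitive is escalated. The entitlement table, the sensitive-table list and the DAM events are all constructed for illustration.

```python
from datetime import datetime
from typing import Dict, List

# Constructed least-privilege baseline, owned by security: per identity, the
# tables and actions entitled, the source network prefixes, and the hour window.
ENTITLEMENTS: Dict[str, dict] = {
    "app_svc":  {"tables": {"orders", "customers"}, "actions": {"SELECT", "INSERT"},
                 "networks": ("10.20.",), "hours": (0, 24)},
    "analyst1": {"tables": {"orders"}, "actions": {"SELECT"},
                 "networks": ("10.50.",), "hours": (8, 18)},
}

# Constructed classification result: tables holding sensitive data.
SENSITIVE = {"customers"}

# Constructed DAM events in a minimal who/what/where/when shape.
DAM_EVENTS = [
    {"ts": "2024-03-04T10:15:00", "user": "app_svc", "src": "10.20.1.7",
     "action": "SELECT", "table": "orders"},
    {"ts": "2024-03-04T02:40:00", "user": "analyst1", "src": "10.50.3.9",
     "action": "SELECT", "table": "customers"},
    {"ts": "2024-03-04T11:05:00", "user": "analyst1", "src": "203.0.113.4",
     "action": "DELETE", "table": "orders"},
]


def verify_access(event: dict) -> List[str]:
    """Return the policy findings for one DAM event; an empty list means allowed."""
    ent = ENTITLEMENTS.get(event["user"])
    if ent is None:
        return ["unknown identity"]          # never trust an identity without a baseline
    findings = []
    if event["table"] not in ent["tables"]:
        findings.append(f"table {event['table']} not entitled")
    if event["action"] not in ent["actions"]:
        findings.append(f"action {event['action']} not entitled")
    if not event["src"].startswith(ent["networks"]):
        findings.append(f"source {event['src']} outside entitled network")
    hour = datetime.fromisoformat(event["ts"]).hour
    lo, hi = ent["hours"]
    if not lo <= hour < hi:
        findings.append(f"access at hour {hour:02d} outside window {lo:02d}-{hi:02d}")
    if findings and event["table"] in SENSITIVE:
        findings.append("sensitive data involved: escalate")
    return findings


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Map each anomalous event's index to its findings so responders can act on it."""
    return {i: f for i, e in enumerate(events) if (f := verify_access(e))}
```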
What stops the Zero Trust security model from succeeding?
Quite simply, very few organizations have the fundamentals in place to support a Zero Trust security model. Zero Trust as a security concept was introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST). Eight years later, an IDG Security Priorities Survey reported that while 71 percent of security-focused IT decision-makers were aware of the Zero Trust model, just eight percent were actively using it in their organizations and another ten percent were piloting it. The relatively slow adoption is likely related to limitations in organizations’ existing data security systems. As outdated, perimeter-based security defenses are shown to be porous and indefensible, more organizations must up-level their data security solution. Zero Trust offers a model that clearly aligns better with the contemporary IT landscape, where the distinction between insider and outsider is largely irrelevant.
Getting your organization ready to implement a Zero Trust security model? Imperva can help. Contact a solutions representative.