What’s the right amount of trust to build in your network? Less than zero • The Register


Sponsored feature

“The trust of the innocent is the liar’s most useful tool,” wrote Stephen King. At least that’s what the Internet claims.

But “proving” the provenance of this quote is surprisingly difficult. This is the problem with trust. It’s slippery, and when it’s misplaced, the consequences can be catastrophic, as cybersecurity shows us time and time again.

The pandemic highlighted what were already pervasive security concerns with trust, corporate networks and the internet. Working from home and remotely means that the “network” no longer corresponds to a particular location. This in turn highlights the existing shortcomings of VPNs (the traditional and secure way for remote workers to access the corporate network).

The whole model of a VPN is based on providing access to a location, whether that location, or network, is on-premises or in the cloud, says Andrew Sinclair, product manager at UK managed services and cloud provider iomart. And that is the problem with traditional credential-based authentication.

“People were able to log into a business just using a username and password. And then once they are delivered into the network, it is assumed that they are trustworthy.”

But once inside, the user, or the criminal who hijacked their device or identity, has carte blanche to do whatever they want on that network, Sinclair explains. “They could scan the entire network, once connected, to find anything of interest or even attempt to access other systems.”

This ability of intruders to engage in “lateral movement” is the “number one reason businesses experience devastating ransomware attacks,” says Sinclair.

It is not an abstract challenge. IDC reports that more than a third of businesses have been affected by a ransomware attack, or a breach that has locked systems or data, in the past 12 months. “This is by far the biggest topic of conversation we have with clients, certainly over the past 24 months,” says Sinclair.

So who are customers turning to?

There is no doubt that customers are offered what Sinclair describes as “very expensive third-party network security burdens.” These promise not only security, but, for example, self-learning security powered by AI.

But these solutions are expensive. And if they are delivered as an appliance, enterprises face the problem of not only managing security, but also managing the device itself. They might also be faced with the prospect of duplicating these expenses and efforts at each key location.

But there are even more fundamental challenges with this approach, says Sinclair. “The problem with these tools is that the focus is on monitoring the corporate network, with the assumption that the corporate network is a safe place.”

A precarious world without borders

But in reality, businesses can operate in a hybrid, multi-cloud world, with multiple geographies and multiple customers, without the assurance that security controls will be consistent. “How can businesses ensure that their data is constantly secure with TLS over a sprawling network?” Sinclair asks. “It’s an incredible challenge.”

And it does not stop there. Because very few users, and their data, exist in a secure closed network. On the contrary, he says, “the reality is that your data is traveling from AWS to Azure to data centers around the world.”

So, “if you try to put the internal network back in a position of trust, then you’ve already lost.”

Instead, all networks should be viewed as untrusted and this is the basis of Zero Trust, or the concept of a software-defined perimeter. “The first principle is that the network is always supposed to be hostile,” he says.

Once you accept this, the second principle is easy to embrace. “You have to assume that external and internal threats still exist within your network at all times.”

From there, the third principle is that “the locality of the network is not sufficient to decide whether a user or device connected to this network is trustworthy or not”.

It’s easy to see how these principles match up with other modern networking concepts, especially SD-WAN, which abstracts the network, and access to different parts of it, away from the physical infrastructure.

So what does this mean in practice, for example in the Managed Software Defined Perimeter (SDP) service that iomart provides to its customers?

Safety, laterally

The starting point for all of this with the iomart service is installing an agent on the user’s Windows, Mac or Linux device.

Then the iomart security team “engages with the business and first does a discovery and tries to identify where all the key data points are in the business, whether it’s Microsoft Azure, Amazon or onsite at the data center. Then, our team designs the architecture and installs the software necessary for your users to connect to their applications wherever they are. And this is how the SDP service connects anywhere.”


When it comes to a specific user’s device, says Sinclair, “we can make sure that it has gone through the enrollment process and is an acceptable device. This provides additional context.”

“We can show that the device is healthy, that it is fully patched, that the anti-malware agent is running, that it is updated.” Another contextual element is where the device connects from. After two years of connecting from your living room, a sudden connection from Venezuela should really sound the alarm bells.

Beyond this authentication, the device and the user are restricted, once they are “in” the network, to only the services or data they need to do their job.

“Trusted users are no longer let loose on the network. They are connected directly to the application they requested. So, with just one service, the challenges of lateral movement are overcome.”
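The access decision described above, as an added, self-contained example that is not iomart's code and not part of the original article. It takes the context the article lists (device enrolment, patch and anti-malware state, the country the connection comes from compared with the user's own history) and, on a pass, grants a connection to one named application rather than to a network range. Network locality is deliberately not an input, so a request from inside an office is judged exactly like one from a living room. All names, fields and sample users are constructed for this illustration; the "step-up verification" outcome for an unfamiliar country is an assumption about how a real service might respond.

```python
"""Zero-trust access decision: identity + device health + location context -> one application.
Illustrative example only; every class, user and policy value here is constructed."""
from typing import Optional, Dict, Set
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Health report from the endpoint agent (constructed fields)."""
    device_id: str
    fully_patched: bool
    antimalware_running: bool
    antimalware_updated: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    posture: DevicePosture
    country: str        # where the connection originates (ISO country code)
    application: str    # the single application the user asked for


@dataclass(frozen=True)
class Decision:
    allowed: bool
    connect_to: Optional[str]   # one application on success, never a network
    reasons: tuple


class PolicyEngine:
    def __init__(self, enrolled_devices: Dict[str, str],
                 entitlements: Dict[str, Set[str]],
                 location_history: Dict[str, Set[str]]):
        self.enrolled_devices = enrolled_devices    # device_id -> owning user
        self.entitlements = entitlements            # user -> applications allowed
        self.location_history = location_history    # user -> countries seen before

    def evaluate(self, req: AccessRequest) -> Decision:
        reasons = []
        p = req.posture
        # Enrolment: the device must be known and bound to the user presenting it.
        if self.enrolled_devices.get(p.device_id) != req.user:
            reasons.append("device not enrolled to this user")
        # Health: patched, with a running and current anti-malware agent.
        if not p.fully_patched:
            reasons.append("device not fully patched")
        if not (p.antimalware_running and p.antimalware_updated):
            reasons.append("anti-malware agent not running or out of date")
        # Location context: compared against this user's own history,
        # not against whether the request is "inside" or "outside" the office.
        seen = self.location_history.get(req.user, set())
        if seen and req.country not in seen:
            reasons.append(f"first connection from {req.country}; step-up verification required")
        # Least privilege: only applications this user is entitled to.
        if req.application not in self.entitlements.get(req.user, set()):
            reasons.append(f"user not entitled to {req.application}")
        if reasons:
            return Decision(False, None, tuple(reasons))
        # A pass connects the user to the requested application only.
        return Decision(True, req.application, ("all checks passed",))


def build_sample_engine() -> PolicyEngine:
    """Constructed registry, entitlements and history for two sample users."""
    return PolicyEngine(
        enrolled_devices={"lt-0042": "alice", "lt-0077": "bob"},
        entitlements={"alice": {"crm", "mail"}, "bob": {"mail"}},
        location_history={"alice": {"GB"}, "bob": {"GB", "IE"}},
    )


def healthy(device_id: str) -> DevicePosture:
    return DevicePosture(device_id, True, True, True)


if __name__ == "__main__":
    engine = build_sample_engine()
    for req in (
        AccessRequest("alice", healthy("lt-0042"), "GB", "crm"),
        AccessRequest("alice", healthy("lt-0042"), "VE", "crm"),
        AccessRequest("bob", healthy("lt-0077"), "IE", "crm"),
        AccessRequest("bob", DevicePosture("lt-0077", False, True, True), "GB", "mail"),
        AccessRequest("bob", healthy("lt-0042"), "GB", "mail"),
    ):
        print(req.user, req.country, req.application, "->", engine.evaluate(req))
```

The decision carries its reasons so that a denial can be written to the XDR/SIEM side of the service with enough context to triage; a successful decision carries exactly one application name, which is the property that removes the lateral-movement problem the article describes.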

Whenever there is a security issue, or an event that alerts the SDP system, iomart’s SDP also writes to its XDR system, which in turn notifies the corporate security team. The offending device is disconnected from the network, while iomart’s security team runs a customised playbook for each customer.

The triage process is followed by “lessons learned, determining how the malware entered, whether it was zero day malware or something similar”.

It’s important to remember that in addition to the SDP agent, Sinclair says, “you still need some type of deep anti-malware security. We recommend that whatever agent you use, it is usually some type of XDR agent that, if something goes wrong, will report to a SIEM system (security information and event management).”

Overall, this gives administration teams “the confidence that there is a layer of control – which may not have existed in the past.”

This applies to people inside and outside the office, as the policies apply to the entire company, not to a geographic area.

“The administration team can rest assured that when someone logs into the network we know who they are, we know their device is healthy. And we know they’re only going to connect to the things they should connect to.”

Adopting this model can be a big step for organizations that previously focused their security strategy on something very smart and very expensive at the grassroots. But, says Sinclair, “A lot of companies have spent a lot of money investing in a lot of expensive tools. And they’re still not sure how much value it brings to them.”

Securing the remote user is just as important as advanced security controls on the servers that run the applications, he says, noting that nine out of ten security intrusions start at the endpoint.

Sinclair recommends that companies use mitigation technology that can easily express its value. The cost of an SDP managed service will typically be slightly more per user than the average cost of an AV service, meaning even the smallest business can afford to increase their level of security significantly, he says.

Which brings us back to Stephen King’s alleged quote on trust. It turns out to be from a Stephen King novel. But proving this is tricky and laborious. It’s another thing about trust. Sometimes it makes sense for someone else to do all the hard work.

Sponsored by iomart.

