Fifty years of computer network design have enabled big companies to share information and applications with employees around the world, keeping them in sync, growing businesses, and generating wealth. Networks are the fabric of globalization, and access to them is based on trust: If you have the right credentials, you are allowed in.
But the time for trust is over. All new employees — and every new digital device that they carry — increase the risk of bad actors on the outside (and inside) of an organization getting into its network and then moving from machine to machine to do mischief.
The only way to shut this door is to dismantle the privileged intranet and treat every login as a potential threat. (Some companies, albeit very few, have done this already.)
Most network breaches are caused by human error. People, no matter how well trained, will forget their laptops in bathrooms and cabs, connect to insecure public Wi-Fi at a café or restaurant, visit websites and click on emails they shouldn’t, and download, consciously or not, attachments carrying malware. Or they’ll pick up a thumb drive lying in a parking lot and plug it into their authenticated machine. This was how the U.S. Department of Defense (DoD) was breached in 2008 when a malware-infected flash drive was inserted into a military laptop at a base in the Middle East. The malware worm propagated itself across U.S. defense systems, sending data back to its masters, which DoD investigators believe were Russian. It took the Pentagon 14 months to contain the worm, and the incident led to the creation of the U.S. Cyber Command.
The root cause of this event was people being people, and as the workforce becomes more mobile and carries more self-provisioned devices (laptops, tablets, phones) that connect to the internet everywhere — and through that to government and corporate networks — those networks remain perpetually vulnerable to vandals and criminals.
To counter this threat, organizations burn considerable money and manpower managing client devices, and patching and monitoring their networks. None of these activities adds value directly, and every organization today is looking to reduce that workload and its attendant costs.
But as technology has progressed, no organization today really needs a network. It needs services. And it can have them without a network, through the cloud.
In a zero-trust network, instead of owning everything in your network — which you must defend with firewalls, monitoring agents, event managers, and client managers — all the services an organization needs, including file sharing, collaboration tools, and email, are hosted in the cloud and accessed as a service. Client-server communications are limited to the specific service requested. If a device becomes infected, it cannot carry that infection inside a security boundary and contaminate other devices. There is no boundary, no trusted domain where an infected device can access servers containing critical information and data, because authentication is limited to that service, with separate approvals for other services. And the data stored for each service in the cloud is associated only with that application. Therefore, attackers may steal information from one person’s laptop, but they can tap into only those pieces to which that person has access (say, email, not billing) — not the full network with multiple servers, applications, and databases. Because the device and its user are not trusted to roam a network, the damage that can be done by any one hack is greatly limited.
Once an organization eliminates its proprietary domain, the costs of managing and securing it vanish, and network administrators and security people can be redeployed to more value-added activities.
In the zero-trust network, whether using a public or private cloud, client security is still managed by the company. In the public cloud, the service provider — for whom security is core to its business model and value proposition, not an add-on — provides the secure infrastructure, but companies still must authenticate their users and control their access to each application. There are tools that can assure security compliance prior to authentication and allowing access to a service. These tools do not require a domain to operate and can maintain client configuration and security thresholds over any communications link.
Role-based access, and the principle of least privilege, can be managed and automated through human resources systems rather than by network administrators implementing controls. Authorized access to services is controlled via authentication methods — such as tokens, biometrics, usernames, and passwords — that can be revoked as soon as a person’s employment is terminated or job status is changed.
For example, at Google LLC, which has pioneered the zero-trust network model, every service is assigned a minimum trust tier for access. A driver delivering a package, for instance, would be able to access an address, but not billing information. That would be a higher tier. This tiered approach reduces the maintenance costs associated with supporting a device that connects to a network (and, as an added benefit, simplifies and improves its usability). As a device is allowed access to higher tiers, Google shortens the time it has permission to access those services. This allows the company to ensure that devices with access to critical data are upgraded and patched expeditiously and continuously.
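As an added illustration of the two preceding paragraphs (HR-driven revocation of role-based access, and the tiered, time-boxed device access model), the Python below is constructed for this article and is not Google's code; the service tiers, role ceilings, patch thresholds and grant lifetimes are all assumed values.

```python
"""Tiered, time-boxed, per-service access decisions (constructed example).

A service declares a minimum trust tier, the user's role and employment status
come from an HR feed, device compliance caps the tier a device may hold, and
higher tiers receive shorter grants. All numbers below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Minimum trust tier each service requires (assumed values).
SERVICE_MIN_TIER = {"address-lookup": 1, "email": 2, "billing": 3}

# Highest tier a role may reach (assumed); least privilege by job function.
ROLE_MAX_TIER = {"driver": 1, "staff": 2, "finance": 3}

# Grant lifetime in seconds per tier: critical data means more frequent re-checks.
GRANT_LIFETIME = {1: 24 * 3600, 2: 8 * 3600, 3: 3600}


@dataclass
class Device:
    device_id: str
    patch_level: int  # assumed: days since last update (lower is better)


@dataclass
class Grant:
    service: str      # a grant covers exactly one service
    tier: int
    expires_at: float  # epoch seconds


def device_tier(device: Device) -> int:
    """Map compliance state to the highest tier the device may hold (assumed thresholds)."""
    if device.patch_level <= 7:
        return 3
    if device.patch_level <= 30:
        return 2
    return 1


def request_access(role: str, employed: bool, device: Device,
                   service: str, now: float) -> Optional[Grant]:
    """Return a time-boxed grant for one service, or None if any check fails."""
    if not employed:                              # HR says terminated: no access at all
        return None
    need = SERVICE_MIN_TIER[service]
    if ROLE_MAX_TIER.get(role, 0) < need:         # role does not reach the service's tier
        return None
    if device_tier(device) < need:                # unpatched device is capped at low tiers
        return None
    return Grant(service, need, now + GRANT_LIFETIME[need])


def grant_valid(grant: Grant, service: str, now: float) -> bool:
    """A grant is scoped to its own service and lapses on its own."""
    return grant.service == service and now < grant.expires_at
```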
Having a zero-trust network does not require an organization to eliminate its existing network infrastructure. A small company might have no infrastructure, connecting every client directly to the internet at the wall plate. A larger one might choose, for economic reasons, to own its information infrastructure. But in a zero-trust network, the routers and switches now serve simply as data transportation between client devices and the cloud. There is no domain, and the network provides only the lower three layers (physical, data link, and network) of the classic Open Systems Interconnection (OSI) seven-layer network model — that is, it transmits data between points, but does not manage user sessions.
In terms of security at cloud providers, these organizations not only encrypt the data they store, they divide it into chunks and store it on different servers in different places. Even if a hacker were to gain access to a server and manage to decrypt the data, only a random selection of the data could be read, not the complete data story. And while some managers may have a gut fear about storing valuable company data on a third-party cloud service — wouldn’t they have direct access to our private company data? — any contract with a reputable cloud provider expressly states that the client retains ownership of the data it stores on their servers. If a provider were to access the data itself, not only would that provider be in violation of the contract, but it would soon be out of business.
None of this is science fiction. With platform as a service (PaaS) and software as a service (SaaS), the passing of the traditional IT network is already proceeding in industry, especially in startups — with the security benefits manifest to anyone who cares to look.
In recent years, the U.S. National Security Agency was breached, and its cyber spy tools stolen. The WannaCry ransomware virus spread through the U.K.’s National Health Service network, crippling hospitals, putting lives at risk. And hackers walked through a website vulnerability at Equifax, exposing the credit information of 143 million U.S. consumers. There were more. There will be more.
It’s time to stop hanging security on so slender a thread as trust!