Man the barricades? The future of the network fortress

In the Middle Ages, technical and economic forces brought to an end centuries of military theory, as city walls became ineffective, irrelevant and even counterproductive. A similar disruption is happening now, but this time inside corporate networks.

Enterprise network as the fortress

Managing information security for corporate networks has always been difficult. For starters, the adversarial nature of IT security has always made it a disruptive force, since well before the word disruption became trendy.

But the bigger challenges — the ones that mean we really need to change the way we think about information security — are the changes to the nature of the corporate networks themselves.

In short, I’m not sure corporate networks are going to exist in the future – certainly not in the terms we currently think of them.

In the past, we relied heavily on network segregation to protect corporate assets, information and systems.

The theory was pretty simple: Build a wall putting good guys on the inside and the great unwashed on the outside, and then carefully control what comes in and goes out through a gateway(s).

In this model we concentrated our defences on the points where information flowed in or out of our network, and used terms like choke point, bastion, inspection point and firewall to describe the controls.

This approach has two problems.

The first is that our ability to meaningfully inspect traffic coming in and out of the fortress isn’t keeping up with the threats. It’s a challenge InfoSec has always had, but now innovation – web, digital, cloud – has accelerated the problem, giving cyber crooks and other bad guys too many new opportunities to attack.

Our fortress goes virtual

The second problem is that it’s not just the security arms race that is emasculating our virtual fortress. Our users (the good guys) no longer want to live inside the fortress; they want to access enterprise information and systems from wherever they are, via the now ubiquitous Internet, and they want to use whatever device they have in hand. The assets we are charged with protecting are also rapidly decamping beyond the castle gates into the cloud.

The battleground has moved. The challenge now is making sure we have the right capabilities in the right places for the next round.

Decouple and conquer

This challenge to deliver services securely anywhere and anytime means we need to “decouple” network security from network topology. In other words, our ability to protect assets, information and users can no longer be contingent on them living inside the fortress; the protection needs to go with them to wherever they want to be or where market forces increasingly dictate they need to be.

The first part of addressing this change is addressing our thinking. Avoid thinking of networks as being divided into trusted, untrusted and semi-trusted. While such terminology isn’t entirely without value, those labels can lead to dangerous assumptions.

For example, when a system in the trusted part of the network is compromised, it can potentially leverage this trust to attack its neighbours. What’s more, it can usually go about this task without fear of being detected by the corporate defences, because they’re mostly focused on the boundary between trusted and untrusted parts of the network. The classic analogy is the Trojan Horse; once it got inside the fortress of Troy, Greek soldiers emerged overnight and created havoc.

Enter the Zero Trust Network

A conceptual model that helps us understand how to address this challenge is the Zero Trust Network.

The premise of Zero Trust is that trust shouldn’t be assumed between network actors regardless of location. It follows that protection should be applied to the smallest indivisible network actors. Laptops, smartphones, servers, desktops, storage … every network participant needs to protect itself.

Zero Trust gives us a model for addressing the existing security challenges within the fortress: You can’t trust your neighbours just because they live in the trusted zone of the network.

Zero Trust also gives us a model for dealing with users and systems that live outside the fortress. Its fundamental principle has universal applicability: Every network participant needs to protect itself.

That might sound like: “Every man for himself!” but that’s not the intent at all. Rather, it’s that the point of protection (the policy enforcement point) needs to be pushed as close as possible to (and ideally onto) the endpoints.

However, the best overall security posture will be achieved if these endpoints act as a unified whole. For example, if you install endpoint software with an intrusion prevention capability onto your 2,000-strong desktop fleet and you tie the alerting capability from the endpoints together, then you have just created a 2,000-strong IPS sensor network.
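Tying the endpoints’ alerts together is what turns a fleet of individual host sensors into one detection capability. The Python below is an added example, not the author’s code or any product’s: it pools constructed host-IPS alert lines reported by several desktops and flags an internal source that has tripped alerts on three or more distinct endpoints within five minutes (both values are assumed tuning choices), the kind of east-west probing that a boundary firewall never sees.

```python
# Fleet-wide correlation of endpoint IPS alerts (added example, not from the article).
# Each endpoint only sees traffic aimed at itself, so one host alert is noise; pooling
# alerts across the fleet makes an internal source that probes many neighbours stand
# out. A boundary firewall never sees this east-west traffic. Sample data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp reporting_endpoint source_ip signature"
ALERTS = """\
2024-03-01T09:00:01 desk-0012 10.20.4.77 SMB_BRUTE_FORCE
2024-03-01T09:00:04 desk-0087 10.20.4.77 SMB_BRUTE_FORCE
2024-03-01T09:00:09 desk-0143 10.20.4.77 SMB_BRUTE_FORCE
2024-03-01T09:00:15 desk-0201 10.20.4.77 RDP_SCAN
2024-03-01T09:01:30 desk-0012 10.20.9.5 SMB_BRUTE_FORCE
2024-03-01T10:30:00 desk-0301 10.20.4.77 RDP_SCAN
"""
WINDOW = timedelta(minutes=5)  # correlation window (assumed tuning value)
THRESHOLD = 3                  # distinct endpoints alerting on one source


def parse_alerts(text):
    """Turn raw alert lines into (time, endpoint, source, signature) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, endpoint, src, sig = line.split()
            out.append((datetime.fromisoformat(ts), endpoint, src, sig))
    return out


def correlate(alerts, window=WINDOW, threshold=THRESHOLD):
    """Map source_ip -> endpoints for sources that tripped alerts on at least
    `threshold` distinct endpoints within any `window`-long period."""
    by_src = defaultdict(list)
    for ts, endpoint, src, _sig in sorted(alerts):
        by_src[src].append((ts, endpoint))
    hits = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            endpoints = {ep for _, ep in events[start:end + 1]}
            if len(endpoints) >= threshold:
                hits[src] = endpoints
    return hits


if __name__ == "__main__":
    for src, eps in correlate(parse_alerts(ALERTS)).items():
        print(f"{src} probed {len(eps)} endpoints: {sorted(eps)}")
```

Run against the constructed sample, only 10.20.4.77 is reported; the single alert from 10.20.9.5 stays below the threshold, which is the point of correlating across the fleet rather than reacting to each host alert on its own.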

Sounds great, what’s the catch?

Of course, Zero Trust isn’t without its challenges:

  • Massively increased number of configurable items. You think it’s tough looking after a few firewalls? Try looking after 2,000! Good management consoles, standardisation and policy-driven configuration will be essential.
  • Endpoint readiness. Products are still developing capability and lag traditional network security appliances in being ready for Zero Trust, but many vendors now understand the strategic imperative.
  • Our own readiness. Zero Trust is such a fundamental shift that many network security practitioners simply don’t yet get it.

Pressure from cloud, mobile workforce and the changing nature of corporate networks is going to disrupt much of the existing, fortress-based approach to information security. But the reality is, those defences have been crumbling for years.

Predictably, many IT security experts are responding by either trying to extend the fortress or build more fortresses; and that strategy will remain valid in certain situations.

But Zero Trust offers us a model for consideration that both addresses the shortcomings of our current security model and, equally importantly, positions us to support the likely future state of corporate networks.


Clem Colman

Clem Colman is an experienced business leader and IT Security specialist. He is National Lead – Cybersecurity Centre of Excellence for Consulting ANZ, and Director of Operations, DXC Saltbush.

Comments

  1. John Hodgson says:

    Clem, the military replaced the city walls with a series of trial defensive strategies (almost none worked for more than a period of 50 years), ending in the trenches of WW1, also not working as intended as they stopped either side achieving their objectives for 4 long war years. Modern theories of Defence and Attack are largely based on 5 and more dimensions to be managed and dominated (the 3 physical (air, sea & land), 1 Intellectual (knowledge), 1 meta-physical (morale, intent), Time, and possibly Planning prowess).

    If we manage these better than our opponent, eventually we prevail. But if we allow escalation beyond the selected field of battle, our business assets become damaged as the opponent finds new ways to reach and damage them in ways we find unacceptable. Terrorism is an example, so is a nuclear war, also genocide.

    I am not sure that we SHOULD draw analogies to military domains, but it may be inevitable given the growing dependency we have on data, its use, storage and communication… I understand why we may be drawn to the medieval example, it “seems” like a good fit, but more recent military technology examples might be more relevant. The military engineering we see in both defensive and offensive cyber security methods of 2010-20 is more relevant; as are the multi-faceted alliances that our world now relies on.

    Unfortunately, your great article didn’t have room to address these other aspects of modern cybersecurity conflict, but I would be interested in considering their importance at a future opportunity.

    Regards, John Hodgson
