Taking Your Zero Trust Strategy to the Endpoint

Published on February 28th, 2023 📆 | 1722 Views ⚑



Twenty percent of organizations recently admitted that a historic cyberattack almost rendered them insolvent. That’s pretty sobering information in a world where threats are rising, geopolitical tensions are sky-high and the cybercrime underground is thriving. CISOs could be forgiven for wondering if now might be the time to join the Great Resignation and find a less stressful means of employment.


Help is available. Although by no means a silver bullet, Zero Trust offers a smarter way to manage enterprise cyber risk. The key is to understand all three elements: the user, the data they are trying to access and, most critically, the status of their endpoint.


No More Castles, No More Moats

Traditional network security was built around a simple idea: a locked-down perimeter through which all users had to pass if they wanted access to the network assets within. Once they authenticated and passed through this “moat,” they were trusted implicitly to wander freely inside the castle grounds. Until recently, this was referred to as network-based Zero Trust. It is more correctly an “implicit trust” implementation.


The problem with this setup is obvious. If a user’s credentials are stolen, it becomes trivial for an attacker to gain network access. If little security is focused inside the perimeter, attackers are left largely undisturbed to move laterally, steal data and deploy malicious payloads.


The pandemic accelerated adoption of Zero Trust. From a computing perspective, the world is no longer as simple as it once was. IT environments are distributed across home-working endpoints, cloud applications and infrastructure. That puts more pressure on IT to control access depending on what data or applications the user is attempting to reach. It effectively makes the endpoint the new perimeter.


But what if those endpoint devices are unpatched, misconfigured or connecting through unsecured Wi-Fi? In this new era it is not just the user and the data that need to be monitored and authenticated, but also device posture.


The Zero Trust Difference

This is where Zero Trust comes in. But it has evolved from the “implicit trust” model above into what is now considered “explicit trust.” It combines the notion of least privilege with contextual access to create a more agile security model fit for purpose in the cloud and mobile era. It is about never trusting and always verifying. Once a user and device are tested and approved, the network is segmented and what users can access is minimized to only what they need to do their jobs. This reduces the attack surface and the potential blast radius of attacks if threat actors do get in — all without impacting productivity.


Here’s the problem: while many organizations focus on the user and the application they are trying to reach, they often forget the endpoint. That could be a critical omission in a world where vulnerability exploitation is on the rise. In fact, a record number of bugs were published on NIST’s National Vulnerability Database (NVD) last year, the fifth year in a row that an all-time record has been set. Hundreds now exist on CISA’s “must patch” list, the Known Exploited Vulnerabilities Catalog. A misconfigured or unpatched endpoint could be as useful an attack vector as a stolen credential, with the potential to bring the whole Zero Trust model crashing down.


Speed, Precision and Continuous Visibility

So what do organizations need to create effective Zero Trust policies? From an access perspective, it means focusing on:


  1. Multi-factor authentication (MFA) to validate the user
  2. An understanding of the applications they need to access
  3. Endpoint management and security to ensure the device is secure


From the lens of an endpoint security vendor, organizations need capabilities including:


  • Continuous checks for compliance with security policies at speed and scale across all enterprise endpoints
  • Visibility into configuration and vulnerability management status
  • Frequently refreshed risk scores based on the above
  • The ability to dig deeper if policies are broken
  • A vendor that integrates with third-party providers via open APIs
  • The speed to authenticate devices in the blink of an eye while other checks are being made, minimizing user friction
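To make the three access elements and the endpoint capabilities above concrete, here is an added example (not code from the original post or any vendor product) of a small access-decision function that evaluates MFA status, the sensitivity of the requested application and the device's posture, and refuses to trust a risk score that has not been refreshed recently. App names, thresholds, field names and the `quarantine` outcome are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed sample policy: app names, thresholds and field names are assumptions.

@dataclass
class DevicePosture:
    device_id: str
    patched: bool              # no outstanding critical patches
    config_compliant: bool     # passes the configuration baseline checks
    risk_score: int            # 0 (clean) to 100 (critical), from the endpoint management feed
    score_refreshed: datetime  # when the risk score was last recomputed

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool         # element 1: the user passed MFA
    app: str                   # element 2: the application being reached
    device: DevicePosture      # element 3: the endpoint's posture

APP_SENSITIVITY = {"wiki": "low", "hr-payroll": "high", "source-repo": "high"}
RISK_LIMIT = {"low": 70, "high": 30}       # max acceptable risk score per tier
MAX_SCORE_AGE = timedelta(minutes=15)      # older scores count as not refreshed
NOW = datetime(2023, 2, 28, 9, 0, tzinfo=timezone.utc)  # fixed clock for the samples

def decide(req, now=NOW):
    """Return (decision, reason): allow, deny, or quarantine (hold and dig deeper first)."""
    if not req.mfa_verified:
        return "deny", "user not MFA-verified"
    tier = APP_SENSITIVITY.get(req.app, "high")  # unknown apps get the strict tier
    dev = req.device
    if now - dev.score_refreshed > MAX_SCORE_AGE:
        return "quarantine", f"risk score for {dev.device_id} is stale; re-check posture"
    if not (dev.patched and dev.config_compliant):
        if tier == "high":
            return "deny", "non-compliant endpoint blocked from high-sensitivity app"
        return "quarantine", "non-compliant endpoint routed to remediation"
    if dev.risk_score > RISK_LIMIT[tier]:
        return "deny", f"risk score {dev.risk_score} exceeds limit for {tier}-sensitivity app"
    return "allow", "user, application and endpoint checks passed"

def make_request(user, mfa, app, patched, compliant, score, score_age_min):
    """Build a constructed request whose risk score was refreshed score_age_min minutes before NOW."""
    posture = DevicePosture("lt-0042", patched, compliant, score, NOW - timedelta(minutes=score_age_min))
    return AccessRequest(user, mfa, app, posture)

if __name__ == "__main__":
    for r in (make_request("alice", True, "hr-payroll", True, True, 12, 3),
              make_request("alice", True, "wiki", True, True, 12, 40)):
        print(r.app, decide(r))
```

Note that a stale score is never treated as "good enough": the device is held for a fresh posture check rather than waved through, which is the continuous-verification point the capability list makes.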


The Road Ahead

Zero Trust is no longer a “nice to have”. With the federal government now obliged to follow this path, there is a growing consensus that this should be the direction of travel for all organizations. This makes sense, especially in the context of increasingly sophisticated supply chain attacks like the SolarWinds and Kaseya campaigns that rely on exploiting trusted applications. Zero Trust makes these attacks harder for the bad guys and enables security staff to flag sooner when something is wrong.


Like security, Zero Trust is a journey rather than a destination. In time, we may begin to see a larger role for applications themselves in deciding whether to trust a particular browser or user. For now, organizations should focus on getting the basics right. That means remembering the outsized role that endpoint checks have in the Zero Trust process.
