What’s the right amount of trust to build into your network? Less than Zero

Paid Feature “The trust of the innocent is the liar's most useful tool,” Stephen King wrote. At least that’s what the internet claims.

But “proving” the provenance of this quote is surprisingly difficult. That’s the problem with trust. It’s slippery, and when it’s misplaced, the consequences can be catastrophic. As we can see with cybersecurity, time and time again.

The pandemic has highlighted what were already pervasive security issues with trust, corporate networks, and the internet. Home and remote working mean the “network” no longer corresponds to a particular location. This in turn highlights the existing shortcomings of VPNs, (the traditional secure way for remote workers to access the corporate network).

The entire model of a VPN is predicated on delivering access to a location whether that location, or network, is on-premises or in the cloud, says Andrew Sinclair, head of product at UK managed services and cloud provider iomart. And this is the problem with traditional credential-based authentication.

“People have been able to connect to a business by using just a username and password. And then once they're delivered into the network, it's assumed that they're trusted.”

But once in, the user, or the criminal who has hijacked their device or identity, has free rein to do whatever they want on that network, Sinclair explains. “They could scan the whole network, once connected, to uncover anything of interest or can even attempt to access other systems.”

This ability for interlopers to indulge in “lateral movement” is the “number one reason why businesses experience devastating ransomware attacks,” says Sinclair.

This is no abstract challenge. IDC reports that more than a third of businesses have been hit by a ransomware attack, or breach that blocked systems or data, over the last 12 months. “It's by far the biggest conversation piece we're having with customers, certainly for the past 24 months,” says Sinclair.

So, where do customers turn?

There’s no doubt that customers are being offered what Sinclair describes as “loads of really expensive third party vendor network security.” These will promise not just security but, for example, AI-powered, self-learning security.

But these solutions are expensive. And if they are supplied as an appliance, companies face the issue of not just managing security, but managing the device itself. They could also face the prospect of duplicating that expense and effort at each key location.

But there are even more fundamental challenges with this approach, says Sinclair. “The problem with these tools is that the focus is policing the business network, under the assumption that the business network is a safe place to be.”

An insecure world without borders

But in reality, businesses may operate across hybrid cloud and multi-cloud, with multiple geographies and multiple clients, without the reassurance that security controls will be consistent. “How can businesses make sure that their data is constantly secure with TLS over a sprawling network?” asks Sinclair. “It's an incredible challenge.”

And it doesn’t stop there. Because very few users, and their data, exist in a secure enclosed network. Rather, he argues, “The reality is, your data travels, from AWS, to Azure, to data centres around the globe.”

So, “if you're trying to move the internal network back to being in a position of trust, then you’ve already lost.”

Instead, all networks should be considered untrusted and this is the basis of Zero Trust, or the concept of a software defined perimeter. “The first tenet is that the network is always assumed to be hostile,” he says.

Once you accept that, it’s an easy step to embrace the second tenet. “You should assume that external and internal threats always exist within your network at all times.”

From there, the third principle is that “the locality of the network is not sufficient for deciding if a user or a device who's connected to that network is trusted or untrusted.”

It’s easy to see how these principles map to other modern network concepts, particularly SD-WAN, which abstracts the network and access to different parts of it, away from the physical infrastructure.

So, what does this mean in practice, for example in the Managed Software Defined Perimeter (SDP) service that iomart provides its customers?

Security, laterally

The starting point for all this with iomart’s service is the installation of an agent on the user's Windows, Mac or Linux device.

Then, iomart’s security team “engages with the business and initially does a discovery and tries to identify where all the key points of data are across the business, whether it's Microsoft Azure, Amazon or on-premises at the data centre. And then our team designs the architecture and installs the software needed for your users to connect to their applications wherever those users might be. And that’s how the SDP service connects to anywhere.”

And then our team designs the architecture and installs the software needed for your users to connect to their applications wherever those users might be

When it comes to a given user’s device, says Sinclair, “we can ensure it’s been through the enrolment process, and it's an acceptable device. That delivers some extra context.”

“We can show that the device is healthy, that it's fully patched, the anti-malware agent is running, it's updated. “Where the device is logging in from can be another piece of context. After two years logging in from your front room, a sudden log-in from Venezuela should really ring alarm bells.

Beyond that authentication, there’s ensuring the device and user are restricted when they’re “in” the network, to just whatever services or data they need to do their job.

“Trusted users are no longer dropped into the network. They're connected directly to the application that they've requested. So, with a single service, the challenges with lateral movement are overcome.”

Whenever there's a security challenge, or a problem that alerts the SDP system, iomart’s SDP also writes out to its XDR service, which in turn goes into the company’s security team. The offending device is disconnected from the network, while iomart’s security team will run through a playbook that is customised for each customer.

The triage process is followed by “lessons learned, figuring out how the malware got in, was it zero day malware or something similar.”

It’s important to remember that in addition to the SDP agent, says Sinclair, “you still require some type of anti-malware deep security. We would recommend that whatever agent that you put into is usually some type of XDR agent which, in the event of something going wrong, will report back to a SIEM (security information & event management) system.”

Taken together, this gives admin teams “a surety that there's a layer of control - that perhaps wasn't there in the past.”

This applies to people inside the office as well as outside, as the policies apply across the whole business, not a geography.

“The admin team can be assured that when someone's connecting to the network, we know who they are, we know that their device is healthy. And we know that they're only going to be connecting to the things that they should be connecting to.”

Embracing this model can be a leap for organisations that previously centred their security strategy on something very clever, and very expensive, back at base. But, Sinclair argues, “a lot of enterprises have spent a lot of money investing in a lot of expensive tools. And they're still not sure actually what value that's delivering to them.”

Securing the remote user is just as important as advanced security controls on the servers that run the apps, he says, noting that nine out of ten security incursions start at the client level.

Sinclair recommends companies use a mitigation technology that can easily articulate its value.” The cost of an SDP managed service will typically come in at just slightly more per user than the average AV service cost and that means even the smallest business can afford to greatly increase their security posture, he says.

Which brings us back to the purported Stephen King quote about trust. It turns out it is indeed from a Stephen King novel. But proving this is tricky and laborious. That’s another thing about trust. Sometimes it makes sense for someone else to do all the hard work.

Sponsored by iomart.