Five Critical Ways To Prepare For A Better Security Environment In 2022
Given the continuing enterprise security landscape changes since early 2020, such as massively increased remote workforces and the ongoing push towards cloud-based services and infrastructure, many enterprise executives are rethinking and rearchitecting their enterprises to meet these challenges.
Remote work is now generally accepted as a permanent fixture; therefore, 2022 will require very different cybersecurity defenses to match the nature of new threats and what needs to be protected. That said, many enterprises are asking themselves how to move to the next level of security and how to prepare their environments for so many major changes. A major part of the answer for many organizations is Zero Trust.
Implementing Zero Trust is no simple task. The best way to start preparing is to decide what capabilities you want/need to add, what capabilities you need to merely enhance and how to make sure that this data is accessible to everyone with privileges as effortlessly and securely as is practical.
Here are five things to consider as preparatory steps in this journey.
Embracing Zero Trust is quite popular today, but Zero Trust is closer to a philosophy, or a mindset, more than anything else. Different enterprises will implement a Zero Trust approach differently, given their particular threat landscapes, the nature of their business, geographies, verticals, where they expect to be in 18 months, compliance obligations, customers and dozens of other variables.
But all enterprise Zero Trust deployments will have very strong authentication as the centerpiece security control. Strong authentication goes far beyond past security advice such as long passwords; it should be an ongoing process involving behavioral analytics, biometrics, location and more secure MFA, ultimately evolving into an entirely password-less and PIN-less world. It means watching all users all the time throughout all sessions, so hello continuous authentication and, ultimately, machine learning to figure out when a new behavior is likely malicious.
Once enterprise CISOs figure out the best high-level Zero Trust definition for their enterprise, senior management, LOB management and IT must be on board, along with a group commitment to implementation. Ideally, all participants must internalize the implications of this new security reality. Zero Trust will change the way systems are budgeted, designed and deployed, and all levels of the business must coordinate to achieve the desired results.
Zero Trust is truly a fundamental component of secure by design, key to reducing risk in the area of authentication and access control. Eventually, it will likely reduce the complexity of manual security operations by automating much of authentication and access control, and deliver far better security. That in turn will make compliance easier, especially if the same approach to Zero Trust is executed consistently across the global enterprise environment.
Realistically, though, let’s not minimize that Zero Trust is going to require big changes in how applications and systems are scoped, architected, built, operated and maintained. This includes on-premises, legacy apps and homegrown apps (including those inherited from myriad acquisitions over the life of the enterprise). For some enterprises, it delivers a nice bonus in the form of reduced licensing fees, as redundant apps are discovered and eliminated.
Zero Trust will also likely force new strategies for how data is handled by mobile devices, IoT and IIoT, as well as data exchanged with partners and customers globally.
Consider some good news. There are almost certainly some Zero Trust capabilities already baked into the security and IT infrastructure of most enterprises. The trick is identifying these existing Zero Trust security capabilities and determining whether they are accounted for in, and added to, your planned Zero Trust deployment.
Zero Trust doesn’t typically require a complete change of security controls, given that you may already have some of the key elements in place. For example, many modern cloud environments, such as Microsoft Azure, were built with Zero Trust in mind. But it will almost certainly need a rebalancing of security controls. Identity/IAM, for instance, typically takes on a vastly larger importance with a Zero Trust approach. Tasks/responsibilities may have to be rebalanced between Security and IT.
Although a gap assessment is common in these situations, a better approach might be to conduct a reverse gap assessment, meaning that the CISO’s team will identify all existing Zero Trust functionalities.
Enterprises have for decades been shifting more to the cloud every year, a pattern that sharply accelerated with the onset of COVID around March 2020. For many companies, a serious move to Zero Trust could accelerate that shift even more.
Fact: cloud environments are almost always very different from an enterprise’s on-premises environment, which means the wholesale movement of apps from the traditional data center to a cloud environment, without a review to see if they can or should be rearchitected to be more “cloud native,” can delay or stymie Zero Trust implementation. Taking data center server images and simply moving them to the cloud, sometimes called “lift-and-shift,” misses an opportunity to take advantage of the inherent security controls integrated into the major cloud platforms. This is particularly problematic for legacy apps and homegrown apps, as they were never designed to exist in a different environment.
If possible, take the time to review systems and determine if they can be reconfigured to take advantage of cloud-native security architecture and security controls. That’s why Zero Trust may require a redesign of the authentication mechanism for existing applications. By simply moving traditional servers to the cloud seeking cost savings, you may be losing out on an opportunity to redesign, reevaluate and perhaps rearchitect for a Zero Trust environment.
This is a key area and it’s an excellent example of how existing security control design needs to be explored in a Zero Trust environment. Individual point solutions that operate independent of one another are usually no longer sufficient. Authentication controls and processes, for example, need to take advantage of device information, anti-malware information, and so on. Authentication may be allowed only in conjunction with this data, and correspondingly may be revoked or limited based on data from these security controls after authentication has originally been granted.
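The following is an added example, not code from the original article, showing what the paragraph above describes: an access decision that takes device and anti-malware signals into account alongside identity, and a session that is re-evaluated and revoked when those signals change after the grant. All signal names, thresholds and the sample inputs are constructed for illustration.

```python
# Added example (not part of the original article): a small policy engine that
# grants, steps up or denies access from identity plus device/anti-malware
# signals, and re-evaluates a granted session when fresh signals arrive.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require phishing-resistant MFA before proceeding
    DENY = "deny"

@dataclass
class Signals:
    """Context gathered from IdAM, endpoint management and anti-malware tools (constructed fields)."""
    user: str
    mfa_strength: int       # 0 = password only, 1 = OTP, 2 = phishing-resistant (e.g. FIDO2)
    device_managed: bool    # device enrolled in MDM / known to the enterprise
    av_healthy: bool        # endpoint protection running with current signatures
    known_location: bool    # request comes from a location previously seen for this user
    risk_score: float       # 0.0 benign .. 1.0 malicious, from behavioral analytics

def evaluate(s: Signals, sensitive: bool) -> Decision:
    """Decide one request: every signal must agree, not just the password (thresholds are assumptions)."""
    if not s.device_managed or not s.av_healthy or s.risk_score >= 0.8:
        return Decision.DENY
    needs_strong = sensitive or not s.known_location or s.risk_score >= 0.5
    if needs_strong and s.mfa_strength < 2:
        return Decision.STEP_UP
    return Decision.ALLOW

@dataclass
class Session:
    user: str
    sensitive: bool
    active: bool = True

def grant(s: Signals, sensitive: bool) -> Optional[Session]:
    """Open a session only when the policy allows it outright."""
    return Session(s.user, sensitive) if evaluate(s, sensitive) is Decision.ALLOW else None

def reevaluate(sess: Session, fresh: Signals) -> Decision:
    """Continuous authentication: re-run the policy on fresh signals mid-session
    and revoke the session if the answer is no longer ALLOW."""
    d = evaluate(fresh, sess.sensitive)
    if d is not Decision.ALLOW:
        sess.active = False
    return d
```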
The new goal is to allow the secure and effortless (we should emphasize effortless, as in a lack of friction) flow of all data through all devices and data assets and between all users, partners, consultants and customers. In short, the strategy needs to protect, track, analyze, store and watch every dataflow from and to anyone or anything with access privileges.
The ability for all security tools to communicate with each other becomes essential, as opposed to today, when it’s often considered a nice-to-have. Identity and Access Management (IdAM) may need to communicate with SASE, etc. The interconnectivity of tools now needs to become a top-level buying criterion.
If you don’t want security tools that lack recognition and awareness of one another, communication between them all has to be a priority. And if you don’t want a rash of false negatives and false positives resulting from that lack of communication, it needs to be a factor in every purchasing decision.
There are plenty of vendors that are more than willing to sell all manner of products with the implicit or (sometimes) explicit promise that these purchases will automagically deliver a Zero Trust environment. Sadly, as we all know, it’s simply not that easy.
Buying tools as an initial action without a review of existing controls, infrastructure, needs, and a coherent plan is almost guaranteed to fail, and usually results in shelf-ware and lost time. Focus and understand fully how Identity and Access Management is currently used, understand how it is used in a Zero Trust environment and use that as a starting point.
Start by understanding what you already have and move to leverage those resources. Finally, figure out what you don’t have, and what is truly needed. Evaluate various cloud vendors and figure out what they have. Conduct a reverse gap assessment and figure out what’s still missing. Then, and only then, are you ready to talk with those vendors.
Embracing a true Zero Trust approach is going to deliver a much more secure and efficient enterprise landscape. But it won’t happen until the proper preparations are made. The benefits that lie ahead are more than worth the effort.
The information in this article is provided as a convenience, without warranties of any kind and MUFG Union Bank, N.A. disclaims all warranties, express or implied, with respect to the information. You are solely responsible for securing your systems, networks, and data. You should engage qualified experts to advise on your specific needs and requirements.