3 Parameters for Building a Zero-Trust Cybersecurity Strategy

For years, companies defined their cybersecurity strategies around a perimeter mindset – firewalls and other on-premise safeguards that governed who was allowed in, and who was kept out, of an organization’s network. But in a world of multi-cloud environments and widespread remote access, the perimeter just isn’t tenable anymore. Worse, clinging to a perimeter strategy out of habit opens organizations up to serious security vulnerabilities.

Author: Scott Barlow, global VP of MSP and cloud alliances, Sophos

Businesses have changed up their data management strategies, shifting more data, applications and infrastructure to the cloud. Organizations have also been reimagining how – and where – their employees work, creating more opportunities for remote work thanks to VPNs and work-from-home policies. And a shift from on-premise – in both IT infrastructure and working opportunities – to more remote locations has been further accelerated by the past year’s pandemic. As these strategies have changed, a perimeter-based approach is no longer enough to offer adequate security. Because of this, that security approach needs to change as well – from a perimeter-based one to a zero-trust model.

“Zero trust” is exactly what it sounds like: a cybersecurity framework that does not implicitly assume trust in users. It’s about limiting corporate network access to only those who need it, exactly when they need it – and no more. If a user doesn’t absolutely need network access at a given time, then they don’t get it. Certificates, security tokens and other identity validators are key to verifying a user’s identity and then granting limited, granular network access at login, rather than implicitly trusting (and allowing access for) any network or user activity that seems secure.
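To make the “verify, then grant narrowly” idea concrete, here is a small access-decision routine written for this article as an added illustration; it is not Sophos code or any vendor’s API. Every request is evaluated on its own: the caller must present a valid, unexpired identity token, the device must pass a posture check, and the requested action on the requested resource must fall inside a time-bounded grant. Anything not explicitly permitted is denied. The token format, the signing key, the `Grant` and `Policy` names and the sample users, devices and resources are all assumptions constructed for the example.

```python
"""Minimal zero-trust access decision (added example, not vendor code).

Every request is checked independently: verified identity, healthy
device, and an explicit, time-bounded grant for the resource/action.
Default is deny. Token format and names are assumptions for this example.
"""
from dataclasses import dataclass
import base64
import hashlib
import hmac
import json

# Constructed example key; a real deployment would use a managed key.
SIGNING_KEY = b"example-key-not-for-production"


def issue_token(user, device_id, ttl, now):
    """Mint a short-lived, HMAC-signed identity token (example format)."""
    payload = {"sub": user, "dev": device_id, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(sig)


def verify_token(token, now):
    """Return the claims if signature and expiry check out, else None."""
    try:
        body, sig = token.split(b".")
        presented = base64.urlsafe_b64decode(sig)
    except ValueError:           # malformed token or bad base64
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:     # expired tokens are never trusted
        return None
    return claims


@dataclass(frozen=True)
class Grant:
    """One narrow, time-bounded permission: user -> actions on a resource."""
    user: str
    resource: str
    actions: frozenset
    not_before: float
    not_after: float


@dataclass
class Policy:
    grants: list
    healthy_devices: set   # devices that passed a posture check

    def decide(self, token, resource, action, now):
        """Allow only when identity, device and an explicit grant all match."""
        claims = verify_token(token, now)
        if claims is None:
            return False, "identity not verified"
        if claims["dev"] not in self.healthy_devices:
            return False, "device posture failed"
        for g in self.grants:
            if (g.user == claims["sub"] and g.resource == resource
                    and action in g.actions
                    and g.not_before <= now < g.not_after):
                return True, "granted"
        return False, "no matching grant"   # deny by default


if __name__ == "__main__":
    now = 1000.0
    policy = Policy(
        grants=[Grant("alice", "payroll-db", frozenset({"read"}), 900, 2000)],
        healthy_devices={"laptop-1"},
    )
    tok = issue_token("alice", "laptop-1", ttl=600, now=now)
    print(policy.decide(tok, "payroll-db", "read", now))    # (True, 'granted')
    print(policy.decide(tok, "payroll-db", "write", now))   # (False, 'no matching grant')
    print(policy.decide(tok, "payroll-db", "read", 1700))   # token expired
```

The point the code makes is that the decision is rebuilt from scratch on every request: a valid token alone grants nothing, a healthy device alone grants nothing, and a grant outside its time window grants nothing. The token here is a toy; a real deployment would rely on an established identity provider and standard token formats, but the shape of the check is the same.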

It’s not just about how businesses reorganize their own internal IT assets. The cyber threat landscape is rapidly evolving in scale, scope and severity. New threats and attack vectors are emerging all the time, putting many organizations back on their heels to think up new ways to defend themselves. As cybercriminals continue to mature their tactics, techniques and procedures for penetrating corporate cyber defenses, businesses simply can’t trust what’s happening within their own perimeters anymore.

A drastic change is needed. Tossing out the perimeter playbook might seem like too much to more cautious CIOs, CISOs and IT team leaders. But it’s what’s necessary for today’s threat landscape. Zero trust provides a methodology for deemphasizing traditional security perimeters – and the mindset of implicitly trusting users with carte-blanche network access – in favor of an “everything must be verified” approach.

As more businesses gravitate to a zero-trust strategy, here are three guiding parameters that should define their approach.

1. Conducting risk analysis to smartly allocate security resources

Maintaining a strong perimeter precluded the need for conducting risk analysis on user access – which was both a benefit (simpler to designate users and allow access) and, as we now see, a liability. Infrequent risk analysis means greater opportunity for threat actors to penetrate the perimeter. With so much more IT activity now coming in from the outside, a zero-trust strategy has to put risk analysis front and center. That means analyzing the risk levels of everything from individual IT infrastructure components and vendor systems to user logins, to determine where the greatest potential security vulnerabilities are, and then allocating security resources accordingly based on risk priority and need.

2. Complementing firewalls with application and data protection

A zero-trust strategy doesn’t mean dumping the perimeter altogether; firewalls still have an important role to play in securing on-premise assets. Instead, zero trust should be seen as a way of complementing your firewalls to protect applications or data that are in motion, accessed remotely, or stored in the cloud. Data protection tools and DevSecOps practices are essential elements for monitoring suspicious activity – and deflecting potential threats – while data is at rest, in motion or actively in use. The same goes for applications hosted in the cloud – security needs to be integrated into the software development process from the beginning to ensure a certain baseline level of protection.

3. Constant monitoring via human-led threat hunting and incident response

As the name would imply, zero trust leaves no room and no excuse for letting network assets and access go unmonitored. If you can’t trust all activity, then you shouldn’t let any activity go unmonitored, either. Organizations need to deploy constant, 24/7 monitoring over their environments to ensure that verified users are credible and have only narrow access into the network. Businesses can no longer afford a cybersecurity strategy that sits in a reactive position, jumping into action only after a data breach has occurred. Assume there are threats everywhere, all the time – because there are – and build your strategy accordingly.

That means continuous vigilance and monitoring. This can be achieved through a combination of data analysis software, AI and machine learning, human-led threat hunting, and incident response teams that are ready to go, carrying both the expertise and the lightning-fast response time needed to stay on top of threats or suspicious activity and intervene when necessary.
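What “monitoring verified users” looks like in practice is a pass over the access decisions themselves. The following detection script is an added example written for this article, not Sophos tooling: it runs over a few constructed access-decision log lines (the line format, user names, devices and resources are invented for the example) and raises two kinds of alert that a threat-hunting team would want to review. The first is a burst of denied requests from one identity in a short window, which can indicate credential misuse or a client probing for access it was never granted. The second is an allowed request to a resource outside the identity’s documented baseline, which is access that policy permitted but that is wider than the narrow scope the team expected. The baseline table is likewise a constructed assumption.

```python
"""Detection pass over constructed zero-trust access-decision logs.

Added example: the log format, sample lines and baseline are invented.
Detections:
  1. denial_burst     - >= `threshold` denials for one user within `window` s
  2. outside_baseline - an allowed access to a resource not in the user's
                        documented baseline (valid per policy, but wider
                        than the narrow access the team expects)
"""
import re
from collections import defaultdict, deque

# Assumed log line shape: "<ts> user=<u> dev=<d> res=<r> act=<a> decision=allow|deny [reason="..."]"
LOG_RE = re.compile(
    r'^(?P<ts>\d+) user=(?P<user>\S+) dev=(?P<dev>\S+) '
    r'res=(?P<res>\S+) act=(?P<act>\S+) decision=(?P<dec>allow|deny)'
    r'(?: reason="(?P<reason>[^"]*)")?$'
)

# Constructed sample log; includes one malformed line to exercise parsing.
SAMPLE_LOG = """\
1000 user=alice dev=laptop-1 res=payroll-db act=read decision=allow
1010 user=alice dev=laptop-1 res=payroll-db act=write decision=deny reason="no matching grant"
1015 user=alice dev=laptop-1 res=hr-share act=read decision=deny reason="no matching grant"
1020 user=alice dev=laptop-1 res=finance-api act=read decision=deny reason="no matching grant"
1200 user=bob dev=laptop-7 res=build-server act=read decision=allow
1300 user=bob dev=laptop-7 res=payroll-db act=read decision=allow
1400 user=bob dev=laptop-7 res=build-server act=read decision=allow
bad line here
"""

# Constructed baseline: the resources each identity is expected to touch.
BASELINE = {"alice": {"payroll-db"}, "bob": {"build-server"}}


def parse(text):
    """Parse log lines into event dicts; count lines that do not match."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            malformed += 1      # never silently drop unparseable input
            continue
        event = m.groupdict()
        event["ts"] = int(event["ts"])
        events.append(event)
    return events, malformed


def detect(events, baseline, window=300, threshold=3):
    """Return alerts as (kind, user, detail) tuples in time order."""
    alerts = []
    recent_denials = defaultdict(deque)   # user -> timestamps of denials
    burst_reported = set()                # one burst alert per user
    for e in events:
        if e["dec"] == "deny":
            q = recent_denials[e["user"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold and e["user"] not in burst_reported:
                burst_reported.add(e["user"])
                alerts.append(("denial_burst", e["user"], e["ts"]))
        elif e["res"] not in baseline.get(e["user"], set()):
            alerts.append(("outside_baseline", e["user"], e["res"]))
    return alerts


if __name__ == "__main__":
    evts, bad = parse(SAMPLE_LOG)
    print(f"parsed {len(evts)} events, {bad} malformed")
    for alert in detect(evts, BASELINE):
        print(alert)
```

Both detections are deliberately cheap to compute, which is what makes them suitable for continuous, always-on evaluation; the human-led part of the process starts where the script stops, deciding whether bob’s access to the payroll database is a legitimate change in duties or the first sign of a compromised account.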

CompTIA’s 2020 State of Cybersecurity report found that only 22% of companies are currently utilizing a zero-trust security strategy. This is just too little, given the rapid evolution in both the scale of corporate IT environments and the volume of threats they face. The SolarWinds hack offers a recent cautionary tale – had the IRS or Treasury Department been more zero-trust minded, who knows how much sooner they could’ve spotted that data breach?

When it comes to building a zero-trust strategy for defending your business, there’s no more time to waste. Sophos Rapid Response is an industry-first offering that provides the incident response capabilities needed to bolster zero-trust security, providing a solution that can quickly stop active attacks, eject cyber attackers from corporate networks, and get your organization back on its feet while incurring minimal costs, damage and recovery time in the process.

Scott Barlow is vice president of global MSP and cloud alliances, Sophos. Read more Sophos guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.