Building Untrusted Networks to Improve Security
EARL DUBY, CISO and Vice President, LEAR Corporation (NYSE: LEA)
EARL DUBY, CISO and Vice President, LEAR Corporation (NYSE: LEA)
In another interesting parallel between defending physical buildings and digital castles, the RAND report stated the following: “The prevention decisions within the control of building owners and managers center on ‘hardening the target,’ which can accomplish (1) deterrence and (2) detection and denial.”
This same approach rings true for digital defenders as well. One of the best ways to defend the digital assets of a company is to adopt the Zero Trust framework of controls. Given the recent attacks on corporations and governmental agencies alike, whether through SolarWinds or any other advanced attack, it is imperative that access to data be further locked down, protected, and monitored.
We must complete the progression from open trust to full verification. As Forrester Research’s John Kindervag pointed out in 2009, the guiding principal of Zero Trust is a mindset of “never trust, always verify.” Anyone who has experience with Red Teaming a corporate network knows full well that there is still a lot of implicit trust that can be exploited.
A Zero Trust control framework provides digital defenders the same value as a complimentary mindset does for the protection of physical structures. Restricting and monitoring access provides better visibility into who and what is attempting to access business assets. Building rules and contextual decision-making into the controls makes it harder for attackers to exploit and bypass the controls that are in place. With the correct implementation, these additional controls can lead to a better experience for legitimate users of the assets (think of an access management portal that provides a single, secure way to access multiple applications).
The key components of establishing a less trusting network, and building in better verification, detection, and remediation, are tied to enhanced controls at the data and user level. Instead of assuming that anyone on your corporate network is supposed to be there, it is necessary to establish the identity of that person (or device) at the outset, then track that identity through the entire interaction. Systematic decisions of trust must then be made with every request for additional resources.
Just as building managers had to improve their access controls 20 years ago to better defend against an evolving and asymmetric threat, network managers today need to adopt new and increasingly untrusting strategies to protect digital assets from a rapidly evolving, well-funded, and increasingly destructive set of adversaries.
When It Comes to Protecting Corporate Digital Assets, it’s High Time That the Owners and Managers of Corporate Networks Take the Same Approach and Sense of Urgency as Their Physical-Security Counterparts
