Building Untrusted Networks to Improve Security

EARL DUBY, CISO and Vice President, LEAR Corporation (NYSE: LEA)

EARL DUBY, CISO and Vice President, LEAR Corporation (NYSE: LEA)

In the early 2000s, owners and managers of tall buildings scrambled to improve the security of their assets, their tenants, and the millions of visitors that frequented their sites annually. In a rush to enhance the security and safety of their buildings, along with the people who occupied them, facility managers invested millions of dollars on access controls, monitoring systems, and people to ensure they were better prepared for unexpected events. On the heels of historic and unprecedented events, the Building Owners and Managers Association of Greater Los Angeles (BOMA) partnered with the RAND Corporation in 2002 to review the state of building-security in that city. The results of the study, noting a surge in additional cameras, perimeter controls and security personnel, would look familiar to today’s InfoSec professionals. In an especially foretelling passage, the 20-year-old study predicts: “Although a ‘security standard’ has not emerged, we expect stricter access controls of one type or another to be permanent additions to downtown high-rise buildings.” Prior to 2000, it was not uncommon for visitors to be able to roam from floor to floor, hallway to hallway, and business to business, unfettered once they passed through the lobby doors. After 2001, this free access was significantly curtailed by security guards, turnstiles, card-controlled doorways, which were in turn monitored by cameras, facial recognition systems. More recently, visitors are even monitored by artificial intelligence engines designed to predict disruption. When it comes to protecting corporate digital assets, it’s high time that the owners and managers of corporate networks take the same approach and sense of urgency as their physical-security counterparts.

In another interesting parallel between defending physical buildings and digital castles, the RAND report stated the following: “The prevention decisions within the control of building owners and managers center on ‘hardening the target,’ which can accomplish (1) deterrence and (2) detection and denial.” This same approach rings true for digital defenders as well. One of the best ways to defend the digital assets of a company is to adopt the Zero Trust framework of controls. Given the recent attacks on corporations and governmental agencies alike, whether through SolarWinds or any other advanced attack, it is imperative that access to data be further locked down, protected, and monitored. We must complete the progression from open trust to full verification. As Forrester Research’s John Kindervag pointed out in 2009, the guiding principal of Zero Trust is a mindset of “never trust, always verify.” Anyone who has experience with Red Teaming a corporate network knows full well that there is still a lot of implicit trust that can be exploited. A Zero Trust control framework provides digital defenders the same value as a complimentary mindset does for the protection of physical structures. Restricting and monitoring access provides better visibility into who and what is attempting to access business assets. Building rules and contextual decision-making into the controls makes it harder for attackers to exploit and bypass the controls that are in place. With the correct implementation, these additional controls can lead to a better experience for legitimate users of the assets (think of an access management portal that provides a single, secure way to access multiple applications).

When It Comes to Protecting Corporate Digital Assets, it’s High Time That the Owners and Managers of Corporate Networks Take the Same Approach and Sense of Urgency as Their Physical-Security Counterparts

The key components of establishing a less trusting network, and building in better verification, detection, and remediation, are tied to enhanced controls at the data and user level. Instead of assuming that anyone on your corporate network is supposed to be there, it is necessary to establish the identity of that person (or device) at the outset, then track that identity through the entire interaction. Systematic decisions of trust must then be made with every request for additional resources. Just as building managers had to improve their access controls 20 years ago to better defend against an evolving and asymmetric threat, network managers today need to adopt new and increasingly untrusting strategies to protect digital assets from a rapidly evolving, well-funded, and increasingly destructive set of adversaries.