Businesses who want to reliably prevent the exfiltration of sensitive data and improve their ability to defend against modern cyberthreats can consider a Zero Trust architecture. Zero Trust, introduced by analyst firm Forrester Research, is an alternative architecture for IT security.
Conventional security models operate on the outdated assumption that everything on the inside of an organization’s network can be trusted, but given increased attack sophistication and insider threats, new security measures need to be taken to stop them from spreading once inside. Because traditional security models design to protect the perimeter, threats that get inside the network are left invisible, uninspected and free to morph and move wherever they choose to successfully extract sensitive, valuable business data.
Zero Trust, rooted in the principle of “never trust, always verify,” is designed to address lateral threat movement within the network by leveraging micro-segmentation and granular perimeters enforcement, based on user, data and location. Lateral movement defines different techniques that attackers use to move through a network in search of valuable assets and data. With traditional perimeter-based security, businesses can define sub-perimeters within their organization networks using a specific set of rules for each using context around user, application traffic direction, etc. These sub-perimeters are designed to identify the spread of an attack within an organization and stop the unrestricted lateral movement throughout the network. Remember, the point of infiltration of an attack is often not the target location, and thus the reason stopping lateral movement is so important. For example, if an attacker infiltrates an endpoint, they may still need to move laterally throughout the environment to reach the data center where the targeted content resides, or if credential phishing is successfully used, those credentials should be authenticated against the database to reach the location of the data an attacker is seeking to extract.
How you define movement or access is based on who the user is and the defined appropriate interaction. For example, in most organizations users in marketing would be allowed to access databases with marketing content, customer content, and Salesforce, but would not have access to financial files or data; users in finance can have access to financial-related databases, but not HR information; and so on. It’s critical to identify who the users are, which applications they are trying to reach, and if the action is considered an appropriate session. If these junctions, or inspection points, are not in place, you cannot identify the traffic to stop the movement.
Use Zero Trust to gain visibility and context for all traffic – across user, device, location and application – plus zoning capabilities for visibility into internal traffic. To gain traffic visibility and context, it needs to go through a next-generation firewall with decryption capabilities. The next-generation firewall enables micro-segmentation of perimeters, and acts as border control within your organization. While it’s necessary to secure the external perimeter border, it’s even more crucial to gain the visibility to verify traffic as it crosses between the different functions within the network. Adding two factor authentication and other verification methods will increase your ability to verify users correctly. Leverage a Zero Trust approach to identify your business processes, users, data, data flows, and associated risks, and set policy rules that can be updated automatically, based on associated risks, with every iteration.
To learn more about Zero Trust in the data center, view the “How to Enable Zero Trust Security for your Data Center” webinar, or read the whitepaper, “Getting Started with a Zero Trust Approach to Network Security”. “Five Steps to a Zero Trust Network”, a whitepaper from Forrester Research, is also available to help with implementation across the enterprise for businesses ready to take the next step.
You can also view the following pages on the Palo Alto Networks website for additional information: