When considering an organization’s security, the image that comes to mind is that of a fortified castle: thick walls surrounded by deep moats and sentries at the door to control entry. However, this image no longer corresponds to the reality of most companies.
Today, employees access the company’s network from remote locations, often using their own devices. Moreover, IT resources are not only used by humans, but also by application programming interfaces (API). In addition, cloud computing, frequently used in hybrid mode in conjunction with servers located on company premises, blurs the line between the company's own resources and those it rents from external sources.
“In this type of environment, it’s no longer appropriate to exercise strict control at the entrance of a secure perimeter, and then allow those who have entered to move freely within that perimeter,” Roger Ouellet, Senior Solutions Designer and Security Practice Leader at NOVIPRO, observed. “On the contrary, monitoring on all users as well as each of their actions must continue permanently within the perimeter. By default, we cannot trust anything or anyone.” This precautionary principle has inspired the “Zero Trust” model formalized by Forrester Research.
How Zero Trust can restore trust
Sidel, a leading provider of equipment and solutions for packaging liquids, food, and personal care products, is one of the companies who has adopted the Zero Trust model. Nearly 40,000 Sidel machines have been installed in over 190 countries. Based in Laval, Benoit Duhamel is a Senior IT Security Manager in Sidel’s Data Security Department.
“We already use the Zero Trust approach in information technology, and have been gradually introducing it into our operational technologies,” he explained. “Today, the machines we build contain a lot of software, and are more and more often networked. As a result, it’s essential that we ensure they won’t be hijacked by an unauthorized program that might infiltrate these networks.”
This security requirement has led Sidel to conduct vulnerability assessments on all of their machines before they are delivered. The company also tests its equipment for hacking attempts.
A security ecosystem in six dimensions
Using the Zero Trust model, an organization’s digital security can be considered along six dimensions. A variety of technologies enable companies to enhance security in each of these dimensions.
Data is one of the most valuable assets in any organization. For example, Sidel jealously guards its intellectual property; it wants to prevent plans for its future machines from falling into the hands of its competitors or of malicious individuals wishing to harm client users of these machines. Data encryption and local identification of users, at the moment they attempt to access each application, are two of the technologies that support a Zero Trust approach.
All devices – computers and smart phones, but also sensors and controllers – must be identified and analyzed as they attempt to access the network. A network access control (NAC) system identifies users, authenticates each device, and validates whether its configuration meets the network’s security standards. Next, advanced anti-virus software analyzes the device’s behaviour to detect suspicious activity. In each phone – whether owned by the company or the employee – a mobile device management (MDM) system isolates professional and confidential content so that, if required, it can be remotely wiped by the company without deleting any of the device’s other functions.
As company networks become increasingly interconnected, traditional segmentation has given way to a user-by-user, application-by-application microsegmentation process. “With every new request for access to a server or application, we grant the user only the access needed to complete authorized tasks,” Roger Ouellet explained. “When a delivery person rings my doorbell, I only unlock the door leading to a closed vestibule. I don’t open the back door or the garage door!”
Workload refers to the quantity of calculations and interactions a server must handle to execute a finite series of operations. The Zero Trust model considers each new workload as a potential risk, which must be analyzed before it is authorized. “In cloud computing, workloads can vary tremendously,” Ouellet noted. “A good security device should be able to detect the risk posed by each set of requests for an application.” That said, many companies overestimate the degree of security provided by cloud computing, according to Benoit Duhamel. “Ultimately, a company can’t rely solely on its cloud vendors’ security measures; it must take responsibility for the security of its own data.”
Many tools enable user identification and identity checks, by simultaneously using multiple identifying factors, for example. For occasional users of the network, an automated concierge service can assess and approve each request for connection, or obtain approval from an authorized employee.
6- Visibility, analytics, orchestration and automation
A security information and event management (SIEM) system provides full visibility, at all times, on the threats circulating through the company’s networks. It automatically filters the most dangerous threats, examines them and if needed, addresses them. Other systems orchestrate the preventive and remediation actions of various equipment and applications, and automate their provisioning and updates.
As hackers and computer spies finetune their techniques, the technology to prevent and block these attacks continues to be developed - to the point where today, companies can rely on highly sophisticated security tools. Since evaluating, implementing and operating these tools in a fully-coordinated manner is a complex task, some companies are choosing to complement their internal resources by outsourcing a portion of this work to a managed security service provider.
Read the first article in our "Security, a corporate challenge" series: Why a business continuity strategy is a must