Page 46 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

trusted zone where they can move laterally into the network. In these traditional security environments, the network perimeter is the primary mechanism for enforcing access. Its focus on maximum interoperability means that the default posture is to connect to everything, without asking what or why users and systems really should be connecting to, or how access should be controlled to minimize risk and data breaches.

Zero trust security and architecture are designed to address these questions, building security on a default foundation where no user or system is allowed access to a resource until a certain level of trust has been established. In a zero trust environment, every connection and all access are explicitly defined, authorized, and constrained on each connection attempt. When a service (such as a system, application, container, etc.) needs to connect with another service, that connection must use a valid authentication method, pass some level of authorization, and be constrained and/or controlled to a strict "need to know" basis for access. Hence the default posture of "zero trust" until you prove to be trusted. And even then, that trust holds only for that specific instance.
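As an added illustration (not code from the article), here is a minimal default-deny evaluator in Python that treats each service-to-service connection attempt the way the paragraph describes: authenticate the caller, require an explicit rule for that caller, target and operation, and keep no state between attempts. The service names, shared secrets and policy rules are constructed for the example, and the shared-secret check stands in for a real authentication method such as mTLS.

```python
from dataclasses import dataclass
import hmac

# Constructed identities: a per-service secret stands in for a real
# authentication mechanism (mTLS certificates, signed tokens, ...).
CREDENTIALS = {"web-frontend": "s3cr3t-web", "order-api": "s3cr3t-order"}

# Explicit allow rules as (caller, target, operation). Nothing else is
# permitted: absence of a rule is a denial, not a gap to fall through.
POLICY = {
    ("web-frontend", "order-api", "read"),
    ("order-api", "inventory-db", "read"),
}

@dataclass(frozen=True)
class ConnectionAttempt:
    caller: str
    credential: str
    target: str
    operation: str

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authenticate(attempt: ConnectionAttempt) -> bool:
    """Valid authentication: the caller presents the secret registered for it."""
    expected = CREDENTIALS.get(attempt.caller)
    return expected is not None and hmac.compare_digest(expected, attempt.credential)

def authorize(attempt: ConnectionAttempt) -> bool:
    """Need-to-know: only an exact (caller, target, operation) rule grants access."""
    return (attempt.caller, attempt.target, attempt.operation) in POLICY

def evaluate(attempt: ConnectionAttempt) -> Decision:
    """Zero trust posture: deny unless this attempt passes every check.
    The function is stateless, so an earlier allow never carries over."""
    if not authenticate(attempt):
        return Decision(False, "authentication failed")
    if not authorize(attempt):
        return Decision(False, "no explicit rule for this connection")
    return Decision(True, "explicitly authorized for this attempt")

def full_trust_evaluate(attempt: ConnectionAttempt) -> Decision:
    """The legacy perimeter posture described above, for contrast."""
    return Decision(True, "inside the perimeter, connect to everything")
```

Running the same attempts through both evaluators shows the difference in posture: the perimeter model allows a frontend to reach the database directly, while the zero trust evaluator denies it for lack of an explicit rule.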



            Zero Trust in the Real World

As an approach and architectural concept, zero trust is relatively simple. As a practical best practice to architect and deploy, however, zero trust can be difficult. This is mostly because today's existing, legacy security environments are not designed, built, and deployed around zero trust principles.

Especially in today's DevOps-driven cloud environments, development teams often build application and service environments in "full trust" mode with little to no access restrictions or security controls. Only after the application and cloud environment are built do security and DevOps teams work to implement security controls and access restrictions on the production environment. In essence, the environment begins in a vulnerable state. And as the complexity of the cloud environment grows, the complexity of the security controls and their enforcement grows along with it. If certain controls or configurations are missed or inaccurate, the environment can be left vulnerable. According to Verizon's 2022 Data Breach Investigations Report, misconfiguration errors scored as the highest source of data breaches.

In contrast, if a zero trust architecture and approach were deployed and enforced by default, the environment would be inherently secure, with no user or system having access. Not only would the granting of access be a required and overt act, but the number of services needing access and the scope of that access would also be finite and on a need-to-know basis. So, once you grant a system or user the appropriate access — while automating the application of those rights — you're done. And since this approach is deployed and enforced automatically and by default, the inherent security of the environment grows more seamlessly and at the same rate as the environment itself (and its complexity).