Zero trust in hybrid environments
- By Mike Riemer
- Nov 02, 2020
As more government organizations operate hybrid environments with data centers both on-prem and in the cloud, the network perimeter has become much more complex. The National Institute of Standards and Technology, therefore, recently issued newly enhanced and reorganized guidance recommending that all organizations deploy a zero-trust architecture, stipulating there should be no trust without verification.
In today’s uncertain world where the majority of workers are remote, government requires zero-trust solutions that can allow transformation while also defending assets for any user, from any device, anywhere, to any application, at any time.
Zero trust implies no trust without verification – and that verification cannot be based solely on where workers are located or what machines they are using. There must be more data that can inform InfoSec teams if a user’s behavior is normal or risky. Even if an organization comprises hundreds of users, some of whom work remotely and others within the “four walls” of an organization, machine learning is essential to ascertain what behaviors are considered low risk and what actions might well be flagged.
A zero-trust security infrastructure with machine learning can maintain better oversight of today’s complicated network perimeter. Machine learning can provide insights into user conduct that will ultimately help the InfoSec team note any deviations and identify risky behavior that may be a sign of a breach. Today’s zero-trust solutions should also utilize Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) framework as well as software defined perimeter (SDP) technologies.
Gartner’s CARTA framework allows organizations to assign a risk score to their users. Risk scores can rise and fall for many reasons. For instance, if an HR employee suddenly gets access to sensitive financial records, the risk score would rise -- allowing the security pros to flag any issues in real time. CARTA augments context- and identity-centric policies with built-in user and entity behavior analytics, whereby attributes for every session are monitored and assessed. By applying proprietary risk-scoring algorithms to identify noncompliant, malicious and anomalous activity, an organization can expedite threat mitigation.
SDPs are an extension to zero trust that removes the implicit trust from the entire network perimeter. Many pros believe SDPs are critical to achieving a truly seamless zero-trust model where everyone and everything is verified before being allowed into a network perimeter. Today, many zero-trust solutions use the Cloud Security Alliance’s SDP architecture alongside traditional VPNs to help provide extensive identity and device authentication, separate control and data planes and centralized granular policy management to thwart unauthorized access and propagation of attacks.
While government InfoSec pros believe that zero trust is an important cybersecurity strategy, many still have a long way to go in implementing the model. This is especially true when it comes to smaller agencies, as many pros fear the price tag to deploy zero trust will be too high.
Currently zero-trust solutions can easily be deployed and operated as a service. Despite budget or infrastructure restrictions, it is possible to have a cloud-based, multi-tenant secure access service that provides users easy, anywhere access to multicloud and data center applications with zero trust assurance. Because many of these solutions are subscription-based, pay-as-you-go models, the cost is considerably lower, allowing any organization, no matter its size and complexity, to take advantage of a zero-trust architecture.
Today, government organizations require solutions that can help improve the flexibility, agility and scalability of application access, enabling digital services to thrive. Agencies should look to zero trust software-as-a-service solutions that can handle the complexities of hybrid environments and account for several internal networks, remote offices and security roles of workers.
Mike Riemer is field CTO with Pulse Secure.