Cybersecurity Ventures – publisher of Cybercrime Magazine and a leading source of cybersecurity facts and figures – estimates that cybercrime will cost the world economy over $6 TRILLION in 2021. That’s “trillion” with a “t,” not billion. A truly astonishing amount of money, equal to nearly a third of the US GDP. On a more “micro” level, consulting firm Accenture’s ninth annual survey on the cost of cybercrime found that cybercrime cost enterprise-scale companies an average of $13 million per company in 2018; and for some individual companies, the cost was much, much higher.
Old ways of securing corporate data are clearly inadequate. Traditional security uses a “castle with a moat” philosophy – very strong perimeter defenses, but once a user is let into the castle, they have relatively easy – if not entirely free — access to wherever they want to go. That model can be disastrous, since once a hacker manages to breach the defenses, they are like the proverbial kids in the candy store, able to access all the “goodies.” And the risk is not limited to hackers: A “castle with a moat” approach offers no protection at all against “trusted insiders.”
The corporate world has rapidly been adopting a “Zero Trust” approach to network security, one in which every packet on the network is viewed with suspicion. Since microsegmentation (segregating network assets down to a very fine level) is a key enabling technology for Zero Trust, we’ll take a detailed look at the role microsegmentation plays in Zero Trust security.
Let’s start with some background on Zero Trust.
Introduction to Zero Trust
Zero Trust security is NOT any specific technology, tool, or piece of software. Zero Trust is an approach to network security. In contrast to the old approach under which a user was trusted once they were granted access to the network, the Zero Trust approach is, “never trust, always verify.” And that extends beyond just verifying a user. It’s also “never trust” when an authenticated user wants to access a given resource – “always verify” applies to each user-resource combination, with a user granted access only if the request meets required criteria.
When it comes to browsing the web, Zero Trust rejects the idea of “whitelisted” websites: All websites must be viewed with suspicion as potential sources of malware.
For more information on Zero Trust and the evolution of the concept, see our article, “Ten Years of Zero Trust – From Least Privilege Access to Microsegmentation and Beyond.”
Elements of Zero Trust
Many different technologies and security policies can contribute to a Zero Trust defense. These are a few of the most common:
- Beyond requiring user authentication, the “I” in Identity and Access Management means that a user should not be automatically trusted even once they are authenticated. Instead, it is essential to make sure that a user is indeed who they claim to be throughout the entire interaction, using live “in-session” data to provide context and re-affirm the appropriate level of trust. One of the best ways to do this is through multi-factor authentication. For a deep dive into user authentication, see this article in our series on Identity and Access Management.
- When a user is enticed into browsing to an infected website, malware designed to penetrate an endpoint browser can make its way onto the device’s operating system, and from there to an enterprise network. All it takes is a visit to the site; the user does not even need to click on anything. Organizations can guard against these types of web-based threats and credential-stealing phishing attacks with Remote Browser Isolation (RBI). RBI applies a Zero Trust approach to external, browser-accessed resources such as websites. With RBI, internet access is routed through a virtual browser located in a disposable container in the cloud. Just as RBI can protect your users from malicious sites, RBI can create an air gap between the net and enterprise cloud applications, protecting the apps from malicious users or compromised devices that may attempt to penetrate enterprise systems via an app.
- Identify suspicious activity quickly with real-time logging, inspection, and verification of traffic on your server. Pay special attention to critical applications.
- Implement “least privilege access” and microsegmentation. This approach grants users access only to the apps and data they need in order to do their jobs.
Network segmentation is not a new concept – it’s an evolution of an idea that’s been around for a long time. In the past, network segmentation was hardware defined, and took the approach of providing stronger and better (and more expensive) security for the network segments hosting critical applications and the most sensitive data, and utilizing looser controls for less sensitive applications and data.
Perimeter defenses are concerned with what network administrators call “north-south” traffic, traffic coming into the network from the outside. While new security approaches certainly require stronger authentication for north-south traffic than previous solutions, microsegmentation is more frequently applied to reducing the attack surface by controlling “east-west” traffic – that is, lateral movement within the network.
Microsegmentation is generally identity-based and software defined, and thus enables much greater granularity than is possible with a traditional hardware-based approach.
The principle of “least privilege access” is the heart of microsegmentation. With least privilege access, each individual user is granted access to only the specific apps and data that that user needs in order to accomplish the tasks required for their job. That way, the damage that can be done by an unscrupulous (or easily duped) insider, a compromised device, or by a hacker who breaks in using stolen credentials is limited to the apps and data that particular user was permitted to access.
There are many different ways to implement least privilege access. The most common scheme – albeit one that is not truly least privilege – is “Role Based Access Control” (RBAC). With RBAC, security policies defining the applications and data a user can access are determined by the user’s role within the organization. For instance, engineers will typically have access to very different resources than HR personnel – but every engineer at the same grade level or with the same title will have access to the same resources, regardless of whether or not every one of them needs all those resources.
Because even RBAC grants excessive access permissions, the ideal is to define access permissions not by a role, but by what each particular individual needs to do their job.
With microsegmentation, access can be controlled down to the individual user, application, and workload level.
There are many additional ways microsegmentation can further limit access to enhance security. In addition to restricting access to resources based on who the user is, security controls can be context sensitive, restricted by criteria including user location, endpoint device, or time of day.
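The contrast between a role-based grant and a per-user, context-sensitive, default-deny decision can be shown in a few lines. This is an added example, not code from the original article or from any product it mentions; the users, roles, resources, and rules are constructed sample data.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample data: what each role grants under RBAC.
ROLE_GRANTS = {
    "engineer": {"git", "ci", "build-cache", "prod-db", "wiki"},
    "hr": {"payroll", "hris", "wiki"},
}
USER_ROLES = {"alice": "engineer", "bob": "engineer", "carol": "hr"}

@dataclass(frozen=True)
class Rule:
    """One per-user grant for one resource, with context constraints."""
    resource: str
    locations: frozenset   # user locations the grant applies to
    managed_device: bool   # True: only from a managed endpoint
    start: time            # allowed time-of-day window (inclusive)
    end: time

ANY = frozenset({"office", "home"})
USER_RULES = {  # constructed: what each individual actually needs
    "alice": [Rule("git", ANY, False, time(0), time(23, 59)),
              Rule("prod-db", frozenset({"office"}), True, time(8), time(18))],
    "bob": [Rule("git", ANY, False, time(0), time(23, 59)),
            Rule("ci", ANY, False, time(0), time(23, 59))],
    "carol": [Rule("payroll", frozenset({"office"}), True, time(8), time(18))],
}

def rbac_allows(user, resource):
    """RBAC: anyone holding the role gets everything the role grants."""
    return resource in ROLE_GRANTS.get(USER_ROLES.get(user), set())

def least_privilege_allows(user, resource, location, managed, now):
    """Default deny: allow only when a rule for this exact user-resource
    pair exists and the request context satisfies it."""
    for r in USER_RULES.get(user, []):
        if (r.resource == resource and location in r.locations
                and (managed or not r.managed_device)
                and r.start <= now <= r.end):
            return True
    return False

def excess_access(user):
    """Resources the role grants that the user has no per-user rule for:
    the extra reach stolen credentials would gain under RBAC alone."""
    needed = {r.resource for r in USER_RULES.get(user, [])}
    return ROLE_GRANTS.get(USER_ROLES.get(user), set()) - needed
```

Under the role-based check, bob can reach prod-db simply because he is an engineer; under the per-user rules the same request is denied, and alice's access to it is refused from home, from an unmanaged device, or outside the time window.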
Most enterprises operate in a complex IT environment. The coronavirus pandemic has sharply accelerated a previously slow-building trend toward working from home. The steady migration toward cloud computing was also sped up as a result of widespread office closures, resulting in most companies now operating in a hybrid cloud or multi-cloud environment. During this period of digital transformation, it’s crucial that microsegmentation implementations cover all of an organization’s users – wherever they are, in the office, at home, or away – and all of the organization’s resources, whether hosted in a data center or in the cloud.
RBAC is the most common way to implement least-privilege access, primarily because determining each user’s precise access requirements is an onerous task, especially in large-scale corporate environments. But there is no question that implementing least-privilege access at the individual user level is far more secure. Ericom Application Isolator (EAI) uses a machine-learning based approach to enable organizations with many tens of thousands of users to create policies at the individual user level automatically, providing the greatest level of security without adding excessive administrative burden. EAI bars users from accessing apps and data they aren’t authorized to use, and prevents them from even seeing which other apps and data are present on the network.
Benefits of Microsegmentation
In many ways, microsegmentation is more about “damage control” than about preventing all attacks. With microsegmentation, attack surfaces are reduced to a minimum, and unauthorized lateral movement within the data center or to other resources is prevented.
Even enterprises that are extremely security conscious and carefully follow cybersecurity best practices may find themselves the victims of cybercrime. With microsegmentation the damage an attacker can do with stolen credentials or some other form of unauthorized access is minimized.
Software-defined microsegmentation can secure IT resources regardless of whether they are on an internal network, or in a hybrid cloud or multi-cloud environment.
As the world grows to be increasingly dependent on the billions of interconnected devices that are at the heart of modern civilization, and which control the infrastructure upon which modern life depends, cybersecurity has become more critical than ever. With the cost of cybercrime reaching trillions of dollars per year, old cybersecurity paradigms based on strong perimeter defenses around a company’s network have clearly been proven inadequate to the security challenges of the 21st century, especially as more companies switch to a hybrid cloud or multi-cloud approach.
It’s essential to adopt a “Zero Trust” approach to network security, and microsegmentation is a key component in implementing Zero Trust security. Microsegmentation may not be able to prevent all cyberattacks, but it can vastly limit the damage from any attacks that initially succeed. To learn more about how microsegmenting access can protect your business from cyberattack, download our free white paper, “Time to Upgrade to Zero Trust Network Access.”