Traditional network security takes a ‘perimeter approach’, where a network is secured at the boundary against all outside threats. This is often called a ‘castle-and-moat’ approach, as the network perimeter is secured in much the same way as a moat protects a castle. At the perimeter, users are verified and allowed access to the network, and threats are blocked.
The risks of castle-and-moat security
However, this approach is overly simplistic in today’s more collaborative and cloud-centric work culture, as it rests on the assumption that everything inside the network is safe. But what happens if a threat originates inside the network itself? What if someone already inside the castle is in a position to cause harm? And what if an attacker finds another way in, one that doesn’t involve crossing the perimeter?
Insider network threats may be the result of malicious intent, such as disgruntled employees (or former employees) with access to sensitive resources. However, they may also stem from simple carelessness: for instance, a distracted employee could mistakenly click on a dubious web link, thereby opening an access point for hackers. In some cases, a single “bad click” allows hackers to ultimately infiltrate the entire network by moving laterally through it. In fact, a recent investigation by Verizon found that roughly 1/3 of security incidents involve an internal actor.
Advanced Persistent Threats
Advanced persistent threats (APTs) are attacks where an unauthorized party infiltrates a network and remains undetected for a long period of time – during which they have ongoing access to valuable data. This type of attack highlights the need to tighten up security controls to ensure that users need to obtain authorization each time they attempt to access resources, rather than granting users perpetual access after performing a single successful authentication.
Distributed data and multiple access points
In today’s network ecosystem, data isn’t neatly stored in one place – it’s often spread across multiple devices with access to many networks, as well as numerous cloud storage locations. Workforce trends such as ‘BYOD’ (Bring Your Own Device) present additional challenges that make traditional perimeter security even harder to achieve.
The “Zero Trust” Security Framework
In contrast to the ‘perimeter approach’, a zero-trust approach to network security doesn’t rely on a single perimeter around the outside of the network. Instead, a zero-trust network is segmented into numerous small microsegments, each with a carefully guarded micro-perimeter. Every microsegment contains a carefully defined set of resources. No-one is given access to any microsegment without first going through a strict verification process, and that process only permits access to those specific resources for as long as they are required. Access to another microsegment requires a separate verification process. With these measures in place, even insider threats can be mitigated.
Multi-factor authentication (MFA) is one tool commonly used to implement zero trust security at the microperimeter level. It allows access to specific resources or applications through a secure multi-step verification process. For example, in addition to entering a password, users may be required to enter a code sent via SMS.
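The three ideas above (per-request authorization rather than a single login that grants perpetual access, verification scoped to one microsegment, and a second authentication factor) can be shown in a small policy engine. The following is an added example written for this page, not Ericom code or any product's implementation; the segment names, user record, password hashing scheme, 300-second grant lifetime, and the use of an RFC 6238 time-based one-time code (instead of the SMS code the text mentions) are all assumptions chosen for the illustration.

```python
"""Illustrative zero-trust microsegment policy engine (added example).
Assumptions: a microsegment is a named set of resources; a grant is
issued for exactly one segment after password + second factor, and
expires quickly; every access request is re-checked against the grant."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample microsegments, each with its own set of resources.
SEGMENTS = {
    "hr": {"payroll-db", "hr-portal"},
    "eng": {"git", "ci"},
}

# Constructed user store. The password hash uses a fixed salt for brevity
# (assumption; a real deployment would use a password KDF such as scrypt),
# and the TOTP secret stands in for the SMS code in the text.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"salt:correct horse").hexdigest(),
        "totp_secret": b"alice-shared-secret-demo",
        "segments": {"hr", "eng"},   # segments alice is entitled to request
    },
}

GRANT_TTL = 300  # seconds one verification stays valid for one segment (assumed)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then the
    RFC 4226 dynamic truncation to a fixed number of decimal digits."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass(frozen=True)
class Grant:
    user: str
    segment: str      # the ONE microsegment this grant covers
    expires_at: int   # unix time after which the grant is dead


def verify(user: str, password: str, otp: str, segment: str, now: int) -> Optional[Grant]:
    """Strict verification for a single microsegment: password, second
    factor, and entitlement to that segment. Returns a short-lived grant
    or None. Requesting a different segment later needs a new call."""
    rec = USERS.get(user)
    if rec is None:
        return None
    pw_ok = hmac.compare_digest(
        hashlib.sha256(b"salt:" + password.encode()).hexdigest(), rec["pw_hash"])
    # Accept the current and previous 30 s step to tolerate small clock skew.
    otp_ok = any(hmac.compare_digest(totp(rec["totp_secret"], now - d), otp)
                 for d in (0, 30))
    if not (pw_ok and otp_ok and segment in rec["segments"]):
        return None
    return Grant(user, segment, now + GRANT_TTL)


def authorize(grant: Optional[Grant], resource: str, now: int) -> bool:
    """Called on every request, not once per session: the grant must be
    unexpired and the resource must belong to the grant's own segment.
    A resource in another segment is denied here even for a valid grant."""
    if grant is None or now >= grant.expires_at:
        return False
    return resource in SEGMENTS.get(grant.segment, set())


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    code = totp(USERS["alice"]["totp_secret"], now)
    hr_grant = verify("alice", "correct horse", code, "hr", now)
    print("payroll-db:", authorize(hr_grant, "payroll-db", now + 10))   # True
    print("git via hr grant:", authorize(hr_grant, "git", now + 10))    # False
    print("after expiry:", authorize(hr_grant, "payroll-db", now + 301))  # False
```

The point of the shape is that a grant is the unit of trust: it names one segment, it dies on its own, and `authorize` never consults a session-wide "logged in" flag. Lateral movement from the `hr` segment into `eng` therefore requires the user to pass `verify` again for `eng`, which is exactly the separate verification per microsegment the text calls for.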
Remote Browser Isolation (RBI) is another essential tool for airgapping a zero-trust security framework against web-based threats. By trusting no website, link or attachment to be safe, RBI effectively takes a zero-trust approach to web browsing. When using RBI, all active browser code is treated as suspicious, and run outside of the organizational network in a disposable, virtual container. A seamless, interactive multimedia stream is provided to the user, allowing them to securely access whatever web-based resources they need to do their jobs while isolating them from any potential threats.
Click here for more thought leadership from Ericom on patching the browser-sized hole in most zero-trust security implementations