The Challenges Of Moving To Zero Trust

A recent survey from the UK Government has highlighted business concerns over cyber security once again, with 39% of UK businesses identifying a cyber attack in the last year alone. Of those UK businesses who identified an attack, one in five (21%) identified a more sophisticated attack than phishing alone.

Despite its lower prevalence than other attack types, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

The threat landscape means that many enterprises and SMEs are increasingly looking to adopt a Zero Trust approach - spurred by various international Government mandates. However, many enterprises have legacy technology running across their networks, often critical for business operations, and it is vital that any Zero Trust strategy consider how this will either be fully incorporated, or risks mitigated.
 
The Zero Trust Legacy Challenge
 
A common challenge while adopting Zero Trust is the existing enterprise legacy systems.  Legacy environments are highly likely to have originated with either very little security at all, or security that relied on a perimeter approach - neither of which is ideal territory for any organisation in 2022. All systems require regular maintenance in the form of software patches to close out newly identified vulnerabilities. It is a common expectation however that OS and application vendors will themselves reduce the frequency of, or entirely stop availability of patches for systems that they themselves no longer support. This can leave them more susceptible and open to attack. Furthermore, many cyber security vendors do not sufficiently support legacy operating systems, making it more challenging to incorporate them into the Zero Trust strategy.
 
Another challenge that comes with legacy environments is that it builds a huge resistance to change, with some systems even seen to be ring-fenced and out of scope for many standard security assessment practices. Instead, we often see reliance on broad network-level controls that add little in the way of risk reduction to modern attacks. Security leaders have the crucial role of educating security teams on the importance of modern security approaches and building a culture that reflects a security-first mindset, looking beyond the traditional.
 
Internal Expertise Is A Significant Barrier
 
Indeed, a recent survey from General Dynamics Information Technology found that a key challenge in any Zero Trust implementation is a lack of internal IT staff expertise, with 48% of US federal IT and program managers mentioning it as a problem. That same survey also highlighted another core challenge - legacy infrastructure is hard to replace. More than half (58%) say the biggest challenge to implementing Zero Trust is that existing legacy infrastructures must be rebuilt or replaced. But agencies are making investments in digital transformations with 92% seeing moving to cloud-based solutions as a top priority.
 
There are methods to manage the technical challenge of implementing Zero Trust in a legacy environment, and the first requires very little financial investment. The first step is simple enough in theory, but often more complicated in practice - being to conduct a full audit and a security risk assessment based on that audit. That same UK Government cybersecurity survey found that just over half of UK businesses (54%) have acted in the past 12 months to identify cyber security risks, a figure that should continue to rise in the future. 
 
Audits, Air-gapping & Micro-segmentation
 
The result of the audit and risk assessment should be a clear picture of the wider security state of the network, although it is highly likely in a legacy environment that some elements will be too expensive or complex to replace right away. A key challenge with this in place is to protect the highest risk and most exposed data as a priority. This might be achieved via a variety of techniques, including air-gapping, creating a physical or virtual network to isolate particularly at-risk systems, or implementing new firewall rules.

However, these techniques come with pitfalls that might cost businesses significantly. Firewalls and network level controls alone are insufficient.

They can only act on the data flows they see, typically at the perimeter or at the broader internal environment boundaries, but not between the hosts within a given boundary. They do little for protecting networks outside the office, such as the growth in home working environments spurred on by the pandemic. Here the answer for many has been to hastily roll-out more VPN capacity, often with little control for what is sent across once a user authenticates, or to which systems those individuals often find themselves able to access. This is considered with the knowledge that insider threats remain one of the largest risks for organisations.
 
An effective technique against modern day attacks is micro-segmentation. Most perimeter security solutions (IPS/IDS/Firewalls) focus predominantly on North-South traffic, to and from the Internet. Whereas around 80% of network traffic is East-West or machine-to-machine, which is largely invisible to security teams, with one analyst firm stating that on average only around 10% of internal data centre and cloud traffic is visually mapped.
 
Malware and unauthorised targeted activities already inside the network have been seen to move laterally and remain undetected for days and sometimes close to a year. Micro-segmentation is a technique that evolved from the need to secure data centres, applications, and workloads from advanced threats, where traditional approaches lack granularity or visibility of traffic flows at the network boundaries. Micro-segmentation prevents all non-explicitly authorised communications even between neighbouring hosts within the same network boundary. With workloads additionally now spread across multiple clouds, organisations need to adopt an approach that will help them manage and apply policies consistently across the full hybrid estate.
 
Zero Trust - A Journey Not A Destination

One of the most important points to recognise when moving to a Zero Trust approach is that it is a journey, not a single capability, nor deployed at a single moment in time. This is more so the case where pockets of legacy technologies are concerned. The inertia inherent in identifying, categorising and then migrating away from legacy software and hardware should not be underestimated - it will take time. Indeed, even analyst firm Forrester has estimated that many enterprises' Zero Trust journeys can take up to three years.

Building a strategy around this approach with partners that can demonstrate their understanding of this reality, whilst reaching key early milestone wins is key to longer-term success.

Legacy represents one of the biggest risks, and largest challenges to overcome. It is also one that the use of micro-segmentation as part of your Zero Trust journey represents an opportunity to mitigate, whilst you pick your battles as you phase it out for good.

Kevin Ware-Lane is Regional Manager UK&I at ColorTokens

You Might Also Read: 

Legacy Technology is Undermining How Business Responds To Ransomware:

 

« A Multi-layered Approach To Data Resilience
Are Compromised Passwords Putting Your Company At Risk? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

SABSACourses

SABSACourses

SABSA is a development process used for solving complex problems such as IT Operations, Risk Management, Compliance & Audit functions.

Center for a New American Security (CNAS)

Center for a New American Security (CNAS)

CNAS is the nation's leading research institution focused on defense and national security policy. Cyber security issues are an intrinsic element of the national security debate.

CLUSIL

CLUSIL

CLUSIL is an association for the information security industry in Luxembourg.

CANVAS Consortium

CANVAS Consortium

The CANVAS Consortium aims to unify technology developers with legal and ethical scholar and social scientists to approach the challenges of cybersecurity.

X-act Forensics

X-act Forensics

X-act forensics are computer forensic experts with experience in cases of computer fraud, intellectual property theft, and social networking cases.

IDnext

IDnext

IDnext is the open and independent platform to support innovative approaches in the world of the Digital identity.

National Cyber Summit (NCS)

National Cyber Summit (NCS)

The National Cyber Summit is the preeminent event for cyber training, education and workforce development aimed at protecting our nation's infrastructure from the ever-evolving cyber threat.

ECOS Technology

ECOS Technology

ECOS Technology specializes in the development and sale of IT solutions for high-security remote access as well as the management of certificates and smart cards.

ExpressVPN

ExpressVPN

ExpressVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

US Cyber Range

US Cyber Range

US Cyber Range is a scalable, cloud-hosted infrastructure providing students with virtual environments for realistic, hands-on cybersecurity labs and exercises.

Risk Strategies

Risk Strategies

Risk Strategies is a leading specialty risk management consultancy and insurance broker offering smarter, practical approaches to risk mitigation including Cyber Liability insurance.

North East Business Resilience Centre (NEBRC)

North East Business Resilience Centre (NEBRC)

The North East Business Resilience Centre is a non-profit organisation here to support businesses in the North East of England in protecting themselves from cyber crimes and fraud.

Cyber1

Cyber1

CYBER1 is a leader in cyber security advisory and solutions. We are uniquely placed to help customers achieve cyber resilience and thus, safeguard reputation and value.

CyAmast

CyAmast

CyAmast is an IoT Network security and analytics company that is changing the way enterprise and governments detect and protect networks from the pervasive threat of cyber attacks.

SOC-E

SOC-E

SOC-E is a leading technology provider for high-availability and deterministic networking, sub-microsecond synchronization and cybersecurity solutions for critical sectors.

Command Zero

Command Zero

Command Zero is the industry’s first autonomous and AI-assisted cyber investigations platform, built to transform security operations in complex enterprise environments.