The Challenges Of Moving To Zero Trust

A recent survey from the UK Government has highlighted business concerns over cyber security once again, with 39% of UK businesses identifying a cyber attack in the last year alone. Of those UK businesses who identified an attack, one in five (21%) identified a more sophisticated attack than phishing alone.

Despite its lower prevalence than other attack types, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

The threat landscape means that many enterprises and SMEs are increasingly looking to adopt a Zero Trust approach - spurred by various international Government mandates. However, many enterprises have legacy technology running across their networks, often critical for business operations, and it is vital that any Zero Trust strategy consider how this will either be fully incorporated, or risks mitigated.
 
The Zero Trust Legacy Challenge
 
A common challenge while adopting Zero Trust is the existing enterprise legacy systems.  Legacy environments are highly likely to have originated with either very little security at all, or security that relied on a perimeter approach - neither of which is ideal territory for any organisation in 2022. All systems require regular maintenance in the form of software patches to close out newly identified vulnerabilities. It is a common expectation however that OS and application vendors will themselves reduce the frequency of, or entirely stop availability of patches for systems that they themselves no longer support. This can leave them more susceptible and open to attack. Furthermore, many cyber security vendors do not sufficiently support legacy operating systems, making it more challenging to incorporate them into the Zero Trust strategy.
 
Another challenge that comes with legacy environments is that it builds a huge resistance to change, with some systems even seen to be ring-fenced and out of scope for many standard security assessment practices. Instead, we often see reliance on broad network-level controls that add little in the way of risk reduction to modern attacks. Security leaders have the crucial role of educating security teams on the importance of modern security approaches and building a culture that reflects a security-first mindset, looking beyond the traditional.
 
Internal Expertise Is A Significant Barrier
 
Indeed, a recent survey from General Dynamics Information Technology found that a key challenge in any Zero Trust implementation is a lack of internal IT staff expertise, with 48% of US federal IT and program managers mentioning it as a problem. That same survey also highlighted another core challenge - legacy infrastructure is hard to replace. More than half (58%) say the biggest challenge to implementing Zero Trust is that existing legacy infrastructures must be rebuilt or replaced. But agencies are making investments in digital transformations with 92% seeing moving to cloud-based solutions as a top priority.
 
There are methods to manage the technical challenge of implementing Zero Trust in a legacy environment, and the first requires very little financial investment. The first step is simple enough in theory, but often more complicated in practice - being to conduct a full audit and a security risk assessment based on that audit. That same UK Government cybersecurity survey found that just over half of UK businesses (54%) have acted in the past 12 months to identify cyber security risks, a figure that should continue to rise in the future. 
 
Audits, Air-gapping & Micro-segmentation
 
The result of the audit and risk assessment should be a clear picture of the wider security state of the network, although it is highly likely in a legacy environment that some elements will be too expensive or complex to replace right away. A key challenge with this in place is to protect the highest risk and most exposed data as a priority. This might be achieved via a variety of techniques, including air-gapping, creating a physical or virtual network to isolate particularly at-risk systems, or implementing new firewall rules.

However, these techniques come with pitfalls that might cost businesses significantly. Firewalls and network level controls alone are insufficient.

They can only act on the data flows they see, typically at the perimeter or at the broader internal environment boundaries, but not between the hosts within a given boundary. They do little for protecting networks outside the office, such as the growth in home working environments spurred on by the pandemic. Here the answer for many has been to hastily roll-out more VPN capacity, often with little control for what is sent across once a user authenticates, or to which systems those individuals often find themselves able to access. This is considered with the knowledge that insider threats remain one of the largest risks for organisations.
 
An effective technique against modern day attacks is micro-segmentation. Most perimeter security solutions (IPS/IDS/Firewalls) focus predominantly on North-South traffic, to and from the Internet. Whereas around 80% of network traffic is East-West or machine-to-machine, which is largely invisible to security teams, with one analyst firm stating that on average only around 10% of internal data centre and cloud traffic is visually mapped.
 
Malware and unauthorised targeted activities already inside the network have been seen to move laterally and remain undetected for days and sometimes close to a year. Micro-segmentation is a technique that evolved from the need to secure data centres, applications, and workloads from advanced threats, where traditional approaches lack granularity or visibility of traffic flows at the network boundaries. Micro-segmentation prevents all non-explicitly authorised communications even between neighbouring hosts within the same network boundary. With workloads additionally now spread across multiple clouds, organisations need to adopt an approach that will help them manage and apply policies consistently across the full hybrid estate.
 
Zero Trust - A Journey Not A Destination

One of the most important points to recognise when moving to a Zero Trust approach is that it is a journey, not a single capability, nor deployed at a single moment in time. This is more so the case where pockets of legacy technologies are concerned. The inertia inherent in identifying, categorising and then migrating away from legacy software and hardware should not be underestimated - it will take time. Indeed, even analyst firm Forrester has estimated that many enterprises' Zero Trust journeys can take up to three years.

Building a strategy around this approach with partners that can demonstrate their understanding of this reality, whilst reaching key early milestone wins is key to longer-term success.

Legacy represents one of the biggest risks, and largest challenges to overcome. It is also one that the use of micro-segmentation as part of your Zero Trust journey represents an opportunity to mitigate, whilst you pick your battles as you phase it out for good.

Kevin Ware-Lane is Regional Manager UK&I at ColorTokens

You Might Also Read: 

Legacy Technology is Undermining How Business Responds To Ransomware:

 

« A Multi-layered Approach To Data Resilience
Are Compromised Passwords Putting Your Company At Risk? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Thales

Thales

Thales provides solutions, services and products that help its customers in the defence, aeronautics, space, transportation and digital identity and security markets to fulfil their critical missions.

LogonBox Software

LogonBox Software

LogonBox Software specialises in producing a cost-effective range of Network Security and Identity Management software solutions for all sizes of Enterprise.

TCN

TCN

TCN is an advanced System Integrator and Infrastructure Company in Albania.

Travelers

Travelers

Travelers is a leading writer of US commercial property casualty insurance and one of the world’s largest global insurers for cyber insurance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Ksmartech

Ksmartech

Ksmartech provide services related to security and authentication in all areas where the connection of people to objects, and objects and objects is necessary.

Naoris

Naoris

Naoris is the world’s first holistic blockchain-based cybersecurity ecosystem, bringing a game-changing solution to address 35 years of industry similar practice.

Blockchain Reactor

Blockchain Reactor

Blockchain Reactor is a blockchain consultancy and implementation company providing cutting-edge blockchain solutions for start-ups and enterprises.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

Certihash

Certihash

Certihash have developed the world’s first blockchain empowered suite of information security tools based on the NIST cybersecurity framework.

Gatefy

Gatefy

Getfy is a cybersecurity company specialized in artificial intelligence and machine learning. We work to solve challenging issues, especially those involving email security.

Mayer Brown

Mayer Brown

Mayer Brown is a global law firm. We have deep experience in high-stakes litigation and complex transactions across industry sectors including the global financial services industry.

Bitdefender

Bitdefender

Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide.

Bastion Networks

Bastion Networks

Bastion are a security-focussed managed solution provider and consultancy. We work with advanced cyber security vendors to produce managed security solutions to protect from online threats.

Awareness Software Limited (ASL)

Awareness Software Limited (ASL)

As Hosting Specialists, Awareness Software offer practical and affordable hosting solutions including backup and disaster recovery and a range of cybersecurity services.

Novem CS

Novem CS

Novem CS are bespoke cyber security specialists providing a highly effective and specialised approach to solving your cyber security challenges.