The Challenges Of Moving To Zero Trust

Uploaded on 2022-11-01 in TECHNOLOGY--Resilience, FREE TO VIEW

A recent survey from the UK Government has highlighted business concerns over cyber security once again, with 39% of UK businesses identifying a cyber attack in the last year alone. Of those UK businesses who identified an attack, one in five (21%) identified a more sophisticated attack than phishing alone.

Despite its lower prevalence than other attack types, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

The threat landscape means that many enterprises and SMEs are increasingly looking to adopt a Zero Trust approach - spurred by various international Government mandates. However, many enterprises have legacy technology running across their networks, often critical for business operations, and it is vital that any Zero Trust strategy consider how this will either be fully incorporated, or risks mitigated.
 
The Zero Trust Legacy Challenge
 
A common challenge while adopting Zero Trust is the existing enterprise legacy systems.  Legacy environments are highly likely to have originated with either very little security at all, or security that relied on a perimeter approach - neither of which is ideal territory for any organisation in 2022. All systems require regular maintenance in the form of software patches to close out newly identified vulnerabilities. It is a common expectation however that OS and application vendors will themselves reduce the frequency of, or entirely stop availability of patches for systems that they themselves no longer support. This can leave them more susceptible and open to attack. Furthermore, many cyber security vendors do not sufficiently support legacy operating systems, making it more challenging to incorporate them into the Zero Trust strategy.
 
Another challenge that comes with legacy environments is that it builds a huge resistance to change, with some systems even seen to be ring-fenced and out of scope for many standard security assessment practices. Instead, we often see reliance on broad network-level controls that add little in the way of risk reduction to modern attacks. Security leaders have the crucial role of educating security teams on the importance of modern security approaches and building a culture that reflects a security-first mindset, looking beyond the traditional.
 
Internal Expertise Is A Significant Barrier
 
Indeed, a recent survey from General Dynamics Information Technology found that a key challenge in any Zero Trust implementation is a lack of internal IT staff expertise, with 48% of US federal IT and program managers mentioning it as a problem. That same survey also highlighted another core challenge - legacy infrastructure is hard to replace. More than half (58%) say the biggest challenge to implementing Zero Trust is that existing legacy infrastructures must be rebuilt or replaced. But agencies are making investments in digital transformations with 92% seeing moving to cloud-based solutions as a top priority.
 
There are methods to manage the technical challenge of implementing Zero Trust in a legacy environment, and the first requires very little financial investment. The first step is simple enough in theory, but often more complicated in practice - being to conduct a full audit and a security risk assessment based on that audit. That same UK Government cybersecurity survey found that just over half of UK businesses (54%) have acted in the past 12 months to identify cyber security risks, a figure that should continue to rise in the future. 
 
Audits, Air-gapping & Micro-segmentation
 
The result of the audit and risk assessment should be a clear picture of the wider security state of the network, although it is highly likely in a legacy environment that some elements will be too expensive or complex to replace right away. A key challenge with this in place is to protect the highest risk and most exposed data as a priority. This might be achieved via a variety of techniques, including air-gapping, creating a physical or virtual network to isolate particularly at-risk systems, or implementing new firewall rules.

However, these techniques come with pitfalls that might cost businesses significantly. Firewalls and network level controls alone are insufficient.

They can only act on the data flows they see, typically at the perimeter or at the broader internal environment boundaries, but not between the hosts within a given boundary. They do little for protecting networks outside the office, such as the growth in home working environments spurred on by the pandemic. Here the answer for many has been to hastily roll-out more VPN capacity, often with little control for what is sent across once a user authenticates, or to which systems those individuals often find themselves able to access. This is considered with the knowledge that insider threats remain one of the largest risks for organisations.
 
An effective technique against modern day attacks is micro-segmentation. Most perimeter security solutions (IPS/IDS/Firewalls) focus predominantly on North-South traffic, to and from the Internet. Whereas around 80% of network traffic is East-West or machine-to-machine, which is largely invisible to security teams, with one analyst firm stating that on average only around 10% of internal data centre and cloud traffic is visually mapped.
 
Malware and unauthorised targeted activities already inside the network have been seen to move laterally and remain undetected for days and sometimes close to a year. Micro-segmentation is a technique that evolved from the need to secure data centres, applications, and workloads from advanced threats, where traditional approaches lack granularity or visibility of traffic flows at the network boundaries. Micro-segmentation prevents all non-explicitly authorised communications even between neighbouring hosts within the same network boundary. With workloads additionally now spread across multiple clouds, organisations need to adopt an approach that will help them manage and apply policies consistently across the full hybrid estate.
 
Zero Trust - A Journey Not A Destination

One of the most important points to recognise when moving to a Zero Trust approach is that it is a journey, not a single capability, nor deployed at a single moment in time. This is more so the case where pockets of legacy technologies are concerned. The inertia inherent in identifying, categorising and then migrating away from legacy software and hardware should not be underestimated - it will take time. Indeed, even analyst firm Forrester has estimated that many enterprises' Zero Trust journeys can take up to three years.

Building a strategy around this approach with partners that can demonstrate their understanding of this reality, whilst reaching key early milestone wins is key to longer-term success.

Legacy represents one of the biggest risks, and largest challenges to overcome. It is also one that the use of micro-segmentation as part of your Zero Trust journey represents an opportunity to mitigate, whilst you pick your battles as you phase it out for good.

Kevin Ware-Lane is Regional Manager UK&I at ColorTokens

You Might Also Read: 

Legacy Technology is Undermining How Business Responds To Ransomware:

 

« A Multi-layered Approach To Data Resilience
Are Compromised Passwords Putting Your Company At Risk? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

AtkinsRéalis

AtkinsRéalis

AtkinsRealis is a market-leading design, engineering and project management consultancy operating in fields ranging from infrastructure, through energy and transport to cybersecurity.

CloudEndure

CloudEndure

CloudEndure offers Disaster Recovery and Continuous Replication for the Cloud.

BruCERT

BruCERT

BruCERT is the referral agency for dealing with computer-related and internet-related security incidents in Brunei Darussalam.

IT Security Association Germany (TeleTrusT)

IT Security Association Germany (TeleTrusT)

TeleTrusT is an IT Security association and network for IT security comprising members from industry, administration, consultancy and research.

Cyjax

Cyjax

Cyjax monitors the Internet to identify the digital risks to your organisation, including cyber threats, reputational risks and the Darknet.

Cloud Managed Networks

Cloud Managed Networks

Cloud Managed Networks provides enterprise grade IT network solutions for cloud-based and on premise network security, Wi-Fi, data switching, collaboration, device management and more.

DataTribe

DataTribe

DataTribe is a cyber startup foundry, leveraging deep experience and expertise to build and launch successful product companies.

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp Fintech & Cybersecurity

Startupbootcamp is the world’s largest network of multi-corporate backed accelerators helping startups scale internationally.

ActiveNav

ActiveNav

ActiveNav provide dark data discovery solutions for compliance and information governance.

TransUnion

TransUnion

TransUnion is a global information and insights company that makes it possible for businesses and consumers to transact with confidence.

IMQ Group

IMQ Group

IMQ is one of Europe’s top players in the field of conformity assessment. We offer certification services to support all the major sectors of the manufacturing and service industries.

Solvere One

Solvere One

Solvere One is a managed service provider (MSP) focused on corporate consulting and partnership.

Blacksands

Blacksands

Blacksands is a leader in network architecture, identity & services management, threat analysis, industrial IoT architecture, and invisible dynamic networks.

Framework Security

Framework Security

With Framework Security, you get more than a consultancy; you get a partner dedicated to simplifying cybersecurity and protecting your business in the most efficient way possible.

Academia the Technology Group

Academia the Technology Group

Academia specialise in the supply of software, IT hardware, training and service solutions to the public sectors, business and pro media markets.

Soteria Cybersecurity

Soteria Cybersecurity

Soteria is your trusted Cybersecurity Partner in IT and OT.