The Challenges Of Moving To Zero Trust

A recent survey from the UK Government has highlighted business concerns over cyber security once again, with 39% of UK businesses identifying a cyber attack in the last year alone. Of those UK businesses who identified an attack, one in five (21%) identified a more sophisticated attack than phishing alone.

Despite its lower prevalence than other attack types, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

The threat landscape means that many enterprises and SMEs are increasingly looking to adopt a Zero Trust approach - spurred by various international Government mandates. However, many enterprises have legacy technology running across their networks, often critical for business operations, and it is vital that any Zero Trust strategy consider how this will either be fully incorporated, or risks mitigated.
 
The Zero Trust Legacy Challenge
 
A common challenge while adopting Zero Trust is the existing enterprise legacy systems.  Legacy environments are highly likely to have originated with either very little security at all, or security that relied on a perimeter approach - neither of which is ideal territory for any organisation in 2022. All systems require regular maintenance in the form of software patches to close out newly identified vulnerabilities. It is a common expectation however that OS and application vendors will themselves reduce the frequency of, or entirely stop availability of patches for systems that they themselves no longer support. This can leave them more susceptible and open to attack. Furthermore, many cyber security vendors do not sufficiently support legacy operating systems, making it more challenging to incorporate them into the Zero Trust strategy.
 
Another challenge that comes with legacy environments is that it builds a huge resistance to change, with some systems even seen to be ring-fenced and out of scope for many standard security assessment practices. Instead, we often see reliance on broad network-level controls that add little in the way of risk reduction to modern attacks. Security leaders have the crucial role of educating security teams on the importance of modern security approaches and building a culture that reflects a security-first mindset, looking beyond the traditional.
 
Internal Expertise Is A Significant Barrier
 
Indeed, a recent survey from General Dynamics Information Technology found that a key challenge in any Zero Trust implementation is a lack of internal IT staff expertise, with 48% of US federal IT and program managers mentioning it as a problem. That same survey also highlighted another core challenge - legacy infrastructure is hard to replace. More than half (58%) say the biggest challenge to implementing Zero Trust is that existing legacy infrastructures must be rebuilt or replaced. But agencies are making investments in digital transformations with 92% seeing moving to cloud-based solutions as a top priority.
 
There are methods to manage the technical challenge of implementing Zero Trust in a legacy environment, and the first requires very little financial investment. The first step is simple enough in theory, but often more complicated in practice - being to conduct a full audit and a security risk assessment based on that audit. That same UK Government cybersecurity survey found that just over half of UK businesses (54%) have acted in the past 12 months to identify cyber security risks, a figure that should continue to rise in the future. 
 
Audits, Air-gapping & Micro-segmentation
 
The result of the audit and risk assessment should be a clear picture of the wider security state of the network, although it is highly likely in a legacy environment that some elements will be too expensive or complex to replace right away. A key challenge with this in place is to protect the highest risk and most exposed data as a priority. This might be achieved via a variety of techniques, including air-gapping, creating a physical or virtual network to isolate particularly at-risk systems, or implementing new firewall rules.

However, these techniques come with pitfalls that might cost businesses significantly. Firewalls and network level controls alone are insufficient.

They can only act on the data flows they see, typically at the perimeter or at the broader internal environment boundaries, but not between the hosts within a given boundary. They do little for protecting networks outside the office, such as the growth in home working environments spurred on by the pandemic. Here the answer for many has been to hastily roll-out more VPN capacity, often with little control for what is sent across once a user authenticates, or to which systems those individuals often find themselves able to access. This is considered with the knowledge that insider threats remain one of the largest risks for organisations.
 
An effective technique against modern day attacks is micro-segmentation. Most perimeter security solutions (IPS/IDS/Firewalls) focus predominantly on North-South traffic, to and from the Internet. Whereas around 80% of network traffic is East-West or machine-to-machine, which is largely invisible to security teams, with one analyst firm stating that on average only around 10% of internal data centre and cloud traffic is visually mapped.
 
Malware and unauthorised targeted activities already inside the network have been seen to move laterally and remain undetected for days and sometimes close to a year. Micro-segmentation is a technique that evolved from the need to secure data centres, applications, and workloads from advanced threats, where traditional approaches lack granularity or visibility of traffic flows at the network boundaries. Micro-segmentation prevents all non-explicitly authorised communications even between neighbouring hosts within the same network boundary. With workloads additionally now spread across multiple clouds, organisations need to adopt an approach that will help them manage and apply policies consistently across the full hybrid estate.
 
Zero Trust - A Journey Not A Destination

One of the most important points to recognise when moving to a Zero Trust approach is that it is a journey, not a single capability, nor deployed at a single moment in time. This is more so the case where pockets of legacy technologies are concerned. The inertia inherent in identifying, categorising and then migrating away from legacy software and hardware should not be underestimated - it will take time. Indeed, even analyst firm Forrester has estimated that many enterprises' Zero Trust journeys can take up to three years.

Building a strategy around this approach with partners that can demonstrate their understanding of this reality, whilst reaching key early milestone wins is key to longer-term success.

Legacy represents one of the biggest risks, and largest challenges to overcome. It is also one that the use of micro-segmentation as part of your Zero Trust journey represents an opportunity to mitigate, whilst you pick your battles as you phase it out for good.

Kevin Ware-Lane is Regional Manager UK&I at ColorTokens

You Might Also Read: 

Legacy Technology is Undermining How Business Responds To Ransomware:

 

« A Multi-layered Approach To Data Resilience
Are Compromised Passwords Putting Your Company At Risk? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Synology

Synology

Synology provides high-performance, reliable, and secure Network Attached Storage (NAS) products.

AVR International

AVR International

AVR educate, advise, analyse and provide professional, technical consultancy and support to ensure your business is safe, compliant and protected.

AdNovum Informatik

AdNovum Informatik

AdNovum Informatik provides a full set of IT services, ranging from consulting, the conception and implementation of customized business and security solutions to maintenance and support.

Repository of Industrial Security Incidents (RISI)

Repository of Industrial Security Incidents (RISI)

RISI is a database of cyber security incidents that have (or could have) affected process control, industrial automation or SCADA systems.

Sikur

Sikur

Sikur have developed a communication platform that sets new boundaries for corporate privacy and security.

CYSEC Academy

CYSEC Academy

CYSEC Academy offer cyber certifications, cyber assurance and cyber defense training, hands-on learning training modules, public, private and bespoke training courses.

Intrepid Solutions and Services

Intrepid Solutions and Services

Intrepid Solutions and Services provides technology solutions and professional services to key components of the intelligence and national security communities.

IMQ Group

IMQ Group

IMQ is one of Europe’s top players in the field of conformity assessment. We offer certification services to support all the major sectors of the manufacturing and service industries.

Cybaverse

Cybaverse

Cybaverse (formerly North Star Cyber Security) was founded to create the perfect blend of a Managed Security Service Provider (MSSP) and a Cyber Security Consultancy in one.

Xceptional

Xceptional

Xceptional is a multi-award-winning technology services firm that celebrates the unique strengths of people with autism.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

Vali Cyber

Vali Cyber

Vali Cyber was founded in 2020 with the mission of addressing the specific cybersecurity needs of Linux.

Chainguard

Chainguard

Founded by the industry's leading experts on open source software, security and cloud native development, Chainguard are on a mission to make the software supply chain secure by default.

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".

Infisign

Infisign

Infisign addresses the challenges of traditional IAM systems and offers a comprehensive solution for modern identity management.

Xact IT Solutions

Xact IT Solutions

Xact IT Solutions are a certified cybersecurity firm offering cybersecurity, compliance and managed services.