Posted on January 13, 2021
Cybersecurity Ventures – publisher of Cybercrime Magazine and a leading source of cybersecurity facts and figures – estimates that cybercrime will cost the world economy over $6 TRILLION in 2021. That’s “trillion” with a “t,” not billion. A truly astonishing amount of money, equal to nearly a third of the US GDP. On a more “micro” level, consulting firm Accenture’s ninth annual survey on the cost of cybercrime found that cybercrime cost enterprise-scale companies an average of $13 million per company in 2018; and for some individual companies, the cost was much, much higher.
Old ways of securing corporate data are clearly inadequate. Traditional security uses a “castle with a moat” philosophy – very strong perimeter defenses, but once a user is let into the castle, they have relatively easy – if not entirely free — access to wherever they want to go. That model can be disastrous, since once a hacker manages to breach the defenses, they are like the proverbial kids in the candy store, able to access all the “goodies.” And the risk is not limited to hackers: A “castle with a moat” approach offers no protection at all against “trusted insiders.”
The corporate world has rapidly been adopting a “Zero Trust” approach to network security, one in which every packet on the network is viewed with suspicion. Since microsegmentation (segregating network assets down to a very fine level) is a key enabling technology for Zero Trust, we’ll take a detailed look at the role microsegmentation plays in Zero Trust security.
Let’s start with some background on Zero Trust.
Zero Trust security is NOT any specific technology, tool, or piece of software. Zero Trust is a philosophy of network security. In contrast to the old approach, under which a user was trusted once they were granted access to the network, the Zero Trust approach is “never trust, always verify.” And that extends beyond just verifying a user. It’s also “never trust” when an authenticated user wants to access a given resource – “always verify” applies to each user-resource combination, with a user granted access only if the request meets the required criteria.
When it comes to browsing the web, Zero Trust rejects the idea of “whitelisted” websites: All websites must be viewed with suspicion as potential sources of malware.
For more information on Zero Trust and the evolution of the concept, see our article, “Ten Years of Zero Trust – From Least Privilege Access to Microsegmentation and Beyond.”
Many different technologies and security policies can contribute to a Zero Trust defense. These are a few of the most common:
Network segmentation is not a new concept – it’s an evolution of an idea that’s been around for a long time. In the past, network segmentation was hardware defined, and took the approach of providing stronger and better (and more expensive) security for the network segments hosting critical applications and the most sensitive data, and utilizing looser controls for less sensitive applications and data.
Perimeter defenses are concerned with what network administrators call “north-south” traffic, traffic coming into the network from the outside. While new security approaches certainly require stronger authentication for north-south traffic than previous solutions, microsegmentation is more frequently applied to reducing the attack surface by controlling “east-west” traffic – that is, lateral movement within the network.
Microsegmentation is generally identity-based and software defined, and thus enables much greater granularity than is possible with a traditional hardware-based approach.
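The north-south versus east-west distinction above is easiest to see on real flow records. The following Python script is an added example, not code from the article or from any product it mentions: it classifies each flow by whether both endpoints are inside the private address space, and then checks internal (east-west) flows against a deny-by-default allowlist of approved segment-to-segment dependencies. The address plan, segment names, allowlist entries and the flow log lines are all constructed for the example.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed address plan (assumption for the example): RFC 1918 space is "inside",
# and four named segments are carved out of it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEGMENTS = {
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "hr-workstations": ipaddress.ip_network("10.10.0.0/24"),
}

# East-west allowlist: (source segment, destination segment, destination port).
# Anything not listed is denied, which is the microsegmentation default.
EAST_WEST_ALLOW = {
    ("web", "app", 8443),
    ("app", "db", 5432),
}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an internal address belongs to, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def direction(src: str, dst: str) -> str:
    """north-south if either endpoint is outside, east-west if both are inside."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


def evaluate_flow(src: str, dst: str, port: int) -> Tuple[str, str, str]:
    """Return (direction, verdict, reason). Perimeter flows are left to the
    perimeter controls; internal flows must match the allowlist exactly."""
    d = direction(src, dst)
    if d == "north-south":
        return d, "perimeter", "handled by perimeter authentication, not by segmentation"
    s, t = segment_of(src), segment_of(dst)
    if s is None or t is None:
        return d, "deny", f"unassigned endpoint (src={s}, dst={t})"
    if (s, t, port) in EAST_WEST_ALLOW:
        return d, "allow", f"{s} -> {t}:{port} is an approved dependency"
    return d, "deny", f"{s} -> {t}:{port} is not an approved dependency"


# Constructed flow records, one per line: "src dst dport".
SAMPLE_FLOWS = """\
203.0.113.8 10.1.0.5 443
10.1.0.5 10.2.0.7 8443
10.2.0.7 10.3.0.9 5432
10.10.0.4 10.3.0.9 5432
10.1.0.5 10.3.0.9 5432
"""


def audit(flow_text: str) -> list:
    """Parse flow lines and report how segmentation would treat each one."""
    results = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        d, verdict, reason = evaluate_flow(src, dst, int(port))
        results.append({"src": src, "dst": dst, "port": int(port),
                        "direction": d, "verdict": verdict, "reason": reason})
    return results


def blocked_lateral_moves(flow_text: str) -> list:
    """Only the east-west flows that the allowlist rejects, i.e. lateral movement that is stopped."""
    return [(r["src"], r["dst"], r["port"]) for r in audit(flow_text) if r["verdict"] == "deny"]


if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        print(f'{r["src"]:>14} -> {r["dst"]:<10}:{r["port"]:<5} '
              f'{r["direction"]:<11} {r["verdict"]:<9} {r["reason"]}')
```

Run as a script it prints one line per flow. The two denied flows are the interesting ones: an HR workstation reaching for the database tier, and the web tier talking to the database directly instead of through the application tier. Neither crosses the perimeter, so perimeter controls never see them; only an east-west policy does.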
The principle of “least privilege access” is the heart of microsegmentation. With least privilege access, each individual user is granted access to only the specific apps and data that user needs in order to accomplish the tasks required for their job. That way, the damage that can be done by an unscrupulous (or easily duped) insider, a compromised device, or a hacker who breaks in using stolen credentials is limited to the apps and data that particular user was permitted to access.
There are many different ways to implement least privilege access. The most common scheme – albeit one that is not truly least privilege – is “Role Based Access Control” (RBAC). With RBAC, security policies defining the applications and data a user can access are determined by the user’s role within the organization. For instance, engineers will typically have access to very different resources than HR personnel – but every engineer at the same grade level or with the same title will have access to the same resources, regardless of whether or not every one of them needs all those resources.
Because even RBAC grants excessive access permissions, the ideal is to define access permissions not by a role, but by what each particular individual needs to do their job.
With microsegmentation, access can be controlled down to the individual user, application, and workload level.
There are many additional ways microsegmentation can further limit access to enhance security. In addition to restricting access to resources based on who the user is, security controls can be context sensitive, restricted by criteria including user location, endpoint device, or time of day.
Most enterprises operate in a complex IT environment. The coronavirus pandemic has sharply accelerated a previously slow-building trend toward working from home. The steady migration toward cloud computing was also sped up as a result of widespread office closures, resulting in most companies now operating in a hybrid cloud or multi-cloud environment. During this period of digital transformation, it’s crucial microsegmentation implementations cover all of an organization’s users – wherever they are, in the office, at home, or away – and all of the organization’s resources, whether hosted in a data center or in the cloud.
RBAC is the most common way to implement least-privilege access, primarily because determining each user’s precise access requirements is an onerous task, especially in large-scale corporate environments. But there is no question that implementing least-privilege access at the individual user level is far more secure. ZTEdge Remote Application Access uses a machine-learning based approach to enable organizations with many tens of thousands of users to create policies at the individual user level automatically, providing the greatest level of security without adding excessive administrative burden. It bars users from accessing apps and data they aren’t authorized to use, and prevents them from even seeing which other apps and data are present on the network.
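The RBAC-versus-individual comparison, the context-sensitive controls (location, endpoint device, time of day), and the idea that unauthorized apps should not even be visible can all be shown in one small policy evaluator. The Python below is an added example written for this article; it is not ZTEdge code and does not describe how any product makes its decisions. The users, roles, resources, per-resource conditions and the decision order (identity entitlement first, then context) are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed directory data (assumption for the example).
USER_ROLE = {"alice": "engineer", "bob": "engineer", "carol": "hr"}

# RBAC: everything a role grants, whether or not every holder of the role needs it.
ROLE_GRANTS = {
    "engineer": {"git", "ci", "jira", "prod-db-console"},
    "hr": {"hris", "payroll"},
}

# Per-user least privilege: only what this individual's job actually requires.
USER_GRANTS = {
    "alice": {"git", "ci", "jira"},                    # never touches production data
    "bob": {"git", "ci", "jira", "prod-db-console"},   # on-call database duties
    "carol": {"hris"},                                 # no payroll duties
}


@dataclass(frozen=True)
class ResourcePolicy:
    locations: frozenset                   # where the resource may be reached from
    managed_device: bool                   # True = only from a company-managed endpoint
    window: Optional[Tuple[time, time]]    # (start, end) same-day window; None = any time


# Constructed context rules per resource (assumption): sensitive consoles are office-only,
# managed-device-only, and business-hours-only.
RESOURCE_POLICY = {
    "git": ResourcePolicy(frozenset({"office", "home", "travel"}), True, None),
    "ci": ResourcePolicy(frozenset({"office", "home", "travel"}), True, None),
    "jira": ResourcePolicy(frozenset({"office", "home", "travel"}), False, None),
    "prod-db-console": ResourcePolicy(frozenset({"office"}), True, (time(8, 0), time(18, 0))),
    "hris": ResourcePolicy(frozenset({"office", "home"}), True, None),
    "payroll": ResourcePolicy(frozenset({"office"}), True, (time(8, 0), time(18, 0))),
}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    location: str
    managed_device: bool
    at: time


def excess_grants(user: str) -> set:
    """Resources RBAC hands this user that their individual entitlement does not."""
    return ROLE_GRANTS[USER_ROLE[user]] - USER_GRANTS.get(user, set())


def identity_allows(user: str, resource: str, mode: str) -> bool:
    """mode="role" evaluates the RBAC table; mode="user" evaluates per-user entitlements."""
    if mode == "role":
        return resource in ROLE_GRANTS.get(USER_ROLE.get(user, ""), set())
    return resource in USER_GRANTS.get(user, set())


def context_allows(req: Request) -> Tuple[bool, str]:
    """Check location, device posture and time of day against the resource's conditions."""
    pol = RESOURCE_POLICY.get(req.resource)
    if pol is None:
        return False, "unknown resource"
    if req.location not in pol.locations:
        return False, f"location {req.location!r} not permitted"
    if pol.managed_device and not req.managed_device:
        return False, "managed device required"
    if pol.window and not (pol.window[0] <= req.at <= pol.window[1]):
        return False, "outside permitted hours"
    return True, "context ok"


def decide(req: Request, mode: str = "user") -> Tuple[bool, str]:
    """Verify every user-resource request: identity entitlement first, then context."""
    if not identity_allows(req.user, req.resource, mode):
        return False, f"{req.user} is not entitled to {req.resource} ({mode} policy)"
    return context_allows(req)


def visible_apps(user: str) -> list:
    """What the portal lists: only entitled apps, so the rest are not even discoverable."""
    return sorted(USER_GRANTS.get(user, set()))


if __name__ == "__main__":
    r = Request("alice", "prod-db-console", "office", True, time(10, 0))
    print("alice, RBAC policy :", decide(r, mode="role"))
    print("alice, user policy :", decide(r, mode="user"))
    print("bob from home      :", decide(Request("bob", "prod-db-console", "home", True, time(10, 0))))
    print("bob at 20:00       :", decide(Request("bob", "prod-db-console", "office", True, time(20, 0))))
    print("alice sees         :", visible_apps("alice"))
```

The same request from alice for the production database console is allowed under the role table and denied under her individual entitlement; `excess_grants("alice")` is exactly the permission the article calls excessive. Even an entitled user (bob) is then refused from home, from an unmanaged laptop, or outside the configured hours, and the portal listing for each user never includes apps they cannot reach.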
In many ways, microsegmentation is more about “damage control” than about preventing all attacks. With microsegmentation, attack surfaces are reduced to a minimum, and unauthorized lateral movement within the data center or to other resources is prevented.
Even enterprises that are extremely security conscious and carefully follow cybersecurity best practices may find themselves the victims of cybercrime. With microsegmentation the damage an attacker can do with stolen credentials or some other form of unauthorized access is minimized.
Software-defined microsegmentation can secure IT resources regardless of whether they are on an internal network, or in a hybrid cloud or multi-cloud environment.
As the world grows to be increasingly dependent on the billions of interconnected devices that are at the heart of modern civilization, and which control the infrastructure upon which modern life depends, cybersecurity has become more critical than ever. With the cost of cybercrime reaching trillions of dollars per year, old cybersecurity paradigms based on strong perimeter defenses around a company’s network have clearly been proven inadequate to the security challenges of the 21st century, especially as more companies switch to a hybrid cloud or multi-cloud approach.
It’s essential to adopt a “Zero Trust” approach to network security, and microsegmentation is a key component in implementing Zero Trust security. Microsegmentation may not be able to prevent all cyberattacks, but it can vastly limit the damage from any attacks that initially succeed. To learn more about how microsegmenting access can protect your business from cyberattack, download our free white paper, “Time to Upgrade to Zero Trust Network Access.”