Data breaches have become incessant. Recently, a very popular airline sevices company revealed a suspected breach involving customer credit card information. Even more recently, a hospital in Indiana reported that a virus had infected some of its systems that caused the hospital to be placed on diversion. A disaster recovery software company also admitted that a breach of its marketing databases occurred. If that isn't enough, an online electronics retailer company and ticket sales and distribution company have been in the news for similar reasons, and I am sure it's just a matter of time for another breach to hit a major company.
It is clear that the cyber threat landscape is changing. For one, malware today has become very sophisticated and is able to propagate itself at network speeds without involving humans. Also, attackers are improving their evasion techniques. They have figured out ways to evade sandboxes and other security tools used to protect digital assets. Additional firewalls and advanced intrusion-prevention systems may reduce the number of attacks, but some of the sophisticated attackers eventually will find a way in. We must recognize that the current approach to protecting digital assets is no longer tenable. First, traditional security models make assumptions that are detrimental. They assume that every user and device within an established perimeter can be trusted. Also, they don't provide the needed visibility into internal traffic, are not strong enough to protect against threats like ransomware, and are not flexible in securing mobile devices.
With companies increasingly adopting cloud models (via SaaS or IaaS) for application workflows, does it make sense to stick to a traditional security model where a perimeter is established at the network layer? Do we continue to assume we can create safe areas in our network? Where does the network start and end? Should we continue to assume that employees and their devices can be trusted?
An alternate security model, aptly termed zero trust, advocates an identity and application-centric approach to security. We need to assume (or accept) that the network is filled with attackers and compromised devices. Knowing that, we can't continue to build our networks based on the classic moat and castle model. Rather, we should focus our efforts on building perimeters around only the applications. Zero trust posits that users are untrusted and should be assigned the least amount of privilege when accessing applications.
There are examples of this approach in today's world. The cash vault is ultra-secured at a bank and isn't accessed by all employees in the bank. Access is based on a combination of factors (retina scans, code inputs, etc). At airports today, no one without a boarding pass or airport badge is allowed near a plane, and there are checks in place to ensure only authorized individuals are allowed on-board. The reason is obvious. The planes need protection. Gone are the days when it was assumed that once you are inside the airport, you were assumed to have genuine motives for being there. Also, in some buildings today, you may have noticed a difference in how the elevator systems are implemented. After getting checked in by human on the ground floor, you are given a badge that allows you to pass through a checkpoint before getting access to the elevator system. The ground floor is the only place you select the floor you wish to go and once you are in the elevator, the only floor you can access is the ground floor. Full time employees may be able to get into their offices but need additional permissions for their badges to access certain areas inside the office.
In adopting an application-centric approach, any safe zones contain only applications. You create individual micro-segments around only the applications, which ensures certain mission-critical applications are isolated from all others and hinders attackers lateral movement across them. You also reduce cost of compliance initiatives by focusing them on relevant applications. You can implement more focused policies around each application without interference from the others and when implemented with an Identity-aware proxy, You get visibility into what applications are being accessed by users and are also able to implement service insertion and improve application performance.