Managing the Zero Trust Edge

Author
John Cavanaugh
Vice President, Chief Technology Officer

The Zero Trust Edge (ZTE) model is a concept described by David Holmes and Andre Kindness from Forrester in their paper “Introducing The Zero Trust Edge Model For Security And Network Services” published by Forrester in January 2021.

This paper builds on Forrester’s earlier work defining a Zero Trust Architecture. While this is the latest and most secure concept in the industry today, it faces an uphill battle in many enterprises because their organizational structures limit their ability to execute on new and innovative strategies.

So, what is ZTE?

All enterprises are subject to regulatory and privacy oversight.  However, there are specific industries such as utilities who are subject to U.S. Executive Orders regarding critical infrastructure. One only needs to go as far as the recent headlines regarding Colonial Pipeline to see the impact of poor security and the value a Zero Trust approach would have made.

The Zero Trust security model merges networking and security for a holistic approach that assumes assets, users and resources need protection from each other – not just from the outside.  It is set of cybersecurity paradigms that move defenses from static, network-based perimeters to a focus on protecting data.

Forrester sees this concept embodied for implementation as the Zero Trust Edge  and defines it as:

A Zero Trust Edge solution securely connects and transports traffic, using Zero Trust access principles, in and out of remote sites leveraging mostly cloud-based security and networking services.

This basically means that Zero Trust is a data-centric approach to security.  This involves identifying the data assets that need protection and creating a data classification policy.  With this information a least privileged access methodology can be created.

So, at a technical level we need a single source of user identity (with MFA), device authentication, authorization policies for access to an application and access controls within that application.  Moreover, we need to develop context.  This is about having insights into device health, policy compliance, location, and both user and device behavior.

What are the Issues?

The ZTE paper itself starts with the bold claim that CxO’s need to:

Merge Security and Networking, or Sunset Your Business

Why is merging Networking and Security hard? Information Technology teams in many large enterprises are siloed between network, security, server, desktop, mobile and user teams. Levels of skills, outsourcing and division of labor among these teams also varies from organization to organization.

ZTE requires these silos to operate as a system to achieve the desired security outcome.  Without appropriate organizational flow and/or orchestration this will not be easy.

Managed Security Service Provider 3.0 (MSSP 3.0):

Current IT and security organizations are broken into functional silo’s (example):

  • Networking teams cover firewall and other externally facing systems
  • IT security teams are often restricted to policy and IR
  • User and support services teams cover IPAM, directory services and desktop support
  • Data center teams which handle hosting and server administration
  • Application development – which often handles initial cloud and SaaS deployments

This creates an interorganizational issue, where engineers, technicians, administrators, and management must work together, but many enterprises struggle to orchestrate this workflow appropriately.

A new breed of Managed Security Service Providers – MSSP 3.0 – is emerging to help executives with the transformation needed.  This involves outsourcing the execution of corporate policy to an integrated team.  An MSSP 3.0 vendor can provide an integrated offering that crosses the IT organizational boundaries that enterprises struggle to unravel.

What constitutes a 3.0 MSSP?  It needs to provide an integrated offering that at minimum covers the network (Campus and DC), cloud and security teams.  It must also be tightly integrated to the helpdesk, user and support services teams. This means integrated ticketing systems and the use of advanced APIs to create a holistic response.

By contrast consider the example of a large enterprise we have worked with that experienced an attack by concerted and well-organized adversary:

The attackers used a holistic technological approach that involved DDoS, phishing, social networking and TDoS (telephony denial of service).

Their approach was to probe the organization to discover their PCI policies (at what level were transactions approved when vendors could not use network or telephony services for transaction verification/approval).  Once they had established this data point – they locked up the online systems with DDoS and call center security phones with TDoS and went after them with fraud attacks that cost the client millions.

The client did not have any defenses against such a coordinated attack strategy.  In the post-mortem analysis it was discovered the attacker was a criminal service contracted by the team executing the fraud.  Classic organizational structures are not capable of dealing with this kind of industrial scale criminal enterprise.

A MSSP 3.0 organization would look at the whole picture and bring together all the operational services needed for a response.  Any such organization would have created a coordinated response, but it would also have a seat on the client’s IT governance board to ensure the technological systems needed stayed current.

Potential Value to a Business:

Enterprises have in many cases codified IT organizational structures based on older technological paradigms.  Once established such bureaucracies tend to be self-sustaining and in some larger organizations management incentive pay is based on items such as the size of the organization.  This limits the flexibility these organizations have and, in some cases, will even make them highly resistant to change.

The result is that enterprises struggle to respond to the challenges that a Zero Trust Architecture and Edge strategy address.  This makes them highly vulnerable to ransomware and fraud.

Apart from IT and security firms themselves, enterprises do not exist to build large IT and cybersecurity teams.  At this level of industry disruption, it may be time to reconsider the concept of outsourcing.

Moving to outsource the operational management and execution of security policy to this new generation of MSSPs permits the enterprise to concentrate on governance and policy.  No security strategy in today’s world is 100% foolproof, but this can ensure enterprises are following best practices and can make adversaries look for less capable targets.

NetCraftsmen consultants have a long history in networking and cybersecurity.  We can work with your teams to identify and mitigate the risks your firm faces and assist with the transition of services.  This involves everything from individual component services your firm needs all the way through to a complete security as a service approach.