The internet is replete with flaws, the most significant of which today concern cybersecurity. The underlying infrastructure, based upon TCP/IP, was never designed with security in mind and never anticipated the cyberthreats we face today. Of course, rebuilding the internet from scratch does not seem to be a viable option. 🙂 The massive amount of network infrastructure in place, especially with existing government, defense, health care, manufacturing, and finance networks, cannot be replaced in any imaginable scenario. Add to this the new wave of internet of things (IoT) devices, which also cannot be easily replaced.
To address these early flaws, most networks today have been surrounded by a virtual wall. The idea behind this network perimeter wall was that we could identify attackers and keep them out of our networks. Nothing could be further from the truth today. This notion of a wall, or perimeter defense, worked reasonably well 10 to 15 years ago but no longer seems to be effective. Attacker tactics, tools, and procedures have outrun the capabilities of most perimeter defenses and continue to take advantage of the weaknesses of TCP/IP and its associated equipment and applications.
Unfortunately, as we have seen, it only takes one successful penetration of an endpoint or network device to compromise and break the entire network. That is because the current practices for enterprise infrastructures assume that once you are inside a network, you are trusted. This granting of “trust” is a major flaw in thinking, with its genesis back when the ARPANET, the predecessor of the public internet, first came to life in 1969.
The best new strategy to add resiliency to the internet is to move from this existing trusted infrastructure design to a posture of Zero Trust. The Zero Trust model was first proposed by Forrester Research in 2009. Zero Trust turns the legacy perimeter defense model upside down. The basic assumption added to the network is that every user is to be considered untrusted and hostile. Zero Trust brings changes to both policy and architecture by assuming that threats exist all the time, both inside the network and externally, and that we must operate accordingly. Every user and device on the network must be authenticated and authorized. Policies should limit each user's access to the minimal subset of network resources they need to do their job – no more. No more wide-open view of the internal network and data sources. No more easy access to data resources – everything should be hardened, encrypted, and locked up tight.
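To make the contrast concrete, the following added example (not part of the original article) evaluates the same three requests under the perimeter assumption and under a Zero Trust check. The network range, roles, resource names, and request fields are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (assumptions, not from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Least-privilege grants: role -> the only resources that role needs.
GRANTS = {
    "payroll-clerk": {"payroll-db"},
    "web-admin": {"web-frontend"},
}

@dataclass(frozen=True)
class Request:
    source_ip: str
    user_authenticated: bool    # a verified user credential was presented
    device_authenticated: bool  # the device identity was verified
    role: str
    resource: str

def perimeter_allows(req: Request) -> bool:
    """Legacy model: anything already inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_allows(req: Request) -> bool:
    """Zero Trust: network location grants nothing; the default is deny."""
    if not (req.user_authenticated and req.device_authenticated):
        return False
    return req.resource in GRANTS.get(req.role, set())

SAMPLE_REQUESTS = {
    "inside the network, no verified identity":
        Request("10.1.2.3", False, False, "", "payroll-db"),
    "authenticated web admin reaching outside their job":
        Request("10.1.2.4", True, True, "web-admin", "payroll-db"),
    "authenticated payroll clerk working remotely":
        Request("203.0.113.7", True, True, "payroll-clerk", "payroll-db"),
}

def compare() -> dict:
    """Return {label: (perimeter_decision, zero_trust_decision)}."""
    return {label: (perimeter_allows(r), zero_trust_allows(r))
            for label, r in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label}: perimeter={old} zero_trust={new}")
```

The perimeter check admits both internal requests and rejects the legitimate remote user, while the Zero Trust check does the reverse in all three cases.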
This change to Zero Trust can be made by enterprise and government at a pace that matches their needs for stronger security. Each enterprise can implement the additional technologies, policies, and encryption at their own pace. Zero Trust is relatively easy to implement, as there is minimal impact to the existing base of devices and TCP/IP infrastructure already in place. Zero Trust can build upon the existing TCP/IP infrastructure.
Cloud access security brokers (CASB) bring several Zero Trust technologies, such as end-to-end “edge” encryption for cloud deployment. CASB provides enhanced visibility, threat and data protection, and powerful controls for implementation of compliance. CASB can wrap all of your cloud deployments, both vendor SaaS clouds and your own custom-developed cloud applications, in a powerful cocoon of protection. CASB cannot solve the problems inherent within every network, but by overlaying the applications with the resiliency of a CASB infrastructure, we can add the increased capability required to meet (and defeat) the new wave of cyberthreats and risks. To find out more about Zero Trust, request a CASB+ trial today.