Security Transformation in the Modern Digital Era

The Cloud has become an enabler for digital business transformation. Cloud Computing enables efficient and effective business process re-engineering to drive companies forward and maintain competitive advantage. The move of mission-critical applications to the cloud has accelerated due to macro trends such as distributed (remote) work. Thus, Chief Information Security Officers (CISOs) are challenged and chartered with building strategies and enacting a security transformation to support the business and minimize enterprise risk.

Identity has become the cornerstone for enacting security transformation. It enables delivery of “Anytime, Anywhere, Authorized” access to enterprise cloud applications and services. Zero Trust and Software-Defined Perimeter (SDP) complement Identity for strengthening access controls and enterprise security.

The trifecta of Identity, Zero Trust, and SDP is essential to secure the extended enterprise ecosystem. A Zero Trust strategy is an absolute must for CISOs today, especially given the rash of supply chain attacks and the exponential adoption of Internet of Things (IoT) devices, many of which lack adequate security.

Zero Trust adoption needs a culture change via a focus on data protection & enterprise risk management. John Kindervag postulated a zero-trust security framework in 2010. He argued that cybersecurity professionals must stop trusting packets as if they were people and eliminate the notion of trusted internal networks and untrusted external networks. In zero-trust, all network traffic is untrusted!

Zero Trust transforms conventional network-based security by changing the focus of security to be centered on users, applications, and data. This set the stage for abandoning the old “castle and moat” approach of the network perimeter in favor of leveraging Identity as the new digital perimeter.

Zero Trust requires a culture change in InfoSec to manage security from the inside out:

  • Grant users the least amount of access they need to accomplish a specific task
  • Verify always – whether users are internal or external
  • Leverage strong technology controls to secure application access

Business process architecture and data flow mapping are critical to enacting Zero Trust protection schemes. Consequently, a significant value add of Zero Trust is enhanced privacy safeguards.

Zero Trust strengthens access controls for the extended enterprise ecosystem including Contractors, Service Providers, and Supply Chain Partners. Managing access for these constituencies in the old “castle and moat” perimeter approach has risks.

Zero Trust leverages a federation of technologies across the Services, Application, and Infrastructure dimensions of a layered security architecture. It leverages some or all of the following technologies:

  • Identity & Access Mgmt. (incl. MFA)
  • Enterprise Mobility Management
  • Privileged Access Management
  • Encryption
  • Software-Defined Perimeter
  • Orchestration
  • Analytics
  • Risk Scoring     

Identity Governance across the enterprise ecosystem is critical to support Zero Trust by managing:

  • Provisioning / Deprovisioning Lifecycle
  • Access Requests
  • Password Management
  • Access Certifications
  • Separation of Duties
  • Identity-centric file access management
  • Identity-centric Cloud Governance
  • Access Analytics and Modeling
  • Principle of Least Privilege
  • Data Security & Privacy

Benefits of Zero Trust include but are not limited to the following:

  • Diminishes risk
  • Facilitates cloud migration & workloads
  • Enhances user experience
  • Lowers costs
  • Provides integrated visibility
  • Supports regulatory compliance
  • Reduces complexity
  • Strengthens security & privacy

SDP enforces the need-to-know principle by verifying device posture and identity before access to applications is granted. Deployment of SDP has gained momentum as a means for enhancing security in hybrid and multi-cloud environments. SDP has been known to effectively combat many common network-based attacks.

SDP extends Zero Trust by controlling access to applications and digital resources dynamically based on all three key dimensions: User Identity, Device Security, and Session Risk. The notion of session risk is used to evaluate and secure every connection attempt based on user Attributes, Behavior, Context, and Role (the Logical side of the “Identity Coin”; Physical side dimensions are Person, Device & Location). This enacts and enforces the principle of “Never Trust, Always Verify”. Pairing trusted devices with user identity enables adaptive, real-time policies that deny access based on session risk. This can help proactively prevent compromise and breaches across the enterprise ecosystem.
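
The following Python example is added here for illustration and is not part of the original article. It shows how a policy decision point could combine the three dimensions above (user identity, device security, session risk) with least-privilege role grants and evaluate every connection attempt. The role names, application names, risk weights, and thresholds are all assumptions.

```python
from dataclasses import dataclass

# Assumed least-privilege grants (constructed): role -> apps it may reach.
ROLE_APPS = {"finance-analyst": {"erp"}, "contractor": {"ticketing"}}
RISK_STEP_UP, RISK_DENY = 30, 60  # assumed thresholds on a 0-100 scale


@dataclass(frozen=True)
class Request:
    role: str                 # Role
    app: str                  # requested application
    mfa_passed: bool          # user identity verified
    device_managed: bool      # device posture signals
    disk_encrypted: bool
    os_patched: bool
    country: str              # Context
    hour: int                 # Behavior: local hour of the attempt
    usual_countries: frozenset = frozenset({"US"})
    usual_hours: range = range(8, 18)


def session_risk(req: Request) -> int:
    """Score context and behaviour signals; the weights are illustrative."""
    score = 0
    if req.country not in req.usual_countries:
        score += 40
    if req.hour not in req.usual_hours:
        score += 25
    if req.role == "contractor":
        score += 10
    return score


def decide(req: Request) -> tuple:
    """Evaluate one connection attempt; nothing is trusted by default."""
    if not req.mfa_passed:
        return "deny", "identity not verified"
    if not (req.device_managed and req.disk_encrypted and req.os_patched):
        return "deny", "device posture failed"
    if req.app not in ROLE_APPS.get(req.role, set()):
        return "deny", "app not granted to role"
    risk = session_risk(req)
    if risk >= RISK_DENY:
        return "deny", f"session risk {risk}"
    if risk >= RISK_STEP_UP:
        return "step-up", f"session risk {risk}"
    return "allow", f"session risk {risk}"


# Constructed sample request: managed, healthy device at a usual time and place.
BASELINE = Request("finance-analyst", "erp", True, True, True, True, "US", 10)
```

A "step-up" decision stands for requiring additional verification before access is granted, so a healthy device and a valid login still do not guarantee access when the session context looks unusual.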

Finally, we can enable secure migration to the cloud via the Secure Access Service Edge (SASE) approach. SASE entails pivoting from a legacy security approach to a SASE security approach:

  Legacy Security                      Modern SASE Security
  -----------------------------------  ----------------------------------
  Intrusion Detection Systems (IDS)    Identity as a Service (IdaaS)
  Data Loss Prevention                 Cloud Access Security Brokers (CASB)
  Web Security                         SSL Inspection & Trust Levels
  Threat Intelligence                  Dynamic Threat Protection
  Sandbox                              User Behavior Analytics (UEBA)
  Virtual Private Networks (VPN)       Zero Trust Network Access (ZTNA)

Ultimately, as CISOs tap the trifecta of Convergence, Consolidation & Cost Savings, the move to Zero Trust SDP and SASE is accelerating. Another trend fast gaining momentum is the shift from legacy VPN to cloud-friendly Zero Trust Network Access (ZTNA) to strengthen enterprise security and scalability. VPNs have relatively higher operating costs, lower scalability due to device-based architecture, and weaker security.

Dynamic threat protection is further strengthened by security providers banding together in alliances and tightly integrating their platforms to strengthen Zero Trust. One such example is the Spectra Alliance between Okta, Proofpoint, CrowdStrike & Netskope. This trend benefits enterprises and providers.

As companies embrace the cloud, the Internet is becoming a quasi-corporate network. Software-Defined Networking (SD-WAN) is another fast-growing trend. These two trends support both security and network transformation. The endgame is reduced operating costs as well as greater flexibility and agility.

SD-WAN protects mission-critical network traffic and applications from security vulnerabilities and enterprise threats via segmentation. SD-WAN leverages a broad range of security solutions including next-gen firewalls, content filtering, malware protection, intrusion prevention, and cloud security.

A paradigm shift is needed to address modern security challenges and minimize enterprise risk. Interoperability and Integration across a layered security architecture while leveraging Identity, Zero Trust, and SDP are key tenets to strengthen enterprise security. Collaboration coalitions across the enterprise ecosystem such as the Spectra Alliance benefit all parties.

www.nexteer.com