Security Think Tank: Yes, zero trust can help you understand attack paths

Understanding attack pathways can be a complex task. As the number of technologies required to keep pace with the competition increases all the time, organisations must find a way to simplify the overall process of securing their environment.

One way of dealing with this problem is to implement a zero-trust strategy. Yes, I know, you’ve heard this one before, but please bear with me here as there can be a lot of misinformation on what zero trust is and can ultimately do. Creating a zero-trust strategy (and it is a strategy, not a technological solution) allows you to architect the IT environment so that the “never trust, always verify” sentiment is at the forefront of all network security.

A good zero-trust strategy limits the possibilities open to attackers as it stops lateral movement, which is the mainstay of most cyber attacks. The opportunity to re-architect the IT environment to work as part of a zero-trust strategy will also support the organisation in understanding its whole IT estate, and the interactivity between data, devices and systems.

Additionally, the monitoring side of a zero-trust strategy will, when supported by a strong security operations centre (SOC), provide an overall picture and understanding of the environment and what is happening within it.

“A good zero-trust strategy limits the possibilities open to attackers as it stops lateral movement, which is the mainstay of most cyber attacks”
Paul Holland, Information Security Forum

Zero trust switches the focus of security from outside-in to inside-out, starting at the resource level: be that data, assets, applications or services (DAAS).

Protecting each discrete resource with a protect surface (a set of protective measures commensurate with the criticality of the resource to the organisation) allows for granular levels of control and visibility. It also restricts the ability to attack other resources – each connection made outside of the resource will trigger another request that would need to be verified, as the connection starts off again as untrusted.
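
The effect of per-connection verification on attack paths can be modelled as graph reachability. The following Python sketch is an added example, not part of the original article; the resource names, identities and policy entries are constructed for illustration. It compares what a compromised laptop can reach under implicit trust with what it can reach when every hop is verified against the target's protect surface, and collects the denied hops a SOC would see.

```python
from collections import deque

# Constructed sample estate: which resources can open connections to which.
LINKS = {
    "laptop": ["intranet", "file-share"],
    "intranet": ["hr-db", "file-share"],
    "file-share": ["payroll-app"],
    "payroll-app": ["hr-db"],
    "hr-db": [],
}

# Hypothetical protect surfaces: the (identity, source) pairs each resource
# admits after verification. Anything not listed is denied by default.
PROTECT_SURFACE = {
    "intranet": {("alice", "laptop")},
    "file-share": {("alice", "laptop")},
    "payroll-app": {("svc-payroll", "file-share")},
    "hr-db": {("svc-payroll", "payroll-app")},
}


def verify(identity, source, target):
    """Each connection starts untrusted; admit it only if policy lists it."""
    return (identity, source) in PROTECT_SURFACE.get(target, set())


def attack_paths(start, identity, zero_trust):
    """Breadth-first walk from a compromised resource.

    Returns (resources reached, hops denied by a protect surface).
    With zero_trust=False every network link is implicitly trusted.
    """
    reached, denied, queue = {start}, [], deque([start])
    while queue:
        src = queue.popleft()
        for dst in LINKS[src]:
            if dst in reached:
                continue
            if zero_trust and not verify(identity, src, dst):
                denied.append((src, dst))  # event worth alerting on
                continue
            reached.add(dst)
            queue.append(dst)
    return reached - {start}, denied


if __name__ == "__main__":
    print("flat network:", attack_paths("laptop", "alice", zero_trust=False))
    print("zero trust  :", attack_paths("laptop", "alice", zero_trust=True))
```

In this constructed estate the stolen user session reaches every resource on the flat network, but only the two resources its own policy entries allow once each hop is re-verified.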

This idea of a protect surface also plays into the hands of organisations that are investing in new technology, ideas and applications. Adding in a new DAAS resource to a zero-trust architected environment becomes a reasonably simple process – once the criticality of the resource is agreed, the protect surface is added to the resource.

By leveraging a zero-trust strategy, implementing the right operational environment and underpinning it with the right technologies, an organisation can understand its environment in detail and enhance its security posture. Importantly, it has the added benefit of being able to secure new resources quickly and simply, aiding the push to change that modern, progressive organisations crave.