The notion of a government information fortress protected by a perimeter of digital moats and walls counts for nought when your workforce is mobile and many applications come from the cloud. What counts is knowing how to spot and stop intruders, especially when they tunnel up from the inside.
When Australia’s growing government cloud provider community went into overdrive to shout their cyber protection credentials in March, agency senior executives with ringing ears could have been forgiven for reaching for an acronym cheat sheet and a pair of ear plugs.
In the space of a few weeks, some of the world’s biggest infrastructure service providers and local cloud stalwarts managed to propel cloud security firmly onto centre stage – yet leave more questions than answers hanging in the air.
For every celebrated ‘pure’ cloud migration, there’s another reality for those now at the coalface of managing government systems. A plethora of key applications still have many years of on-site service left in them, a duality that necessitates a hybrid approach to both modernisation and security, all while the severity and volume of threats increases daily.
As powerful as cloud can be, the brutal truth is that it is only as secure as the defences around it, and those defences have to mitigate internal and external threats as they arise, not in hindsight.
It means traditional models of perimeter protection are now insufficient and need to be urgently rethought well beyond data centre ratings. Protection needs to extend straight to what users have at their fingertips.
The perishing perimeter
Since the 1990s, orthodox computer defence and information security models have largely revolved around hardening external or ‘perimeter’ defences to close-off gaps or weak points through which intruders could gain unauthorised access.
That model worked when machines had fixed physical locations on usually static networks where users logged on and logged off from allocated desks.
Fast forward to today’s mobile access as default rather than an exception, a proliferation of personal devices and the increased need for authorised and controlled external access for defined periods of time, and it’s not hard to see how the network landscape outgrew firewalls and VPNs.
So whether it’s laptops, smartphones or compromised documents ferried by email or persistent messaging, what really counts today is how far an intruder – increasingly augmented by automated bots and algorithms – can get once they’ve managed to get on the inside.
Protected? Turning security thinking inside out
One of the most pernicious threats the public sector and enterprise face from obsolete perimeter security postures is the assumption of trust that follows once a user has gained entry to a network or system.
The most common and dangerous vector for compromises is allowing access to multiple applications or assets on the basis that the front door, its lock and flyscreen are strong enough to keep out pests smart enough to hitch a ride in with legitimate users – only to then have the run of the house.
Having mitigated and defeated thousands of attacks and attempted intrusions, the world’s largest and most trusted cloud platform Akamai is backing respected research and advisory group Forrester’s position that user access and controls need to be dynamically risk rated and enforced to contain threats.
Zero Trust: better access when and where it’s needed
Known broadly as the ‘Zero Trust Network’ methodology, the approach at its most basic eschews assumptions in favour of evidence gleaned from legitimate behaviour and activity.
Akamai’s Head of Security Technology and Strategy, Asia Pacific, Fernando Serto advocates an approach he dubs “micro-segmentation”, where the legitimacy of each access request is dynamically risk assessed, checked and challenged if necessary. The assessment draws on an analytics-powered profile built in the background, irrespective of the user’s location, and also takes account of parameters like the trustworthiness of DNS traffic.
He says what Zero Trust specifically addresses for governments is the creation of a security posture that can interoperate with hybrid or heterogeneous computing and network environments, especially around applications, assets and workloads that may traverse public and private cloud and pre-existing infrastructure.
Functionality beats frustration
At a practical level, a Zero Trust Network approach applied to a so-called ‘multi-cloud’ environment works by organisations mapping how users legitimately utilise applications – and then modelling that behaviour so intelligent networks can take account of it to detect abnormalities or suspicious patterns.
This doesn’t mean just locking out people if parameters change; but it can trigger higher levels of validation to safeguard against anomalous, unverified or suspicious requests. Think of it like how a bank likes to check where you are when your credit card is being used overseas.
Serto says building a lucid picture of legitimate behaviour goes a long way to enabling organisational transformation. It streamlines and enhances the effectiveness and value of security controls without having to rework existing infrastructure.
“What we’re working on with customers, and getting them to do, is the profiling of users and applications. So as we build that matrix, the transition of specific user groups onto that new model becomes very simple,” Serto says.
“You either transition applications or you transition groups of users onto that model. It enables people to start that migration without having to plough even more money into the existing security controls that they have in place.
“But the network stays the same from a topology perspective. It’s how you get into your applications, that’s what we’re helping customers change.”
Collaboration where it counts
While the inversion of trust assumptions certainly locks network and application doors where they needn’t be open, it’s essential to recognise that Zero Trust is just as much a workforce productivity enabler as it is a security guardian. There is a tangible payoff.
One of the biggest overheads government organisations face is on-boarding and provisioning for staff. That goes double for staff on secondment, contractors, external stakeholders and members of cross agency teams that must come together quickly and seamlessly.
The major sticking point in this respect has been providing the right access to the right people for the right amount of time. Proper access can take days or even weeks to stand up, often because of the risks of authorisations staying in place after they should. There’s a lag.
But in a Zero Trust environment, where credentials and controls become dynamic and are dialled up rather than dialled down in close to real time, teams can come together far more quickly and effectively without fudges or workarounds that can be exploited down the track.
Moving the needle
That’s especially important when people want to keep control of their own devices rather than having to install software agents or machine controls that can, and often do, conflict with other security settings.
Serto is frank about the security reality of mobile or agile team members.
“The biggest problem with people moving around is that no one really logs a service request to the help desk to remove an access. Everyone just asks for more access. What happens in those cases is you end up with users who have way too much access to way too many applications,” he says.
What benefits users and security alike, Serto says, is when managers can say, “That’s user X, his current role today is Y and this group of applications that that role should have access to is Z.”
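To make the two ideas above concrete, the per-request decision that steps up verification instead of locking people out (the bank-card analogy earlier in the piece) and the “user X, role Y, applications Z” matrix that exposes accumulated excess access, here is an added illustration in Python. It is not code from the article or from Akamai: the role-to-application matrix, the behavioural signals (device, country, managed status, DNS reputation), the user baselines and the anomaly thresholds are all constructed for the example.

```python
"""Added example (not from the article or Akamai): a minimal Zero Trust
access decision plus an access-accretion audit.

Hypothetical assumptions for illustration only:
  - ROLE_APPS is the "role Y -> applications Z" matrix.
  - Each user has a behavioural baseline of devices and countries seen before.
  - A request resolves to ALLOW, STEP_UP (extra verification) or DENY.
"""
from dataclasses import dataclass, field

# Constructed sample matrix: which applications each role should reach.
ROLE_APPS = {
    "analyst":    {"hr-portal", "timesheets", "case-mgmt"},
    "contractor": {"timesheets", "ticketing"},
    "dba":        {"db-console", "timesheets"},
}


@dataclass
class Baseline:
    """Legitimate behaviour observed for one user (constructed signals)."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


@dataclass
class Request:
    user: str
    role: str
    app: str
    device_id: str
    country: str
    device_managed: bool
    dns_reputation: str  # hypothetical signal: "clean" or "suspicious"


def decide(req: Request, baselines: dict) -> str:
    """Evaluate one access request; network location is never consulted."""
    # 1. Entitlement: the current role must map to the application.
    if req.app not in ROLE_APPS.get(req.role, set()):
        return "DENY"
    # 2. A hard signal (suspicious DNS activity) denies outright.
    if req.dns_reputation == "suspicious":
        return "DENY"
    # 3. Deviations from the baseline trigger step-up, not lock-out,
    #    unless every signal is anomalous at once.
    base = baselines.get(req.user, Baseline())
    anomalies = 0
    if req.device_id not in base.known_devices:
        anomalies += 1
    if req.country not in base.known_countries:
        anomalies += 1
    if not req.device_managed:
        anomalies += 1
    if anomalies == 0:
        return "ALLOW"
    if anomalies <= 2:
        return "STEP_UP"
    return "DENY"


def record_success(req: Request, baselines: dict) -> None:
    """After a verified login, fold the new device/country into the baseline."""
    base = baselines.setdefault(req.user, Baseline())
    base.known_devices.add(req.device_id)
    base.known_countries.add(req.country)


def excess_access(user_role: dict, grants: dict) -> dict:
    """Report grants a user holds beyond what their current role justifies.

    This is the audit for the 'everyone just asks for more access' problem:
    compare what is actually granted with what role Y says should be Z.
    """
    excess = {}
    for user, role in user_role.items():
        extra = grants.get(user, set()) - ROLE_APPS.get(role, set())
        if extra:
            excess[user] = extra
    return excess


if __name__ == "__main__":
    baselines = {"alice": Baseline({"lap-1"}, {"AU"})}
    usual = Request("alice", "analyst", "hr-portal", "lap-1", "AU", True, "clean")
    abroad = Request("alice", "analyst", "hr-portal", "lap-1", "SG", True, "clean")
    print(decide(usual, baselines), decide(abroad, baselines))
    print(excess_access({"bob": "contractor"},
                        {"bob": {"timesheets", "db-console"}}))
```

Two design points are worth noting. The entitlement check runs before any behavioural scoring, so a user with a weak baseline still cannot reach an application their role does not cover; and `record_success` only extends the baseline after the stepped-up verification has passed, so an anomaly never becomes “normal” merely by being attempted.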
Zero Trust might be short on assumptions, but in today’s context that may not be such a bad thing.