Following the recent Colonial Pipeline hack in the USA, President Biden issued an Executive Order mandating a move to Zero Trust for all Federal networks. The news is full of hacks and attempted hacks, ransomware demands, and data thefts. So, the question is, why are private systems seemingly so vulnerable and what can be done about it?

Why does Zero Trust matter?

Zero Trust is not a new term; John Kindervag, an industry analyst at Forrester, popularized the term Zero Trust. It was then coined in April 1994 by Stephen Paul Marsh for his doctoral thesis on computational security at the University of Stirling.

The UK’s National Cyber Security Center (NCSC) has set out some design principles, which underpin and potentially guide a Zero Trust approach as follows:

  1. Know your architecture including users, devices, and services.
  2. Create a single strong user identity.
  3. Create a strong device identity.
  4. Authenticate everywhere.
  5. Know the health of your devices and services.
  6. Focus monitoring on devices and services.
  7. Set policies according to value of the service or data.
  8. Control access to services and data.
  9. Don’t trust the network, including the local network.
  10. Choose services designed for Zero Trust.

 

While Zero Trust has developed to mean different things to different people there is a striking contrast between Zero Trust and traditional perimeter-based network security architectures. The latter attempts to create a secure perimeter around a private network but allows ingress (and egress) from “trusted” devices or individuals, who can then move around inside that perimeter.

An analogy which is often used is that of castle walls. Organizations build secure perimeters to protect the assets inside them but then they must punch holes in those perimeters to allow access to and from other networks. That process itself can create weaknesses, but those weaknesses are often compounded by the fact that, once inside the perimeter, lateral movement around the whole private network can then be possible.

As indicated by the NCSC, one of the main principles of Zero Trust is that trust should not be assumed for any part of the network, whether that’s external or the local network.

Zero Trust also sets out that access to systems and devices should only be permitted once authentication has taken place. 

The State of Play

Today, organizations run their networks on premise, in multi cloud and hybrid environments and rely on the public internet to provide connectivity pathways between their assets. Networks are generally a much more complex blend of systems and assets than they were 10 years ago. Open accessibility presents significant challenges for organizations that need to run private networks and connectivity utilizing the public internet

Moreover, access is required to private systems by remote workers, supply chains, third parties and contracts based all over the World. All of this has been compounded by a rise in remote working and the proliferation of shadow IT and Bring Your Own Device (BYOD).

One of the challenges is that the internet was built to be open and accessible which is great for many applications. However, that open accessibility presents significant challenges for organizations that need to run private networks and connectivity utilizing the public internet. The architecture that typically underpins connections over the internet is generally “connect then authenticate”. This means that anyone, anywhere, anytime can connect to a private system and try to get in.

For example, today the internet enabled device search engine Shodan shows there are currently over 4,000,000 VPN devices currently discoverable on the public internet, listening and waiting for “connect then authenticate” from anyone, anywhere. However, a VPN server is a private system, so why is it openly accessible on the public internet for anyone to connect to? This goes for a whole range of private systems from IoT devices to database servers!

Moving Forward

With a Zero Trust approach, connection is only allowed once defined trust standards have been met. That “authenticate then connect” architecture effectively renders private systems invisible to the public internet. Moreover, similar principles apply once connection has been allowed.

Zero Trust defines that lateral movement is not assumed, as systems can only connect to each other once they have been authorized to do so. This micro segmentation of the network through the prevention of unauthorized lateral movement is an important risk mitigation, which means that even if there is an unauthorized breach of the network potential damage can be limited by preventing unauthorized lateral movement.

There are a range of vendors with varied solutions that can deliver part of the Zero Trust approach but its important to recognize that, with Zero Trust, there is no one solution or “silver bullet” to deliver it; rather Zero Trust is an overarching philosophy and a number of core principles, which should guide the approach taken in enterprises.

Use cases for Zero Trust are many and varied but for example Zero Trust Overlay Networks, a B2B SAAS provided by Enclave Networks, is especially suited to managing secure connectivity in multi cloud environments because it facilitates networks without the need to constantly be adjusting the networking settings of different Cloud platforms, while simultaneously making all connections invisible to the public internet.

Download PDF version Download PDF version

Author profile

David Notley CEO and Co-Founder, Enclave

Written by David Notley, CEO and Co-Founder of Enclave Networks, which has developed patented Zero Trust Overlay Network B2B SAAS. David’s background in is Venture Capital and he has built and exited from a number of businesses.

Enclave Networks are one of just four companies Globally working on Zero Trust Overlay Networks which create secure private networks which are invisible to the public internet, and which can be layered on top of existing network infrastructure meaning less time consuming and error prone network administration. More information can be found at enclave.io

In case you missed it

What Are New Trends In Residential Security?
What Are New Trends In Residential Security?

Residential security and smart homes are rapidly changing facets of the larger physical security marketplace, driven by advances in consumer technology and concerns about rising crime rates. During the COVID-19 pandemic, many people spent more time at home and became more aware of the need for greater security. As workplaces opened back up, returning workers turned to technology to help them keep watch over their homes from afar. We asked this week’s Expert Panel Roundtable: What are the trends in residential security in 2021?

How Businesses Can Protect Their People In The New Age Of Work
How Businesses Can Protect Their People In The New Age Of Work

Ensuring employee health and safety remains a key priority for organizations this year, especially as we see COVID-19 cases continue to rise in different areas of the world. As an ongoing challenge, COVID-19 has shifted the priorities of many organizations. In fact, “improving health and safety for employees” is the top strategic goal this year of manufacturing and logistics organizations in the U.S. and U.K., according to research conducted by Forrester on behalf of STANLEY Security. But as we think about reopening and as hybrid workforce models and “workspace-on-demand” approaches rise in popularity, leaders need to consider implementing the right technologies to help ensure a safe return to the office. This means investing in health, safety, and security solutions that can help leaders protect their people. The intersection of security technology and health and safety There’s no doubt that the scope of security has expanded in the wake of the global pandemic. What was once an area governed by a select few security or IT professionals within a business has now become a crucial company investment involving many key stakeholders. The role of security has expanded to encompass a broader range of health and safety challenges for businesses Additionally, the role of security has expanded to encompass a broader range of health and safety challenges for businesses. Fortunately, security technologies have made significant strides and many solutions, both existing and new, have been thrust forward to address today’s biggest business challenges. Investment in security technology It’s important to note that businesses are eager to adopt tech that can help them protect their people. Nearly half (46%) of organizations surveyed by Forrester report that they’re considering an increasing investment in technology solutions that ensure employee safety. Technologies like touchless access control, visitor management systems, occupancy monitoring, and installed/wearable proximity sensors are among some of the many security technologies these organizations have implemented or are planning to implement yet this year. Facilitating a safe return to work But what does the future look like? When it comes to the post-pandemic workplace, organizations are taking a hard look at their return-to-work strategy. Flexible or hybrid workforce models require a suite of security solutions to help ensure a safer, healthier environment More than half (53%) of organizations surveyed by Forrester are looking to introduce a flexible work schedule for their employees as they make decisions about returning to work and keeping employees safe post-pandemic. Such flexible – or hybrid – workforce models require a suite of security solutions to help ensure a safer, healthier environment for all who traverse a facility or work on-site. One of the central safety and security challenges raised by these hybrid models is tracking who is present in the building at any one time – and where or how they interact. Leveraging security technology With staggered schedules and what may seem like a steady stream of people passing through, it can be difficult to know who’s an employee and who’s a visitor. Access control will be key to monitoring and managing the flow of people on-site and preventing unauthorized access. When access control systems are properly integrated with visitor management solutions, businesses can unlock further benefits and efficiencies. For instance, integrated visitor management systems can allow for pre-registration of visitors and employees – granting cellphone credentials before people arrive on-site – and automated health screening surveys can be sent out in advance to help mitigate risk. Once someone reaches the premises, these systems can also be used to detect the person’s temperature and scan for a face mask, if needed.  We will likely see these types of visitor management and advanced screening solutions continue to rise in popularity, as 47% of organizations surveyed by Forrester report that they’re considering requiring employee health screening post-pandemic. Defining the office of the future A modern, dynamic workforce model will require an agile approach to office management. It’s imperative to strike the right balance between making people feel welcome and reassuring Businesses want to create an environment in which people feel comfortable and confident – a space where employees can collaborate and be creative. It’s imperative to strike the right balance between making people feel welcome and reassuring them that the necessary security measures are in place to ensure not only their safety but also their health. In many cases, this balancing act has created an unintended consequence: Everyone now feels like a visitor to a building. Protocols and processes With employees required to undergo the same screening processes and protocols as a guest, we’ve seen a transformation in the on-site experience. This further underscores the need for seamless, automated, and tightly integrated security solutions that can improve the employee and visitor experience, while helping to ensure health and safety. Ultimately, the future of the office is not about what a space looks like, but how people feel in it. This means adopting a “safety-always” culture, underpinned by the right technology, to ensure people that their safety remains a business’ top priority. 

Access The Right Areas - Making A Smart Home Genius With Biometrics
Access The Right Areas - Making A Smart Home Genius With Biometrics

Household adoption of smart home systems currently sits at 12.1% and is set to grow to 21.4% by 2025, expanding the market from US$ 78.3 billion to US$ 135 billion, in the same period. Although closely linked to the growth of connectivity technologies, including 5G, tech-savvy consumers are also recognizing the benefits of next-generation security systems, to protect and secure their domestic lives. Biometric technologies are already commonplace in our smartphones, PCs and payment cards, enhancing security without compromising convenience. Consequently, manufacturers and developers are taking note of biometric solutions, as a way of leveling-up their smart home solutions. Biometrics offer enhanced security As with any home, security starts at the front door and the first opportunity for biometrics to make a smart home genius lies within the smart lock. Why? Relying on inconvenient unsecure PINs and codes takes the ‘smart’ out of smart locks. As the number of connected systems in our homes increase, we cannot expect consumers to create, remember and use an ever-expanding list of unique passwords and PINs. Indeed, 60% of consumers feel they have too many to remember and the number can be as high as 85 for all personal and private accounts. Biometric solutions strengthen home access control Biometric solutions have a real opportunity to strengthen the security and convenience of home access control Doing this risks consumers becoming apathetic with security, as 41% of consumers admit to re-using the same password or introducing simple minor variations, increasing the risk of hacks and breaches from weak or stolen passwords. Furthermore, continually updating and refreshing passwords, and PINs is unappealing and inconvenient. Consequently, biometric solutions have a real opportunity to strengthen the security and convenience of home access control. Positives of on-device biometric storage Biometric authentication, such as fingerprint recognition uses personally identifiable information, which is stored securely on-device. By using on-device biometric storage, manufacturers are supporting the 38% of consumers, who are worried about privacy and biometrics, and potentially winning over the 17% of people, who don’t use smart home devices for this very reason. Compared to conventional security, such as passwords, PINs or even keys, which can be spoofed, stolen, forgotten or lost, biometrics is difficult to hack and near impossible to spoof. Consequently, homes secured with biometric smart locks are made safer in a significantly more seamless and convenient way for the user. Biometric smart locks Physical access in our domestic lives doesn’t end at the front door with smart locks. Biometrics has endless opportunities to ease our daily lives, replacing passwords and PINs in all devices. Biometric smart locks provide personalized access control to sensitive and hazardous areas, such as medicine cabinets, kitchen drawers, safes, kitchen appliances and bike locks. They offer effective security with a touch or glance. Multi-tenanted sites, such as apartment blocks and student halls, can also become smarter and more secure. With hundreds of people occupying the same building, maintaining high levels of security is the responsibility for every individual occupant. Biometric smart locks limit entry to authorized tenants and eliminate the impact of lost or stolen keys, and passcodes. Furthermore, there’s no need for costly lock replacements and when people leave the building permanently, their data is easily removed from the device. Authorized building access Like biometric smart locks in general, the benefits extend beyond the front door Like biometric smart locks in general, the benefits extend beyond the front door, but also throughout the entire building, such as washing rooms, mail rooms, bike rooms and community spaces, such as gyms. Different people might have different levels of access to these areas, depending on their contracts, creating an access control headache. But, by having biometric smart locks, security teams can ensure that only authorized people have access to the right combination of rooms and areas. Convenience of biometric access cards Additionally, if building owners have options, the biometric sensors can be integrated into the doors themselves, thereby allowing users to touch the sensor, to unlock the door and enter. Furthermore, the latest technology allows biometric access cards to be used. This embeds the sensor into a contactless keycard, allowing the user to place their thumb on the sensor and tap the card to unlock the door. This may be preferable in circumstances where contactless keycards are already in use and can be upgraded. Smarter and seamless security In tandem with the growth of the smart home ecosystem, biometrics has real potential to enhance our daily lives, by delivering smarter, seamless and more convenient security. Significant innovation has made biometrics access control faster, more accurate and secure. Furthermore, today’s sensors are durable and energy efficient. With the capacity for over 10 million touches and ultra-low power consumption, smart home system developers no longer have to worry about added power demands. As consumers continue to invest in their homes and explore new ways to secure and access them, biometrics offers a golden opportunity for market players, to differentiate and make smart homes even smarter.