Given current global events, many organisations are in the process of executing business continuity plans at a scale and for a duration they had neither envisaged nor planned for, often resulting in rapid digital transformation, with increased employee mobility and expanding use of cloud services. For many, this has been an acceleration of the adoption of technology and new ways of working, with COVID-19 driving a cultural change that even the most evangelical digital transformation teams could not previously achieve.
For some, the barriers to transformation have included the skills gap that new technologies can introduce, as well as our often-misplaced comfort in the security of business and culture as usual. The idea that traditional perimeter-based security is by default the best organisational IT paradigm has been challenged for decades, with much of the early debate led by the Jericho Forum. However, the model has continued to persist and dominate, typically irrespective of how well it serves an organisation or its growth.
As pointed out by the National Cyber Security Centre (NCSC), detecting and preventing the lateral movement that follows an initial compromise remains one of the major cyber security challenges. Environments designed to trust resources on the basis of their access to the corporate network can provide easy pickings to an adversary once they have compromised the most vulnerable of end users, whether those users are at a corporate desktop or not.
The NCSC now recommends that organisations consider adopting the Zero Trust Architecture (ZTA) approach when deploying new systems, to achieve enduring confidence in the integrity and identity of users and devices at the point of access to IT services, placing no trust in the underlying network infrastructure. The Zero Trust Architecture model emphasises that organisations should not automatically trust users or assets, irrespective of location.
The NCSC also points out the potential security benefits of consuming well-configured cloud platforms and services, which can offer robust data security controls and provide intrinsic resilience. While some experienced IT practitioners have maintained a healthy distrust of all things cloud, the cloud platform providers have continued to invest heavily in the technical controls and processes that underpin their platforms.
Amazon, for example, have stated that while they are not a security company, security is a fundamental aspect of what they do. When things go wrong at the scale that Amazon operates, the corresponding liabilities are of course eye-watering, which is why Amazon, along with other platform providers, will continue to lead important areas of security research, such as formal system verification. These investments should provide comfort to potential customers weighing the pros and cons of cloud versus their own on-premise cyber capabilities. One important caveat remains, of course: even the best cloud platforms can always be configured and used insecurely.
The increasing popularity of network architectures designed for more distributed and diverse resources accessing cloud services is in turn driving the maturity of the associated technologies. Zero Trust is currently a set of high-level principles, as opposed to well-defined and agreed protocols. A Zero Trust architecture places no inherent trust in the network, but requires establishing confidence in each service request, achieved by building context through strong authentication, authorisation, device health, and the value of the data being accessed. An NCSC project referred to as CloudClient demonstrated an architecture for achieving complete confidence in device identity, as well as the integrity of all installed software components, allowing a remote attestation protocol to control access to services based on strong device health measurements that are transparent to the user. The resulting capability is being used successfully across UK Government and its private sector partners.
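The per-request decision described above, sketched as an added example (not code from the NCSC, CloudClient or Becrypt). The resource names, data tiers, authentication ranks and thresholds are constructed assumptions; network location is recorded on the request but never consulted.

```python
from dataclasses import dataclass

# Constructed policy for illustration: auth strength ranks and per-tier minimums.
AUTH_STRENGTH = {"password": 1, "password+otp": 2, "hardware_key": 3}
TIER_POLICY = {            # data value -> (min auth strength, device health required)
    "public": (1, False),
    "internal": (2, True),
    "sensitive": (3, True),
}
RESOURCES = {              # resource -> (data value tier, users authorised for it)
    "status-page": ("public", {"alice", "bob"}),
    "wiki": ("internal", {"alice", "bob"}),
    "payroll": ("sensitive", {"alice"}),
}

@dataclass(frozen=True)
class Request:
    user: str
    auth_method: str
    device_attested: bool    # device identity verified
    device_patched: bool     # device health measurement
    resource: str
    source_network: str      # logged only; never an input to the decision

def decide(req: Request) -> tuple[bool, list[str]]:
    """Evaluate one service request; return (allowed, reasons for denial)."""
    if req.resource not in RESOURCES:
        return False, ["unknown resource"]           # fail closed
    tier, authorised = RESOURCES[req.resource]
    min_auth, need_healthy = TIER_POLICY[tier]
    reasons = []
    # Unknown authentication methods rank 0, so they fail every tier.
    if AUTH_STRENGTH.get(req.auth_method, 0) < min_auth:
        reasons.append("authentication too weak for " + tier + " data")
    if req.user not in authorised:
        reasons.append("user not authorised for resource")
    if need_healthy and not (req.device_attested and req.device_patched):
        reasons.append("device health not established")
    return (not reasons), reasons

if __name__ == "__main__":
    on_lan = Request("alice", "password", False, False, "payroll", "corporate-lan")
    remote = Request("alice", "hardware_key", True, True, "payroll", "home-broadband")
    for r in (on_lan, remote):
        print(r.source_network, decide(r))
```

The same user is refused on the corporate LAN and admitted from home broadband, because only authentication, authorisation, device health and data value feed the decision.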
The recent widespread need to extend remote working has required many organisations to digitally transform and look afresh at the opportunities presented by cloud services and products, and the different architectural approaches for securely accessing them. If approached well, the result can be a staged migration to embrace concepts such as Zero Trust, providing the associated security benefits in a more viable manner than its wholesale adoption for an organisation operating in business-as-usual mode.
Here at Becrypt we are working with organisations in the public and private sector, helping them rapidly scale remote working capability using Zero Trust and secure cloud principles.