Leveraging Partner Expertise to Build a Zero-Trust Strategy

Written by Jon Bove
June 9, 2021

Keep building partner trust, but apply the principle of least privilege to networks for security.

Jon Bove

Trust has always been considered an important concept within the realm of cybersecurity. In fact, firewalls were invented with this concept in mind, developed to address the fact that people outside the enterprise network were naturally less trustworthy than those inside it. Zones of trust within networks define what is secure versus what isn’t secure, with most organizations even restricting who has access to critical data and resources.

But while strategies such as these have led organizations to believe that they are fully secure, it’s up to partners to demonstrate that this is simply not the case while helping to build a new strategy – one that involves a zero-trust framework.

The Problem with Trust

Increasingly, organizations are moving toward a zero-trust model as they rethink their security strategies. Take operational technology (OT) environments, for example, which have long relied on inherent trust models because access to their networks was highly restricted. In many of these environments, a user whose device connected to that OT infrastructure was able to access any system. However, the convergence of IT and OT is changing this approach, especially as more devices – many of which control potentially dangerous machinery – connect to the network.

Similar issues exist within traditional IT networks. Using traditional zones of trust, users can freely move between systems and resources. Workflows and applications also move between these zones of trust, and may even move between different ecosystems (i.e., between data centers and the cloud) to access critical data. But when cybercriminals manage to breach perimeter defenses, this movement creates a highly exploitable condition in which they use sophisticated malware to slip under the radar, using the inherent trust in the network to move laterally across it before escalating privileges to move from one area to another.

In the past year, one issue has seemingly risen above the rest for many partners and their customers: Remote work security. With the majority of office workers now accessing critical network resources from outside the network, virtual private network (VPN) connections simply do not provide the level of security required to protect this traffic. Cybercriminals responded to this shift by targeting vulnerable home network systems instead of traditional network devices, looking to ride the VPN connection back into the network. The sevenfold increase in ransomware attacks during the second half of 2020 proves that this was a successful strategy.

Partner Opportunity Around Zero Trust

Considering the ever-expanding nature of enterprise networks, partners must help their customers evolve their strategies to stay ahead of cybercriminals who are doing the same. This can be achieved through the deployment of a zero-trust model.

Zero trust is based on the premise that organizations assume any user or device is compromised, requiring them to continuously authenticate to the network and validate their identity and access. This networking strategy responds to concerns associated with the attack surface’s rapid expansion and introduction of new edges. Further, it determines trust on a per-transaction basis, rather than granting full access to a network segment based on the network location of a user or device. It starts with a default deny-all posture for everyone and everything, requiring verification of users or devices before granting an access request.

This verification starts by taking the user’s identity (role or assigned privileges) and device (personal or corporate) into account. It then incorporates additional attributes and context, such as time, date, geographic location, security patch installation and enablement of specific security tools. Even after verification, only the necessary level of trust is granted, using the principle of least privilege. For example, if a user requests access to an HR application and is verified, they are only given access to that application and nothing else. According to the principle of least privilege, those users and devices receive access only to the resources necessary for completing their job functions – no more and no less.

As organizations move toward zero trust, partners become important resources for their customers. Because partners have documented customer network architectures, worked with asset inventories and helped with risk assessments, they have …