Zero Trust is rapidly gaining popularity as a philosophy implemented by organizations of all sizes. The idea of trusting no person or device may sound somewhat draconian, so the concept of ‘always verify’ is often applied. However, there will inevitably be times when sources cannot be verified, so the mantra “verify where you can and block where you can’t” applies.
While Zero Trust started as a concept of protecting your most valuable assets using the DAAS approach (data, applications, assets and services), most of which existed in the data center or cloud, recently the endpoint has increasingly been included, as it does hold data and applications, it is an asset and it uses a wide variety of services.
That said, the challenge with endpoints is that they are not always safely locked in a secure area – they can move. In many cases, endpoints move to environments that can potentially be very dangerous, including a home network. We generally feel very safe at home, but there is no door entry system to track who enters and leaves. We share the network and workspace with games consoles, CCTV, music systems, other unprotected workstations and, as a result, a whole host of potential threats.
Ideally, a home worker would have their work laptop in a locked room, hardwired into its own network on a separate broadband connection connected via a secure VPN. But as we know, this is generally not the way things are, and so the concept of Zero Trust for endpoint security is more relevant than everyone believes.
This begs the question: how can we implement and enforce Zero Trust for endpoint security, not only on campus, but for the huge (and growing) number of remote workers?
First, we should understand what the potential threats are:
- The home network – this has grown from 2 or 3 PCs to a broad mix of IT and OT. The number of devices on the network has grown to around 20, each of which will have its own connection to a remote service. Very few homes have a high-quality firewall and almost no service providers offer a cloud-based next-generation firewall service. Equally, the endpoint security available to home users is legacy, meaning it is often heavy, slow, and causes many to turn it off or not install it in the first place.
- Public WiFi – almost everywhere we go, from hotels to buses, now offers a WiFi service. The potential for fake access points and man-in-the-middle (MitM) attacks are enormous.
- Connecting to the corporate network – while the corporate network itself should not be a threat because of other environments, we become the threat. Our laptop could have become infected, and as soon as we connect to the corporate network either directly or remotely, we can launch malware into our own organization.
So, how can we use verify or block to comply with the Zero Trust approach? Here are a few things to keep in mind:
- Ensure that machines and people are who they say they are. Use multi-factor authentication (MFA) to verify users and devices. Identity is often described as the ultimate perimeter of the network and, to a certain extent, this is true. In most systems, it is best to decouple security from the network and identity is no exception as it then becomes completely portable to all environments.
- While remote, connect all users via VDI or VPN.
- Virtual desktops or remote desktops can provide a secure and simple connection for most users. As the applications never exist on the endpoint, it is difficult for malware to propagate to the corporate network. However, it is important to make sure that the backend environment is properly segmented to stop any threats accessing the wider systems.
- VPNs are widely used by organizations to provide a secure connection that replicates the corporate network. Most will check that the endpoint has up-to-date patches and security signatures before allowing the connection to be made. VPNs can cause some performance issues if everything needs to be backhauled to the home network. To solve this, a new class of system called Secure Access Service Edge (SASE) has emerged that uses local cloud access to provide secure remote connection.
- Make sure that all endpoints have next-generation endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions installed. Modern lightweight systems use a combination of threat analysis and behavioral analytics to identify and stop known and unknown malware.
- Apply endpoint segmentation. One of the key tenets of Zero Trust is micro-segmentation and this applies equally to endpoints. Micro-segmentation on the endpoint stops the propagation of peer-to-peer threats by only allowing the required applications.
The combination of these systems should protect both the endpoint and other users in either campus or remote environments. While MFA and VPNs are all about verification, the combination of EPP and micro-segmentation stops the threat. If while at home a user acquires some malware, it can sit and do nothing for weeks. If it does nothing, it is very difficult to detect. Once the device is connected to the corporate environment, however, the malware may try to move to other hosts or endpoints looking for a system that is unprotected or unpatched.
Once malware has escaped from the originating system and is on the loose, containment is key. Even the best endpoint security systems can take a few minutes to detect a threat and in this time, malware can move far and wide.
The use of endpoint segmentation like Illumio Edge prevents the wide-scale propagation of malware by applying Zero Trust whitelist rules to the communication between systems, only allowing authorised applications and systems to communicate. This will contain any threat while the rest of the security infrastructure identifies and remediates the attack.
For more information on how Illumio Edge works: