Adaptive Segmentationmicro-segmentation November 16, 2021

Practical Zero Trust Advice for the “Forgotten 5000”

Kelvin Franklin, Field CTO, US West

Zero Trust — the idea of implementing access controls so that by default no user or device is trusted with access to any resource — is now established as a core pillar to a strong digital security strategy.

But for many organizations, Zero Trust seems like a laudable ideal that is effectively out of reach because of limitations in budgets, time and people. I’m speaking specifically about those companies I like to call the “Forgotten 5000” — the 5000 next largest companies after the Fortune 1000.

These companies are big enough to be targets for cybercriminals. But they’re small enough not to have dedicated teams and extensive budgets for IT security. Some of them might have an IT team of just a dozen or so people tasked with covering all aspects of IT — from cell phones and servers to firewalls to Windows upgrades.

To IT and security professionals in these companies, Zero Trust sounds like a great idea that is simply not practical. A comprehensive approach to Zero Trust involving endpoint software, single sign-on services, and more is simply a pipe dream — a costly, time-consuming project that would probably drag on for years even if it were approved. Meanwhile, daily IT operations are demanding attention. And of course, there are security attacks to fend off, infected laptops to clean, and so on.

I understand these companies’ frustrations when IT experts urge them to adopt Zero Trust security as quickly as possible. They can’t — or at least they can’t entirely — right now.

But I do think there’s an important compromise they can strike to achieve many of the advantages of Zero Trust without the burdensome investment in tools and time. To appreciate this compromise, it’s worthwhile reviewing what makes Zero Trust so essential in the first place.

Endpoint Vulnerabilities and Lateral Movement

Zero Trust is important because it addresses two critical aspects of IT security. First, it assumes that cybercriminals and other attackers will go after every IT asset and user account they can find. No device, whether a thumb drive, a smartphone, a laptop, or even a supercomputer, is immune to malware or at least hacking attempts. And no employee is too insignificant to target since any employee, presumably, has access to at least some part of the network and some authorized accounts.

In practical terms, IT teams can’t assume that any IT asset or user account is safe. Attackers will go after them all. They’ll target the CFO with a social engineering attack. But they’ll also go after anyone they can reach through phishing campaigns, brute force password hacks, and other techniques — which brings us to the second aspect of security attacks addressed by Zero Trust models.

Once attackers gain access to an endpoint such as a laptop or server, they don’t stop there. Instead, they use the network capabilities on the vulnerable account to move “laterally” across the network, implanting malware such as ransomware on as many endpoints as possible. Or they do it to find where a company stores its most valuable data, such as product plans, bank account information, or customer records. They might steal that valuable data, or they might encrypt it. But to find it, they need first to engage in “lateral movement.”

Zero Trust addresses both issues. It makes it harder for attackers to break into endpoints in the first place by ensuring that access controls are strict and rigorously enforced. And it minimizes the possibility of lateral movement by configuring endpoints with the fewest possible permissions. That way, even if an attacker gains access to an endpoint, they find themselves trapped there, unable to move.

Micro-Segmentation: Zero Trust Within Reach

Fortunately, all organizations, including the Forgotten 5000, can take advantage of these two principles without adopting a full-scale Zero Trust model.

They can do it by identifying their most valuable data — the organization’s “crown jewels” — and then protecting that data by implementing segmentation and limiting endpoint network traffic to the communications strictly required for business. By focusing on the crown jewels, even a small IT organization can significantly improve its security defenses without implementing a comprehensive Zero Trust architecture.

To protect your company’s “crown jewels” with micro-segmentation, follow this process:

  1. Identify your most valuable data. It might be data that requires protection because of regulations such as GDPR or HIPAA. Or it might be proprietary data that gives your organization its greatest competitive advantage.
  2. Identify the endpoints that are storing that data and the endpoints that can access this high-priority data.
  3. Analyze all user accounts, applications, protocols and ports that can access the data.
  4. Reduce the access to that data to the bare minimum needed for work.

For example, let’s say you decide that your most valuable data is a customer database running on a Windows server. What applications and processes are also running on that server? Which ports are open, and which protocols are allowed? Should SSH be turned on? If so, should it be accessible only from a jump box (a secure endpoint available only to IT administrators)? Should RDP (a protocol used by help desks and malware) be wide open to the entire network, or should it be restricted to specific hosts? Is NetBIOS really needed, or can it be turned off to prevent attackers from using it to gain access to your most valuable data?

By focusing just on your most valuable data, where it’s stored, and how it might be accessed, implementing Zero Trust security controls becomes practical.

How Illumio Can Help

Zero Trust progress is quicker and easier with help from a Zero Trust segmentation solution like Illumio. Without requiring special network appliances, performance-disruptive agents, or other sweeping IT changes, Illumio can monitor your network’s activity and within hours provides a clear understanding of what traffic is reaching your most valuable servers and endpoints.

Illumio also makes it easy to define policies, such as closing RDP ports, and distribute those policies to endpoints for enforcement. You already have built-in firewalls to enforce these policies. Illumio performs the tricky work of translating high-level policies, minimizing access, to specific and detailed firewall rules.

By applying Zero Trust segmentation policies, you can dramatically reduce an attacker’s ability to engage in lateral movement. Even if they gain access to an endpoint, they won’t be able to move freely across the network. Instead, they’ll be trapped in place. And once detected, they can be removed from the endpoint, eliminating the possibility of the attack continuing.

With segmentation and a focus on protecting the “crown jewels,” organizations in the Forgotten 5000 can significantly strengthen security defenses in the short term while taking an important step toward eventually achieving full Zero Trust.

Learn more about how ransomware works and the importance of containing ransomware by preventing lateral movement.

For more information about ransomware and the benefits of Zero Trust segmentation, read the Illumio white paper, How to Prevent Ransomware from Becoming a Cyber Disaster.

Adaptive Segmentationmicro-segmentation
Share this post: