A Target for Hackers
On the morning of 19 December 2013, the US-based retail giant Target Corporation issued a statement about a security breach that had compromised payment card data in its stores. As the story unfolded, it emerged that the attackers had exfiltrated roughly 11GB of data: payment card data for some 40 million cards scraped from Target’s PoS terminals, plus personal information on around 70 million customers, a scale that was unheard of at the time. The aftermath included the resignation of then-CEO Gregg Steinhafel, and in its 2016 Annual Report Target pegged the cumulative cost of the breach at $292M.
The interesting part is how the attackers reached the PoS terminals at all. Investigators found that Target had outsourced maintenance of its HVAC and refrigeration systems to a third-party contractor and had given that contractor remote access into the Target network. The attackers stole the contractor’s credentials through a phishing campaign. Once inside the Target network, they were able to move laterally to the PoS systems and install card-scraping malware on the terminals. The rest, as they say, is history. The Target breach is a textbook example of the cost of inadequate network segmentation: a vendor’s HVAC access had no business reason to reach payment systems, yet nothing on the network enforced that boundary.
Exploding Devices and Zero Trust
In the Enterprise, we have users connecting to the network to access workplace resources. Increasingly, we also have other devices getting connected: printers, badge readers, manufacturing controllers, HVAC systems and so on. The list starts to explode when you add IoT and connected OT devices.
Broadly speaking, a Zero Trust strategy for the workplace must address authentication, authorization, segmentation and continuous monitoring of trust across all of these devices. In my second blog, I covered the fundamentals of securing users and their devices. There is, however, a big difference between devices used by the workforce and the equipment connected in the workplace.
Zero Trust in the Workplace
The principles of enforcing trust on access to end-user applications do not translate directly to printers or badge readers: there is no user to authenticate interactively, and many such devices cannot run an endpoint agent. Traditionally, their access has been controlled at the point of connection to the network using soft attributes such as IP address, MAC address and switch port. IP and MAC addresses are trivially spoofed, and a port number says nothing about what is actually plugged into it. For a Zero Trust approach, the access decision must rest on several factors, including a verified identity and observed behaviour, and it must be re-verified regularly rather than granted once at connection time. The most robust approach is software-defined access control built on 802.1X with certificate-based authentication (EAP-TLS), so that a device proves possession of a private key rather than presenting an address anyone can copy.
The second important principle in Zero Trust for the Workplace is group-level segmentation. Once authenticated and identified, the device is placed in a group and segment based on its role, irrespective of IP address or physical location. Policies on the network then define which groups may talk to which network resources and to which other devices. Starting in the LAN, this segmentation can be carried forward through the corporate network across the WAN and into the Data Center, creating end-to-end separation of traffic for devices of different types. This is an effective way of segregating business-critical traffic and resources from administrative ones. In the event of a compromise, malicious traffic is contained within its own segment and the damage is limited: in Target’s case, an HVAC controller’s segment would simply have had no path to the PoS segment.
In summary, implementing Zero Trust Security for the Workplace entails the following steps:
1. ESTABLISH TRUST
Discover workplace systems, users and applications, including IoT and OT. Establish the identity, role and expected behaviour of each on the network.
2. GAIN NETWORK VISIBILITY
Understand and document user, device and application communications and network flows. This will give you a view of what “normal” looks like.
3. IMPLEMENT NETWORK ACCESS CONTROL
Configure and enforce authentication and authorization at the network layer for all users, devices and applications. Deny access by default to any user or device that cannot authenticate.
4. DEPLOY SEGMENTATION POLICIES
Define groups of users, devices and applications, and allow only those connections between groups that the business requires. Everything else is denied.
And of course, as with any security deployment, continuous monitoring and improvement is key to a successful Zero Trust implementation – to account for changes in devices, capabilities and organizational needs.
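To make the four steps concrete, here is a small added example (not code from the original post, and not any vendor’s NAC product) that models them in Python. The identity-to-group table stands in for what a RADIUS/NAC server would return after certificate-based 802.1X (step 1 and 3); `baseline()` summarises observed flows into “what normal looks like” (step 2); `ALLOW` is the group-level allowlist from step 4 and `decide()` enforces it with default deny; `unsanctioned()` is the monitoring check that flags observed traffic the policy does not sanction. All device names, groups, IP addresses and flows are constructed; port 47808 is BACnet/IP and 443 is HTTPS. Note that the decision never looks at an IP address, so a device keeps the same policy wherever it connects, and an HVAC controller reaching for a PoS terminal is denied even though both are “on the network”.

```python
"""Group-based segmentation policy evaluated against constructed flows.

Added illustration for this post; it is not Target's environment nor any
vendor's NAC configuration. Identities, groups, IPs and ports are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

# Steps 1 and 3: identity asserted via certificate-based 802.1X, mapped to a
# role group. A NAC/RADIUS server would supply this; here it is a static table
# keyed by the certificate subject CN (constructed values).
IDENTITY_TO_GROUP = {
    "hvac-ctrl-01.example.net": "building-ot",
    "hvac-ctrl-02.example.net": "building-ot",
    "bms-server.example.net": "bms",
    "pos-term-117.example.net": "pos",
    "pos-term-118.example.net": "pos",
    "pay-gw.example.net": "payment-backend",
    "vendor-laptop.example.net": "vendor-remote",
}

# Step 4: business-required group-to-group connections by destination port.
# Anything not listed is denied. 47808 = BACnet/IP, 443 = HTTPS.
ALLOW = {
    ("building-ot", "bms"): {47808},
    ("vendor-remote", "bms"): {443},
    ("pos", "payment-backend"): {443},
}


@dataclass(frozen=True)
class Flow:
    src_id: str    # authenticated identity of the source device
    src_ip: str    # carried along for logging, never used for the decision
    dst_id: str
    dst_ip: str
    dst_port: int


def group_of(identity):
    """Unknown or unauthenticated identities land in a group nothing may reach."""
    return IDENTITY_TO_GROUP.get(identity, "unknown")


def decide(flow, policy=ALLOW):
    """Allow only if the (source group, destination group) pair permits the port."""
    pair = (group_of(flow.src_id), group_of(flow.dst_id))
    return "allow" if flow.dst_port in policy.get(pair, set()) else "deny"


def baseline(flows):
    """Step 2: summarise observed flows as group pair -> set of destination ports."""
    seen = defaultdict(set)
    for f in flows:
        seen[(group_of(f.src_id), group_of(f.dst_id))].add(f.dst_port)
    return dict(seen)


def unsanctioned(observed, policy=ALLOW):
    """Observed pairs/ports the policy does not allow: review before enforcing."""
    gaps = {}
    for pair, ports in observed.items():
        extra = ports - policy.get(pair, set())
        if extra:
            gaps[pair] = extra
    return gaps


# Constructed observation window: normal traffic plus one lateral-movement attempt.
OBSERVED = [
    Flow("hvac-ctrl-01.example.net", "10.20.1.11", "bms-server.example.net", "10.20.0.5", 47808),
    Flow("hvac-ctrl-02.example.net", "10.20.1.12", "bms-server.example.net", "10.20.0.5", 47808),
    Flow("vendor-laptop.example.net", "172.16.9.3", "bms-server.example.net", "10.20.0.5", 443),
    Flow("pos-term-117.example.net", "10.30.4.17", "pay-gw.example.net", "10.30.0.9", 443),
    # HVAC controller probing a PoS terminal over SMB from a new address:
    # the identity is what matters, so the group stays building-ot.
    Flow("hvac-ctrl-01.example.net", "10.30.4.99", "pos-term-118.example.net", "10.30.4.18", 445),
]

if __name__ == "__main__":
    for f in OBSERVED:
        print(f"{group_of(f.src_id):>14} -> {group_of(f.dst_id):<16} :{f.dst_port:<6} {decide(f)}")
    print("needs review:", unsanctioned(baseline(OBSERVED)))
```

Running it prints an allow/deny verdict per flow and a single review item, the building-ot to pos pair on port 445, which is exactly the kind of path that should never have existed in the Target network. In production the allowlist would be pushed to switches, firewalls or an SDN controller rather than evaluated in Python, but the shape of the decision is the same.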
And that rounds off the series on implementing Zero Trust Security in the modern Enterprise. Hopefully, this gives you a simple approach that you can layer on top of your existing infrastructure, without the need to reinvent it.
Moving on, we will cover other security threats in the Enterprise, and how to defend against them.