Learning
Castles are the quintessential model for most aspects of cybersecurity. For over a thousand years, European rulers and families built strong buildings at the best defensive positions to protect themselves and their valuables. A castle was a symbol of wealth, of course, but it was also a symbol of safety and defense. The castle above is Bratislava Castle in Slovakia. From its four corner towers it can view lands in modern-day Austria and Hungary while also surveying its own city, as it sits on the highest point in the area at the base of the Little Carpathians mountain range. The Danube River runs alongside the castle. I visited the castle in 2014 and it is truly a marvel of centuries of engineering dating back to the 9th century. Its foundations and controls are so strong that I believe it could still today be used to defend the city and keep people safe.
In cybersecurity, we often preach against the walled fortress model because of the switch to cloud computing, offsite resources, and the latest shift to a mobile workforce. "The world has changed!" we shout, "and no longer are we able to hide behind a single firewall and consider ourselves secure." Our data assets are spread out, and the people who need access to those assets no longer make requests from a single source. However, the walled fortress or walled garden still makes logical sense. We still want to envelop our assets, data, and people behind our castle walls no matter their locations. This is where Zero Trust can play a role in K-12 networks.
Zero Trust is a philosophy. Put simply, the focus is on people and not networks. Whereas in the past we put up roadblocks, connected our networks via VPN and encryption, and hardened connections against rogue ports and services, the concept of Zero Trust focuses on the identities of users, data, and assets. Permissions are assigned to people, data, and devices, not to networks and communication links.
This is not the place for us to discuss the finer points of Zero Trust and delve into the weeds. My goal is for you to think about the concept of Zero Trust and how you might apply some of the aspects to your own network. In truth, making your network "zero trust" is quite complex but that doesn't mean you can't take a few finer points and adapt them for your schools. Zero Trust is the future. Let's talk about how to start.
Five Steps on the Path to Zero Trust
- IAM/SSO/MFA
Identity and Access Management, Single Sign-On, and Multi-Factor Authentication. The heart of Zero Trust is our users. It only makes sense that we focus our primary efforts on determining user identity. Implementing identity tools in your network is essential for user experience and user trust, and it makes user management easier in the long term.
- SIEM/SOC
Security Information and Event Management, backed by a Security Operations Center. If you are going to protect data, you have to know how it is being accessed, by whom, and what was done. SIEM tools provide a window into user behavior around data. SIEM tools analyze logs and multiple other data types to produce actionable intelligence around data. Monitoring of logs and events is crucial to enforcing policy and identity.
- Endpoint Protection
We still have endpoints. In a Zero Trust network, endpoints present less risk of infiltrating the network, but they can still pose problems for user identity. Endpoint protection may extend beyond virus/malware scanning to advanced detection methods such as EDR. There are even tools now that can monitor, interpret, and intercept instruction sets before they are sent to a CPU.
- CASB
From McAfee: "Cloud access security brokers (CASBs) are on-premises or cloud-hosted software that sit between cloud service consumers and cloud service providers to enforce security, compliance, and governance policies for cloud applications. CASBs help organizations extend the security controls of their on-premises infrastructure to the cloud." A CASB also gives us visibility into authorized and non-authorized cloud usage. It can intercept and monitor data traffic between the local network and the cloud platform and prevent unauthorized devices, users, and apps from accessing cloud services.
- Policy
Written policies create expectations for all stakeholders on how users will create, access, share, and destroy data. Policies hold the configuration data for user identity management. Policies give the instructions to maintain CIA (confidentiality, integrity, and availability). Whether using a CASB or setting up a SIEM or IAM, you need the framework of data and user policies to inform your efforts. A focus on policy will make everything else easier.
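As an added illustration (not code from the newsletter), here is a small Python policy check that ties steps 1, 2 and 5 together: access to a class of data is decided from the user's identity, MFA state and device posture, never from the source network, and each decision is written out as a SIEM-style event that can be rolled up per user. The role names, data classes and addresses are constructed examples.

```python
from dataclasses import dataclass

# Constructed sample policy and requests; the fields, roles and data
# classes are hypothetical, not taken from any real product or school.

@dataclass
class Request:
    user: str
    role: str             # role from the IAM/SSO directory
    mfa_verified: bool    # did the SSO session complete MFA?
    device_managed: bool  # is the endpoint enrolled and healthy?
    source_ip: str        # recorded for the audit trail, never used in the decision
    resource: str
    action: str           # "read" or "write"

# Written data policy: which roles may touch each data class and whether
# a managed device is required for it.
POLICY = {
    "student_records": {"roles": {"registrar", "principal"}, "managed_device": True},
    "lesson_plans": {"roles": {"teacher", "principal"}, "managed_device": False},
}

def evaluate(req: Request) -> dict:
    """Allow or deny from identity, MFA and device posture; emit a SIEM-style event."""
    rule = POLICY.get(req.resource)
    if rule is None:
        reason = "unknown resource"
    elif not req.mfa_verified:
        reason = "mfa not verified"
    elif req.role not in rule["roles"]:
        reason = "role not permitted"
    elif rule["managed_device"] and not req.device_managed:
        reason = "unmanaged device"
    else:
        reason = "ok"
    return {"user": req.user, "resource": req.resource, "action": req.action,
            "source_ip": req.source_ip, "reason": reason,
            "decision": "allow" if reason == "ok" else "deny"}

def summarize(events: list) -> dict:
    """Roll events up per user the way a SIEM dashboard would: counts plus deny reasons."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["user"], {"allow": 0, "deny": 0, "reasons": set()})
        s[e["decision"]] += 1
        if e["decision"] == "deny":
            s["reasons"].add(e["reason"])
    return summary

SAMPLE = [  # constructed requests; note the on-campus 10.x address earns no special trust
    Request("alice", "registrar", True, True, "10.0.5.12", "student_records", "read"),
    Request("alice", "registrar", True, False, "203.0.113.7", "student_records", "read"),
    Request("bob", "teacher", False, True, "10.0.5.40", "lesson_plans", "write"),
    Request("bob", "teacher", True, True, "198.51.100.3", "student_records", "read"),
]
```

Running `summarize([evaluate(r) for r in SAMPLE])` shows one allow and one deny for alice (unmanaged device) and two denies for bob (missing MFA, then a role that the student_records policy does not permit).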
Zero Trust is about more than security. It's about user experience. Our users want a seamless experience to access data from anywhere using any device they choose. That kind of data utopia is possible with a Zero Trust Architecture. There would be no more need for a VPN connection to allow access to a network, no more need to use a pre-authorized device only, no more need for users to verify themselves at every turn. The risk of a local device causing havoc is reduced because network permissions are tied to the user's identity, not to the device. The risk of user compromise is lowered by IAM/MFA. Integrity of data is strengthened when automated monitoring verifies that data policies are being followed.
There is yet even more complexity to Zero Trust, but this newsletter scratches the surface enough for us to start thinking about building new virtual castles to protect our assets. We can begin with small steps in the right direction.