The Challenges Of Moving To Zero Trust

A recent survey from the UK Government has highlighted business concerns over cyber security once again, with 39% of UK businesses identifying a cyber attack in the last year alone. Of those UK businesses who identified an attack, one in five (21%) identified a more sophisticated attack than phishing alone.

Despite its lower prevalence than other attack types, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.

The threat landscape means that many enterprises and SMEs are increasingly looking to adopt a Zero Trust approach - spurred by various international Government mandates. However, many enterprises have legacy technology running across their networks, often critical for business operations, and it is vital that any Zero Trust strategy consider how this will either be fully incorporated, or risks mitigated.
 
The Zero Trust Legacy Challenge
 
A common challenge while adopting Zero Trust is the existing enterprise legacy systems.  Legacy environments are highly likely to have originated with either very little security at all, or security that relied on a perimeter approach - neither of which is ideal territory for any organisation in 2022. All systems require regular maintenance in the form of software patches to close out newly identified vulnerabilities. It is a common expectation however that OS and application vendors will themselves reduce the frequency of, or entirely stop availability of patches for systems that they themselves no longer support. This can leave them more susceptible and open to attack. Furthermore, many cyber security vendors do not sufficiently support legacy operating systems, making it more challenging to incorporate them into the Zero Trust strategy.
 
Another challenge that comes with legacy environments is that it builds a huge resistance to change, with some systems even seen to be ring-fenced and out of scope for many standard security assessment practices. Instead, we often see reliance on broad network-level controls that add little in the way of risk reduction to modern attacks. Security leaders have the crucial role of educating security teams on the importance of modern security approaches and building a culture that reflects a security-first mindset, looking beyond the traditional.
 
Internal Expertise Is A Significant Barrier
 
Indeed, a recent survey from General Dynamics Information Technology found that a key challenge in any Zero Trust implementation is a lack of internal IT staff expertise, with 48% of US federal IT and program managers mentioning it as a problem. That same survey also highlighted another core challenge - legacy infrastructure is hard to replace. More than half (58%) say the biggest challenge to implementing Zero Trust is that existing legacy infrastructures must be rebuilt or replaced. But agencies are making investments in digital transformations with 92% seeing moving to cloud-based solutions as a top priority.
 
There are methods to manage the technical challenge of implementing Zero Trust in a legacy environment, and the first requires very little financial investment. The first step is simple enough in theory, but often more complicated in practice - being to conduct a full audit and a security risk assessment based on that audit. That same UK Government cybersecurity survey found that just over half of UK businesses (54%) have acted in the past 12 months to identify cyber security risks, a figure that should continue to rise in the future. 
 
Audits, Air-gapping & Micro-segmentation
 
The result of the audit and risk assessment should be a clear picture of the wider security state of the network, although it is highly likely in a legacy environment that some elements will be too expensive or complex to replace right away. A key challenge with this in place is to protect the highest risk and most exposed data as a priority. This might be achieved via a variety of techniques, including air-gapping, creating a physical or virtual network to isolate particularly at-risk systems, or implementing new firewall rules.

However, these techniques come with pitfalls that might cost businesses significantly. Firewalls and network level controls alone are insufficient.

They can only act on the data flows they see, typically at the perimeter or at the broader internal environment boundaries, but not between the hosts within a given boundary. They do little for protecting networks outside the office, such as the growth in home working environments spurred on by the pandemic. Here the answer for many has been to hastily roll-out more VPN capacity, often with little control for what is sent across once a user authenticates, or to which systems those individuals often find themselves able to access. This is considered with the knowledge that insider threats remain one of the largest risks for organisations.
 
An effective technique against modern day attacks is micro-segmentation. Most perimeter security solutions (IPS/IDS/Firewalls) focus predominantly on North-South traffic, to and from the Internet. Whereas around 80% of network traffic is East-West or machine-to-machine, which is largely invisible to security teams, with one analyst firm stating that on average only around 10% of internal data centre and cloud traffic is visually mapped.
 
Malware and unauthorised targeted activities already inside the network have been seen to move laterally and remain undetected for days and sometimes close to a year. Micro-segmentation is a technique that evolved from the need to secure data centres, applications, and workloads from advanced threats, where traditional approaches lack granularity or visibility of traffic flows at the network boundaries. Micro-segmentation prevents all non-explicitly authorised communications even between neighbouring hosts within the same network boundary. With workloads additionally now spread across multiple clouds, organisations need to adopt an approach that will help them manage and apply policies consistently across the full hybrid estate.
 
Zero Trust - A Journey Not A Destination

One of the most important points to recognise when moving to a Zero Trust approach is that it is a journey, not a single capability, nor deployed at a single moment in time. This is more so the case where pockets of legacy technologies are concerned. The inertia inherent in identifying, categorising and then migrating away from legacy software and hardware should not be underestimated - it will take time. Indeed, even analyst firm Forrester has estimated that many enterprises' Zero Trust journeys can take up to three years.

Building a strategy around this approach with partners that can demonstrate their understanding of this reality, whilst reaching key early milestone wins is key to longer-term success.

Legacy represents one of the biggest risks, and largest challenges to overcome. It is also one that the use of micro-segmentation as part of your Zero Trust journey represents an opportunity to mitigate, whilst you pick your battles as you phase it out for good.

Kevin Ware-Lane is Regional Manager UK&I at ColorTokens

You Might Also Read: 

Legacy Technology is Undermining How Business Responds To Ransomware:

 

« A Multi-layered Approach To Data Resilience
Are Compromised Passwords Putting Your Company At Risk? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

2|SEC Consulting (2-SEC)

2|SEC Consulting (2-SEC)

At 2|SEC Consulting, we deliver an end-to-end service of cyber and information security solutions which are tailored to each client’s exact security needs.

British Assessment Bureau

British Assessment Bureau

The British Assessment Bureau is an ISO certification body. We check conformity and compliance of companies to recognised ISO standards including ISO 27001.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

BrandShield

BrandShield

BrandShield is an anti-counterfeiting, anti-phishing and online brand protection solution.

Deepnet Security

Deepnet Security

Deepnet Security is a leading security software developer and hardware provider in Multi-Factor Authentication (MFA), Single Sign-On (SSO) and Identity & Access Management (IAM).

InferSight

InferSight

InferSight can help you design an architecture that takes into account security, performance, availability, functionality, resiliency and future capacity to avoid technological lock in and limitations

BigBear.ai

BigBear.ai

BigBear.ai delivers high-end analytics capabilities across the data and digital spectrum to deliver information superiority and decision support.

BlastWave

BlastWave

BlastWave’s BlastShield integrates three innovative products into a single solution to help prevent inadvertent and intentional attacks.

Trustaira

Trustaira

Trustaira is the first deep tech solution and service company in Bangladesh.

Agile Defense

Agile Defense

Agile Defense is an Information Technology services provider, delivering leading-edge Digital Transformation solutions to the Federal Government.

NetHope

NetHope

NetHope is a membership-based organization serving the international nonprofit humanitarian, development, and conservation sector through digital transformation.

Antivirus Tales

Antivirus Tales

Antivirus Tales offers a platform to resolve all types of antivirus-related issues. The platform also provide various blog articles and informative guides to fix antivirus software errors.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.

Jitterbit

Jitterbit

Jitterbit integrates critical business processes and enables application development to deliver the experiences and insights needed by enterprises of all sizes to accelerate their digital journey.

Chorology

Chorology

Chorology is a leading provider of intelligently automated, data compliance and posture enforcement solutions.

Efex

Efex

Efex is one of Australia’s leading Managed Technology Solutions providers. We service local companies across Australia, providing accessible, fast and straightforward IT.