The rise of hybrid work environments has widened the attack surface for adversaries. Zero-trust architecture is critical to securing functional operations.

Matt Bromiley, SANS Certified Instructor

May 18, 2023


The proliferation of cybercrime has accelerated in recent years despite widespread commitments to strengthening security posture across the public and private sectors. The US federal government, which just released a new national cyber strategy in early March, has been increasingly sounding the alarm on the ramifications of poor cyber resilience since the Biden Administration’s Executive Order in May 2021. Global spending on best-of-breed security solutions and AI-enabled machine learning tools reached record highs in 2022. And even amidst the socioeconomic headwinds of our current market conditions, Gartner still forecasts that security and risk management investments are slated to grow by 11% through the end of 2023 -- equating to more than $183.3 billion.

Yet adversarial threat actors continue to seemingly bypass stringent security implementations with ease. The paradoxical discrepancy is largely rooted in misalignment between common security controls and the evolving cyber threat landscape. With the societal adoption of remote and hybrid work environments following COVID-19, organizations have integrated the use of cloud technologies, services, and third-party applications into functional operations at a rapid scale.

This new way of working expanded the attack surface exponentially, giving adversaries a wider range of external vulnerabilities to target via social engineering campaigns and malware-based attacks. From the emergence of new business collaboration channels like Slack and Microsoft Teams to the meteoric rise of remote IoT devices, an organization’s digital footprint is more exploitable than ever.

Compounding the issue is that many companies have invested in security stacks originally designed to defend complex on-premises environments, not the unstructured data assets of their cloud-based business ecosystems. Given the heightened sophistication and funding of modern cybercrime, organizations must operate under the assumption that their network will be breached -- meaning it’s not a matter of if, but when.

To align with these changing dynamics, it’s critical to shift away from the legacy perimeter-based controls of the past in favor of a more agile zero-trust architecture (ZTA) that restricts adversaries from causing irremediable damage after that inevitable breach occurs.

The Building Blocks of ZTA

When approaching the integrated adoption of a successful ZTA model, it’s first important to remember that the inherent concept of zero trust extends beyond any single element or control. It is rather a prescribed way of operating that weaves security into every layer of the enterprise and guides efficient mitigation in the wake of compromise. Removing implicit trust and, in turn, the access to specific privileges that was granted on the basis of that trust reduces the ability of a compromised account to wreak havoc within the organization’s digital ecosystem. Consider it defense in depth.

Achieving a true zero-trust environment is not a light-switch scenario by any means. ZTA requires a complete architectural overhaul comprising calculated planning, integration, access/operations management, and verification mechanisms. It certainly cannot be accomplished with an eye for old practices.

The foundational components of ZTA include identifying/inventorying enterprise assets, determining access policies, establishing where those policies should be enforced, and then controlling how they are maintained. That said, ZTA adoption can only begin with end-to-end visibility into an organization’s existing digital infrastructure to identify which assets are of highest value to adversaries. The more attractive the asset, the tighter the access policies that should be in place.

For a healthcare system, an example of a high-value asset could be sensitive patient medical records containing personally identifiable information. For a financial institution, it could be data logs detailing the third-party vendor transactions and bank account numbers of a large enterprise. For governmental agencies, it could be confidential intelligence related to matters of public safety. It all depends on the conditions that are unique to the organization’s security environment, but regardless of size or sector, organizations have a responsibility to defend their assets from being leveraged for malicious intent.

Securing the Hybrid Attack Surface

Many enterprises that transitioned from on-premises to hybrid work environments still rely on virtual private networks (VPNs) that grant remote users shared access to a myriad of endpoints and applications. But if a ransomware actor were to steal the right account with the right permissions through an email-borne phishing scheme, that VPN would essentially be rendered useless. After bypassing the narrow perimeter protections, there’s nothing stopping them from utilizing the compromised account to encrypt and exfiltrate sensitive data for extortion.

But if that same enterprise had a ZTA model layered within their security environment, access determinations would instead be defined at a centralized policy decision point (PDP) and scaled to the individual user on the principle of least privilege. This time, after the ransomware actor gained access to stolen credentials, a policy enforcement point (PEP) system continuously monitoring the account’s activity would already be positioned to identify suspicious behaviors and subsequently terminate the session in real time -- thus mitigating the breach’s impact. The policies maintained by the PDP/PEP determine per session which assets each user should and should not access based on certain key criteria.

In conclusion, it’s clear that adversaries have found far too much success attacking today’s modern enterprises. Even though we continue to see organizational growth and infrastructure implementations followed by new security tooling and security controls, threat actors continue to find vulnerabilities to capitalize on. These matters are further complicated when we consider the implications of the past 24 to 36 months from a computing and enterprise architecture perspective.

With ZTA adoption, however, all hope is not lost. Organizations with a vast array of resources, systems, applications, and data on a global scale need a security model that can grow at the rate the organization wants to move -- not a rate that hinders growth or creates gaps for adversaries to exploit.
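To make the PDP/PEP mechanism described above concrete, here is an added example written for this page (not code from the author, SANS, or any product): a constructed policy table, a policy decision point that evaluates every request per session on role, device posture, and accumulated risk, and an enforcement point that keeps scoring the session as it observes behavior and terminates it once the risk exceeds the asset's threshold. The asset names, roles, thresholds, and the "bulk record access" risk signal are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Tuple

# Constructed policy table: per asset, the roles permitted, whether a managed
# device is required, and the maximum session risk score tolerated.
POLICY = {
    "patient-records": {"roles": {"clinician"}, "managed_device": True, "max_risk": 30},
    "shared-calendar": {"roles": {"clinician", "staff"}, "managed_device": False, "max_risk": 70},
}

@dataclass
class Session:
    user: str
    role: str
    managed_device: bool
    risk: int = 0                      # raised by the PEP as behavior is observed
    active: bool = True
    accessed: list = field(default_factory=list)

def pdp_decide(session: Session, asset: str) -> Tuple[bool, str]:
    """Policy decision point: evaluate a single request against POLICY.
    Nothing is implicitly trusted; every check is re-run on every request."""
    rule = POLICY.get(asset)
    if rule is None or not session.active:
        return False, "no policy for asset or session terminated"
    if session.role not in rule["roles"]:
        return False, "role not permitted"
    if rule["managed_device"] and not session.managed_device:
        return False, "managed device required"
    if session.risk > rule["max_risk"]:
        return False, "session risk exceeds threshold"
    return True, "allowed"

def pep_request(session: Session, asset: str, bulk_threshold: int = 3) -> str:
    """Policy enforcement point: enforce the PDP decision per request and keep
    scoring the session (continuous evaluation). Repeated pulls of the most
    sensitive asset within one session raise risk; once the PDP refuses on
    risk grounds the session is terminated rather than merely denied."""
    allowed, reason = pdp_decide(session, asset)
    if not allowed:
        if reason.startswith("session risk"):
            session.active = False
            return f"denied; session terminated ({reason})"
        return f"denied ({reason})"
    session.accessed.append(asset)
    if session.accessed.count("patient-records") >= bulk_threshold:
        session.risk += 40  # constructed signal: bulk record access in one session
    return "allowed"
```

Running a clinician session through four consecutive record requests shows the third request lifting the risk score and the fourth being refused with the session torn down, while a staff account on an unmanaged device never reaches the records at all.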

About the Author(s)

Matt Bromiley

SANS Certified Instructor

Matt Bromiley is a SANS certified instructor and principal incident response consultant at a top digital forensics and incident response (DFIR) firm. On June 9, he will be leading a free Zero Trust Webcast during the SANS Cyber Solutions Fest 2023.
