Zeroing in on the zero-trust journey

This article is sponsored by Cloudflare.

The rapid evolution of digital technology has allowed enterprises to do business faster, easier, and with more agility. However, this comes at a price as cyberthreats have also levelled up, leveraging whatever the latest technology has to offer.

As such, concepts like “trust” and “security” are constantly being redefined. What worked in pre-pandemic times does not necessarily apply today, when almost every company has accelerated its digital transformation to meet growing business demands.

During a Cloudflare-sponsored keynote entitled “The Zero Trust Journey: Where Do We Start?,” organised by Jicara Media as part of the recent IT Security Frontiers 2022 online conference, Antonio Rancan, Solutions Architect, Zero Trust and SASE, APJC at Cloudflare, broke down the nuts and bolts of the zero-trust security concept, which he believed would be the policy of business organisations going forward.

“As we can see, a lot of infrastructure applications and data start to move outside of the data centre and move into the cloud. And this is either through cloud via hyperscale providers, or cloud by SaaS applications. To be able to offer similar sorts of security services around the perimeter, you now start to have to implement security software at each of these places, as well, which starts to increase complexity,” he said.

Migration challenges

Traditionally, businesses have practised what Rancan referred to as the “castle-and-moat model” of IT infrastructure, which today poses a lot of security risks.

“Essentially, you have built data centres where you rent space inside a data centre that’s physically located in the same city as the office. The offices are there and they connect to these data centres via a private network, often MPLS. Inside the data centres, you have your business applications, or ERP systems, or CRMs, email applications — they all sit inside the data centres and they access securely via this private link. Then you also have your public aspects of the corporate network, which is the public network, the general internet — and between those two, you have a stack of security hardware like firewalls to be able to provide that security in between the two. We call this a perimeter-based architecture,” he explained.

“I like to call it the castle and moat, because once inside this castle, there is an inherent risk here that users can move laterally within the network itself. And that presents a challenge,” he added.

To reduce costs and provide agility around the network, businesses are implementing SD-WAN with bolt-on security. Yet the presence of various cloud platforms and architectures brings increased complexity as well, Rancan noted.

“One of the challenges that we have (are) these gaps in terms of visibility. Just because the infrastructure and the applications (are) now fragmented, you need to piece together your information, the logs from many different tools, and bring it all together to a SIEM, which then provides that visibility, but that starts to become complex, and troubleshooting becomes complex as well,” he said.

To remedy this, organisations turn to shadow IT, but that poses even more problems, Rancan pointed out.

“Shadow IT is where services that employees are using are not necessarily being used with the approval, the explicit permission of IT. So it doesn’t have the integration into the corporate security policies or the network traffic flow. That presents a risk at the same time, because applications and infrastructure are everywhere. That leads to poor user experience as well, because of the performance challenges that you have,” he elaborated.

After SD-WAN, businesses usually shift to SASE, according to Rancan.

“The basis of this third generation is that the corporate network will be built on top of the internet. CIOs need a platform that is an integrated service, one that provides security at each of these layers (and) every single location where infrastructure and applications exist, but also returning or restoring the visibility they used to have with the perimeter-based networks,” he said.

The next five years

Looking ahead, Rancan enumerated three factors which will affect businesses’ IT infrastructure in the next five years:

  • Increased regulation
  • Remote-first workforces
  • Distributed workloads

“We’re seeing that there’s expanded regulatory compliance pressures. Where the data flows, and the flow from a network perspective, and the tools that you use to mitigate or to ensure that you’re being compliant may not be addressed in the next few years,” Rancan said.

As to the prevalence of remote-first workforces, he clarified that this trend is already observable today in most enterprises.

“It’s probably not a challenge for the next five years, it’s a challenge for today. We are seeing that the remote workforces are starting to become more and more remote, or at least a hybrid of the two,” he said.

“We are seeing applications move away from the data centre already to the public cloud, or to software as a service. But that potentially may also be another trend, which is applications or workloads moving away from the hyperscale cloud providers, and an increase in the amount of distributed serverless edge computing, or edge applications or architectures as well,” he added.

With all these considerations, CIOs are faced with the dilemma of which area to prioritise, and according to Rancan, it’s not just a matter of migrating from a perimeter security model to a full SASE, zero-trust approach.

“The other question here to ask is, ‘Where are the applications and data? Are they delivered by SaaS? Are they on-prem? Are they in the cloud? Or are they moving to a service architecture?’ The key thing here is when implementing zero trust, you need to have a provider, an architecture that is not just as close to the user as possible, but also as close to your applications as possible. It’s not the same as your data centre, where you’ve got stacks of security appliances, all connected to each other, and they’re only a few metres apart. You will have performance challenges as you’re proxying traffic from one data centre to another, from one cloud provider to another, so performance is a key consideration. You need to be as close to the user, you need to be as close to your data as possible. If those two things aren’t close to each other, you need to be able to have a network that’s able to accelerate and improve performance between those sources and destinations,” he explained.

The zero-trust playbook

As Rancan noted, there are many possible first steps on the road to a zero-trust network; four of them are listed below:

  • Unmanaged users (third-party contractors)
  • Augmentation of existing VPN
  • DNS security
  • Protecting remote workers from internet threats

In the case of unmanaged users, the usual process involves HR onboarding onto the corporate directory, which could result in weeks of lost productivity.

To solve this, Rancan suggested a simpler approach: “The first thing you want to do is implement zero trust, but not have to rely, or not have to need your third-party contractors to be added to your corporate directory. A better approach is to use the directories, (or) identity providers of your third parties themselves. They manage the end-to-end identity process. But you can allow access to the corporate applications and manage the policies as to what someone has access to. Implementing zero trust also means that I have the ability to have lateral movement within a network, and they (third-party contractors) only have access to what they should be authorised to access as well.”
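The approach described above, federating a contractor's identity from their own identity provider and then granting access per application, can be illustrated with a small policy evaluator. The following is an added example written for this article, not Cloudflare's code or a description of its product internals; the identity-provider names, group names, application names and the claim layout are all hypothetical, and it assumes the claims have already been verified upstream (for instance by validating the IdP's signed token).

```python
"""Added example (not Cloudflare's code): a minimal zero-trust access policy
evaluator for users authenticated by an external identity provider.

Hypothetical assumptions: identities arrive as already-verified claims
(issuer, subject, groups) from the partner's own IdP; each application has a
policy listing which (issuer, group) pairs may reach it. Access is decided
per application, so a contractor admitted to one app gets no implicit reach
to the others, which is the "no lateral movement" property the text describes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    issuer: str          # IdP that authenticated the user (the contractor's own IdP)
    subject: str         # user id as asserted by that IdP
    groups: frozenset    # group memberships asserted by that IdP


@dataclass
class AppPolicy:
    name: str
    # (issuer, group) pairs that may open this app; empty means nobody
    allow: frozenset = field(default_factory=frozenset)


def decide(identity, policy):
    """Return (allowed, reason). Default deny; never infer access from other apps."""
    for group in sorted(identity.groups):
        if (identity.issuer, group) in policy.allow:
            return True, f"{identity.subject} via {identity.issuer}/{group} -> {policy.name}"
    return False, f"{identity.subject} via {identity.issuer} denied for {policy.name}"


# Constructed sample policies: corporate staff plus one partner's contractors.
# A group name is only meaningful together with the issuer that asserted it.
POLICIES = {
    "crm": AppPolicy("crm", frozenset({("idp.corp.example", "sales"),
                                       ("idp.partner.example", "crm-contractors")})),
    "erp": AppPolicy("erp", frozenset({("idp.corp.example", "finance")})),
    "wiki": AppPolicy("wiki", frozenset({("idp.corp.example", "staff"),
                                         ("idp.partner.example", "crm-contractors")})),
}


def reachable_apps(identity, policies=POLICIES):
    """Sorted names of the apps this identity may open."""
    return sorted(name for name, p in policies.items() if decide(identity, p)[0])


def main():
    contractor = Identity("idp.partner.example", "alice@partner", frozenset({"crm-contractors"}))
    employee = Identity("idp.corp.example", "bob@corp", frozenset({"staff", "finance"}))
    # A partner-asserted claim to a *corporate* group is not honoured:
    # the group is scoped to the issuer that is trusted to assert it.
    mismatched = Identity("idp.partner.example", "mallory@partner", frozenset({"finance"}))
    for who in (contractor, employee, mismatched):
        print(who.subject, "->", reachable_apps(who))


if __name__ == "__main__":
    main()
```

The point to take from the run is that the contractor is never added to the corporate directory, yet reaches exactly the two applications the policy names; the same group name asserted by a different issuer grants nothing, so a partner IdP cannot mint access to corporate-only applications.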

Meanwhile, VPN concerns cannot be solved with a single big-bang migration, Rancan noted.

“The proposal here or the first step here that you can implement is a phased approach to reduce that reliance on the VPN. If you can start to put your high value applications to zero trust, that is going to reduce the reliance on the VPN immediately, and at the same time, increase the security posture of accessing these applications. When your end users start to use zero trust, they start to like that user experience, and businesses start to have a buy in. Over time, you can start to increase that zero-trust usage, and that then becomes a norm,” he said.

For DNS security, which will also benefit remote workers accessing critical data, Rancan introduced Cloudflare’s DNS filtering solution called Cloudflare Gateway.

“It’s a matter of implementing security policies to block security risks. And then it’s just a matter of updating the upstream DNS. So this reduces the risk of internet threats. It’s very easy to implement and it’s very much ‘set and forget.’ If you want to build on this, you can then start doing filtering for your remote workers, or implement a full proxy secure web gateway, as well,” he said.
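To make the "implement security policies, then point your upstream DNS at the filter" step concrete, the following is an added example, not Cloudflare Gateway's code and not a description of how that product is implemented. It models the policy decision a filtering resolver makes before answering a query: category feeds and the query log are constructed here as inline data (the domains are reserved .test/.example names, not real indicators), and the category names, policy layout and log format are hypothetical.

```python
"""Added example (not Cloudflare Gateway's code): a small DNS-filtering policy
engine of the kind a protective resolver applies before answering a query.

Hypothetical assumptions: category feeds are given as a constructed dict
(real deployments pull them from a threat-intelligence source); rules match
the queried name and every parent domain, so a block on "bad.example" also
covers "cdn.bad.example"; an explicit allow list wins over every block.
"""
from collections import Counter

# Constructed category data on reserved names; not real indicators.
CATEGORIES = {
    "malware-c2.test": "malware",
    "login-update.test": "phishing",
    "fresh-domain.test": "newly-seen",
    "bad.example": "malware",
}

# Policy: categories to block, plus an allow list that overrides any block.
POLICY = {
    "block": {"malware", "phishing"},
    "allow": {"intranet.corp.example"},
}


def parent_domains(name):
    """Yield the name and each parent, e.g. a.b.c -> a.b.c, b.c, c."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname, categories=CATEGORIES, policy=POLICY):
    """Return ('allow' | 'block', reason) for one queried name."""
    for candidate in parent_domains(qname):
        if candidate in policy["allow"]:
            return "allow", f"allow-list:{candidate}"
    for candidate in parent_domains(qname):
        cat = categories.get(candidate)
        if cat in policy["block"]:
            return "block", f"{cat}:{candidate}"
    return "allow", "no-match"


# Constructed query log lines: "<client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
10.0.0.5 www.corp.example A
10.0.0.5 cdn.bad.example A
10.0.0.9 login-update.test A
10.0.0.9 fresh-domain.test AAAA
10.0.0.12 files.intranet.corp.example A
"""


def filter_log(log_text, **kw):
    """Apply decide() to each line; return (decisions, blocked-count per category)."""
    decisions, blocked_by = [], Counter()
    for line in log_text.splitlines():
        client, qname, qtype = line.split()
        verdict, reason = decide(qname, **kw)
        decisions.append((client, qname, verdict, reason))
        if verdict == "block":
            blocked_by[reason.split(":")[0]] += 1
    return decisions, blocked_by


if __name__ == "__main__":
    rows, counts = filter_log(SAMPLE_LOG)
    for row in rows:
        print(*row)
    print("blocked per category:", dict(counts))
```

Two details matter in practice: the "newly-seen" category is left out of the block set, so the example shows a query to such a domain being answered rather than silently dropped (a policy choice, and one worth logging either way), and the per-category counts are the kind of visibility signal Rancan says organisations lose when tooling is fragmented, which is why they are returned rather than just printed.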

“The journey to SASE looks very, very different depending on the organisation. It can start with implementing zero-trust network access, (or) it can be protecting your users as they go to the internet,” Rancan concluded.