The Cyber Ecosystem

The world of enterprise cybersecurity is racing toward zero, and the reasons are almost too numerous to count, but we need to make sure this migration doesn’t get bogged down in ecosystem challenges.

“Zero” in this case refers to Zero Trust security architectures built for an era in which everyone is using all kinds of devices from everywhere to access all kinds of applications, but also in which it is difficult to prove anyone is who they say they are. The answer, many believe, is to adopt cybersecurity practices that lead with the fundamental notion of not trusting anyone or anything.

This drastically simplifies security by treating all users, all devices, networks, applications and locations with the same essential sense of caution. Yet, Zero Trust makes the whole business of accessing enterprise resources and managing that access much more complicated.

An Insecure World
The movement toward Zero Trust is the result of several factors, some of which have been apparent for many years. The need for greater cybersecurity protection is inextricably linked to the nature of the evolving and increasing number of threats enterprises face. These threats aren’t just from malicious individuals or groups anymore, but also from state-sponsored attacks aimed at crippling entire industries or governments.

These threats on their own could be enough reason to embrace a new cybersecurity philosophy, but other trends are piling up to force the issue. The ongoing transition to cloud networking and the transformation of software into services are putting the old notion of private networks to rest, as resources, data, and applications live outside the physical walls of the corporate office.

Meanwhile, the number and variety of devices—not only PCs, phones, and tablets, but also the Internet of Things, including automated machines and AI-enabled systems—that need to be connected to enterprise networks and systems continue to expand. In this age, a “user” isn’t always human, but it can be hard to tell the difference.

At the same time, wireless devices with increasingly powerful compute and memory capabilities, along with higher-speed wireless networks, have made it easier for people to connect from almost anywhere and fully access all applications at a high level of quality, collaborating and sharing files with colleagues who also could be working from anywhere.

It all adds up to a world in which traditional network and security boundaries no longer apply. The network edge is vanishing. Usage is no longer centralized in a single-location or corporate LAN where it can be assumed users are already authorized to be there, can be trusted. The threats, attack vectors, and combinations of user and device variables continue to broaden, creating a historically difficult challenge for CISOs.

Zero Trust, Much Complexity
As those factors are spreading beyond the cybersecurity ecosystem’s ability to contain them, new thinking is taking root: Trust no one and treat all users and usage scenarios as potential threats.

That’s what Zero Trust does. For example, a service using Zero Trust employs policies for both “Subject Actors” and “Target Actors” to determine if the Subject Actor is permitted to access the Target Actor and if the latter is willing to accept access from the former. It is important to remember that in a Zero Trust scenario, all interactions are assumed to be malicious, and therefore are locked unless authorized by a policy. If no policy exists for a Subject Actor, that user, application and/or device will be blocked.

A service enforces Zero Trust policies at Policy End Points, which are placed by the service provider where appropriate for a given service, such as within the Subject Actor’s device; the Target Actor, when under control of the service subscriber; or on another networking device such as an SD-WAN Edge Ethernet switch or Wi-Fi access point.

Service subscribers define Access Control Policies that allow Subject Actors to perform operations on a set of Target Actors. An Access Control Policy encompasses both human-readable and machine-readable policy assertions. Identity Management (IdM) systems provided by the Subscriber or a third-party Identity Provider (IdP) may manage the Actor’s identity and those of its delegates. Different Access Control (AC) mechanisms may be used while performing authentication, authorization, accounting and auditing (AAAA) of the Actor and its delegates.

Once authenticated, the service continuously monitors authenticated Subject Actors for policy compliance. When found to be non-compliant, the service reevaluates policies for Actors that may result in a different policy action, such as the Subject Actor being blocked. The service also could reevaluate a policy based on different types of triggers, including context-based, such as blocking a Subject Actor after 30 minutes; event-based, as in the case of blocking a Subject Actor if the Target Actor is found to have been compromised by malware; or data-driven, e.g., a Subject Actor is blocked because machine learning has picked up an anomalous pattern of behavior.

That whole process makes managing Zero Trust a constant challenge. The price of better protection is greater complexity, and other ecosystem challenges add to that complexity.

The Zero Trust concept is decades old, but enterprises have begun to embrace it only recently, finally recognizing that security should be a top priority, and increasing their security spending. Research firm Gartner expected that more than $150 billion would be spent last year on information security and risk management technology.

Technology vendors and service providers are doing the same, investing in new products to support Zero Trust and Secure Access Service Edge (SASE) architectures, which incorporate Zero Trust policies and functions.

However, the fragmented vendor ecosystem is adding even more complexity to the extant challenges of deploying Zero Trust. Many vendors talk past one another, generating market confusion about SASE and Zero Trust definitions and capabilities. Enterprise buyers are forced to compare apples to oranges, often ending up with an accumulation of multiple overlapping products that are complex to integrate and manage. This lack of common language and APIs between systems is one of the biggest pain points for enterprise CISOs.

Zeroing In on Answers
MEF is creating SASE (MEF W117) and Zero Trust (MEF W118) service standards to provide the industry with common language and definitions, which will allow CISOs to compare “apples to apples” when choosing and implementing Zero Trust solutions. Removing some of the complexity allows CISOs to secure digital services regardless of where and how network resources are accessed. These standards ultimately helps the industry achieve interoperability while still allowing competitive differentiation.

In much the same way that enterprise network usage conditions and practices have forever changed, enterprise security is changing too. Zero Trust is helping to create a new mode of thinking around security architecture and defensive measures defined around user identity and context.

Getting this evolution right is important because it brings us that much closer to a future in which identity—like networks, data, and applications before it—will become more decentralized. Web 3.0 promises the benefits of blockchain technology for uses like Decentralized IDs (DIDs), giving greater control to users to establish the details of their identities and define the rules for how their private data can be shared, and which companies and applications can subscribe to engage with them.

Authentication and authorization through Zero Trust is the key to unlocking contextual enterprise access in a world where the old boundaries are quickly disappearing. As it turns out, trusting no one is the best way to help everyone, and MEF’s work will help simplify and reduce the complexity of deploying and managing Zero Trust.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3