The Cyber Ecosystem

The world of enterprise cybersecurity is racing toward zero, and the reasons are almost too numerous to count, but we need to make sure this migration doesn’t get bogged down in ecosystem challenges.

“Zero” in this case refers to Zero Trust security architectures built for an era in which everyone is using all kinds of devices from everywhere to access all kinds of applications, but also in which it is difficult to prove anyone is who they say they are. The answer, many believe, is to adopt cybersecurity practices that lead with the fundamental notion of not trusting anyone or anything.

This drastically simplifies security by treating all users, all devices, networks, applications and locations with the same essential sense of caution. Yet, Zero Trust makes the whole business of accessing enterprise resources and managing that access much more complicated.

An Insecure World
The movement toward Zero Trust is the result of several factors, some of which have been apparent for many years. The need for greater cybersecurity protection is inextricably linked to the nature of the evolving and increasing number of threats enterprises face. These threats aren’t just from malicious individuals or groups anymore, but also from state-sponsored attacks aimed at crippling entire industries or governments.

These threats on their own could be enough reason to embrace a new cybersecurity philosophy, but other trends are piling up to force the issue. The ongoing transition to cloud networking and the transformation of software into services are putting the old notion of private networks to rest, as resources, data, and applications live outside the physical walls of the corporate office.

Meanwhile, the number and variety of devices—not only PCs, phones, and tablets, but also the Internet of Things, including automated machines and AI-enabled systems—that need to be connected to enterprise networks and systems continue to expand. In this age, a “user” isn’t always human, but it can be hard to tell the difference.

At the same time, wireless devices with increasingly powerful compute and memory capabilities, along with higher-speed wireless networks, have made it easier for people to connect from almost anywhere and fully access all applications at a high level of quality, collaborating and sharing files with colleagues who also could be working from anywhere.

It all adds up to a world in which traditional network and security boundaries no longer apply. The network edge is vanishing. Usage is no longer centralized in a single-location or corporate LAN where it can be assumed users are already authorized to be there, can be trusted. The threats, attack vectors, and combinations of user and device variables continue to broaden, creating a historically difficult challenge for CISOs.

Zero Trust, Much Complexity
As those factors are spreading beyond the cybersecurity ecosystem’s ability to contain them, new thinking is taking root: Trust no one and treat all users and usage scenarios as potential threats.

That’s what Zero Trust does. For example, a service using Zero Trust employs policies for both “Subject Actors” and “Target Actors” to determine if the Subject Actor is permitted to access the Target Actor and if the latter is willing to accept access from the former. It is important to remember that in a Zero Trust scenario, all interactions are assumed to be malicious, and therefore are locked unless authorized by a policy. If no policy exists for a Subject Actor, that user, application and/or device will be blocked.

A service enforces Zero Trust policies at Policy End Points, which are placed by the service provider where appropriate for a given service, such as within the Subject Actor’s device; the Target Actor, when under control of the service subscriber; or on another networking device such as an SD-WAN Edge Ethernet switch or Wi-Fi access point.

Service subscribers define Access Control Policies that allow Subject Actors to perform operations on a set of Target Actors. An Access Control Policy encompasses both human-readable and machine-readable policy assertions. Identity Management (IdM) systems provided by the Subscriber or a third-party Identity Provider (IdP) may manage the Actor’s identity and those of its delegates. Different Access Control (AC) mechanisms may be used while performing authentication, authorization, accounting and auditing (AAAA) of the Actor and its delegates.

Once authenticated, the service continuously monitors authenticated Subject Actors for policy compliance. When found to be non-compliant, the service reevaluates policies for Actors that may result in a different policy action, such as the Subject Actor being blocked. The service also could reevaluate a policy based on different types of triggers, including context-based, such as blocking a Subject Actor after 30 minutes; event-based, as in the case of blocking a Subject Actor if the Target Actor is found to have been compromised by malware; or data-driven, e.g., a Subject Actor is blocked because machine learning has picked up an anomalous pattern of behavior.

That whole process makes managing Zero Trust a constant challenge. The price of better protection is greater complexity, and other ecosystem challenges add to that complexity.

The Zero Trust concept is decades old, but enterprises have begun to embrace it only recently, finally recognizing that security should be a top priority, and increasing their security spending. Research firm Gartner expected that more than $150 billion would be spent last year on information security and risk management technology.

Technology vendors and service providers are doing the same, investing in new products to support Zero Trust and Secure Access Service Edge (SASE) architectures, which incorporate Zero Trust policies and functions.

However, the fragmented vendor ecosystem is adding even more complexity to the extant challenges of deploying Zero Trust. Many vendors talk past one another, generating market confusion about SASE and Zero Trust definitions and capabilities. Enterprise buyers are forced to compare apples to oranges, often ending up with an accumulation of multiple overlapping products that are complex to integrate and manage. This lack of common language and APIs between systems is one of the biggest pain points for enterprise CISOs.

Zeroing In on Answers
MEF is creating SASE (MEF W117) and Zero Trust (MEF W118) service standards to provide the industry with common language and definitions, which will allow CISOs to compare “apples to apples” when choosing and implementing Zero Trust solutions. Removing some of the complexity allows CISOs to secure digital services regardless of where and how network resources are accessed. These standards ultimately helps the industry achieve interoperability while still allowing competitive differentiation.

In much the same way that enterprise network usage conditions and practices have forever changed, enterprise security is changing too. Zero Trust is helping to create a new mode of thinking around security architecture and defensive measures defined around user identity and context.

Getting this evolution right is important because it brings us that much closer to a future in which identity—like networks, data, and applications before it—will become more decentralized. Web 3.0 promises the benefits of blockchain technology for uses like Decentralized IDs (DIDs), giving greater control to users to establish the details of their identities and define the rules for how their private data can be shared, and which companies and applications can subscribe to engage with them.

Authentication and authorization through Zero Trust is the key to unlocking contextual enterprise access in a world where the old boundaries are quickly disappearing. As it turns out, trusting no one is the best way to help everyone, and MEF’s work will help simplify and reduce the complexity of deploying and managing Zero Trust.

Featured

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • The Progress of Biometrics

  • Next-Gen AI for Smart Cities

    The future of smart city technology is not being shaped in Silicon Valley — it is taking root in Dubuque, Iowa. With a population of about 60,000, this mid-sized city has become a live testbed for AI-driven traffic management thanks to a unique public-private collaboration led by Milestone Systems. Project Hafnia demonstrates how cities can transform urban mobility and safety through Responsible Technology—without costly infrastructure overhauls. Read Now

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.