The Cyber Ecosystem

The world of enterprise cybersecurity is racing toward zero, and the reasons are almost too numerous to count, but we need to make sure this migration doesn’t get bogged down in ecosystem challenges.

“Zero” in this case refers to Zero Trust security architectures built for an era in which everyone is using all kinds of devices from everywhere to access all kinds of applications, but also in which it is difficult to prove anyone is who they say they are. The answer, many believe, is to adopt cybersecurity practices that lead with the fundamental notion of not trusting anyone or anything.

This drastically simplifies security by treating all users, all devices, networks, applications and locations with the same essential sense of caution. Yet, Zero Trust makes the whole business of accessing enterprise resources and managing that access much more complicated.

An Insecure World
The movement toward Zero Trust is the result of several factors, some of which have been apparent for many years. The need for greater cybersecurity protection is inextricably linked to the nature of the evolving and increasing number of threats enterprises face. These threats aren’t just from malicious individuals or groups anymore, but also from state-sponsored attacks aimed at crippling entire industries or governments.

These threats on their own could be enough reason to embrace a new cybersecurity philosophy, but other trends are piling up to force the issue. The ongoing transition to cloud networking and the transformation of software into services are putting the old notion of private networks to rest, as resources, data, and applications live outside the physical walls of the corporate office.

Meanwhile, the number and variety of devices—not only PCs, phones, and tablets, but also the Internet of Things, including automated machines and AI-enabled systems—that need to be connected to enterprise networks and systems continue to expand. In this age, a “user” isn’t always human, but it can be hard to tell the difference.

At the same time, wireless devices with increasingly powerful compute and memory capabilities, along with higher-speed wireless networks, have made it easier for people to connect from almost anywhere and fully access all applications at a high level of quality, collaborating and sharing files with colleagues who also could be working from anywhere.

It all adds up to a world in which traditional network and security boundaries no longer apply. The network edge is vanishing. Usage is no longer centralized in a single-location or corporate LAN where it can be assumed users are already authorized to be there, can be trusted. The threats, attack vectors, and combinations of user and device variables continue to broaden, creating a historically difficult challenge for CISOs.

Zero Trust, Much Complexity
As those factors are spreading beyond the cybersecurity ecosystem’s ability to contain them, new thinking is taking root: Trust no one and treat all users and usage scenarios as potential threats.

That’s what Zero Trust does. For example, a service using Zero Trust employs policies for both “Subject Actors” and “Target Actors” to determine if the Subject Actor is permitted to access the Target Actor and if the latter is willing to accept access from the former. It is important to remember that in a Zero Trust scenario, all interactions are assumed to be malicious, and therefore are locked unless authorized by a policy. If no policy exists for a Subject Actor, that user, application and/or device will be blocked.

A service enforces Zero Trust policies at Policy End Points, which are placed by the service provider where appropriate for a given service, such as within the Subject Actor’s device; the Target Actor, when under control of the service subscriber; or on another networking device such as an SD-WAN Edge Ethernet switch or Wi-Fi access point.

Service subscribers define Access Control Policies that allow Subject Actors to perform operations on a set of Target Actors. An Access Control Policy encompasses both human-readable and machine-readable policy assertions. Identity Management (IdM) systems provided by the Subscriber or a third-party Identity Provider (IdP) may manage the Actor’s identity and those of its delegates. Different Access Control (AC) mechanisms may be used while performing authentication, authorization, accounting and auditing (AAAA) of the Actor and its delegates.

Once authenticated, the service continuously monitors authenticated Subject Actors for policy compliance. When found to be non-compliant, the service reevaluates policies for Actors that may result in a different policy action, such as the Subject Actor being blocked. The service also could reevaluate a policy based on different types of triggers, including context-based, such as blocking a Subject Actor after 30 minutes; event-based, as in the case of blocking a Subject Actor if the Target Actor is found to have been compromised by malware; or data-driven, e.g., a Subject Actor is blocked because machine learning has picked up an anomalous pattern of behavior.

That whole process makes managing Zero Trust a constant challenge. The price of better protection is greater complexity, and other ecosystem challenges add to that complexity.

The Zero Trust concept is decades old, but enterprises have begun to embrace it only recently, finally recognizing that security should be a top priority, and increasing their security spending. Research firm Gartner expected that more than $150 billion would be spent last year on information security and risk management technology.

Technology vendors and service providers are doing the same, investing in new products to support Zero Trust and Secure Access Service Edge (SASE) architectures, which incorporate Zero Trust policies and functions.

However, the fragmented vendor ecosystem is adding even more complexity to the extant challenges of deploying Zero Trust. Many vendors talk past one another, generating market confusion about SASE and Zero Trust definitions and capabilities. Enterprise buyers are forced to compare apples to oranges, often ending up with an accumulation of multiple overlapping products that are complex to integrate and manage. This lack of common language and APIs between systems is one of the biggest pain points for enterprise CISOs.

Zeroing In on Answers
MEF is creating SASE (MEF W117) and Zero Trust (MEF W118) service standards to provide the industry with common language and definitions, which will allow CISOs to compare “apples to apples” when choosing and implementing Zero Trust solutions. Removing some of the complexity allows CISOs to secure digital services regardless of where and how network resources are accessed. These standards ultimately helps the industry achieve interoperability while still allowing competitive differentiation.

In much the same way that enterprise network usage conditions and practices have forever changed, enterprise security is changing too. Zero Trust is helping to create a new mode of thinking around security architecture and defensive measures defined around user identity and context.

Getting this evolution right is important because it brings us that much closer to a future in which identity—like networks, data, and applications before it—will become more decentralized. Web 3.0 promises the benefits of blockchain technology for uses like Decentralized IDs (DIDs), giving greater control to users to establish the details of their identities and define the rules for how their private data can be shared, and which companies and applications can subscribe to engage with them.

Authentication and authorization through Zero Trust is the key to unlocking contextual enterprise access in a world where the old boundaries are quickly disappearing. As it turns out, trusting no one is the best way to help everyone, and MEF’s work will help simplify and reduce the complexity of deploying and managing Zero Trust.

Featured

  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • 91 Percent of Security Leaders Believe AI Set to Outpace Security Teams

    Bugcrowd recently released its “Inside the Mind of a CISO” report, which surveyed hundreds of security leaders around the globe to uncover their perception on AI threats, their top priorities and evolving roles, and common myths directed towards the CISO. Among the findings, 1 in 3 respondents (33%) believed that at least half of companies are willing to sacrifice their customers’ long-term privacy or security to save money. Read Now

  • Milestone Announces Merger With Arcules

    Global video technology company Milestone Systems is pleased to announce that effective July 1, 2024, it will merge with the cloud-based video surveillance solutions provider, Arcules. Read Now

  • Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

    Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams. Read Now

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3