Zero Trust in public service? The new security architecture to hinder state actors (Guest blog by HashiCorp)
A decade after the introduction of Cloud First, adoption is accelerating with departments and authorities moving services and infrastructure to the cloud.
At the same time, however, the National Cyber Security Centre recorded a 30% increase in cyber attacks with assaults on infrastructure growing in number and severity.
The shift to cloud has rendered traditional approaches to security – using trusted IP addresses and perimeter firewalls – obsolete.
Zero Trust has emerged as an alternative. Zero Trust transforms the security mindset – viewing every transaction, data packet, and individual as suspicious and potentially hostile. It piqued the interest of CIOs and CSOs and saw the National Cyber Security Centre publish its recommendations on ways to implement Zero Trust.
Companies and cloud providers across the tech sector have claimed to offer a range of Zero Trust products or services, but Zero Trust isn’t an out-of-the-box system. Effective Zero Trust requires a foundation architecture that’s open and interoperable.
Cloud has seen public services running on a complex technology infrastructure – fast-moving environments constructed using containers and virtual machines that are rapidly built up and torn down. They share and re-use IP addresses making it difficult to trust or manage them while the volume of IP-assigned traffic has exploded.
The network perimeter – the other bastion of the traditional security model – has crumbled. Cloud services do not run inside a single secure data centre but across several data centres, likely from more than one provider, which makes them harder to protect. Additionally, employees and citizens with different security clearances and access privileges are connecting remotely through a fleet of devices.
It’s not only exceedingly complex to implement a security system founded on the principle of trusted IP addresses in such a dynamic environment - it demands a skilled IT team with plenty of experience, too. And if a user's credentials are stolen or their device is compromised, the underlying IP address can no longer be trusted, and every reference to it must be removed across the entire ecosystem.
Attackers know this and they have adapted: for example, the Pysa ransomware used against Hackney Council could have been activated using a combination of different techniques – phishing, brute-force attacks or exposed remote desktop protocol (RDP) services. Effective response demands a security system that operates at a fundamental level.
This is vital because the paralysis that resulted from Pysa is exactly the kind of outcome state actors seek: data breaches; website and service attacks that take down public services, telecommunications and supply chains; and the disruption of services and spread of disinformation for financial or political reasons.
Identify and authenticate
The challenge for those in the public sector is that resources and strategic efforts are often dedicated to their organisation’s mission - public service. Technology and security can become subsumed or overlooked, as SimSpace’s Ross Brewer noted when commenting on the recent UK schools’ hack. Security in such settings can be a response to events or to partisan commercial advice - such as investment in two-factor authentication or secure remote access.
As Hackney noted, it had invested “heavily in modern technology and cloud-based services” before the attack and been complacent.
Security means implementing Zero Trust at a strategic level, a huge task that requires the heads of IT and security to collaborate as peers.
Zero Trust works because it lets organisations master infrastructure complexity and a matrix of threats using one approach. That approach is founded on the fundamental unit of identity - of each device and user - which is authenticated and then authorised to determine its access to systems and services.
What does this look like in practice?
First, it means the heads of IT and security work together to identify risks and gaps. A common outcome of this in other sectors has been to round up secrets such as tokens, passwords, certificates and encryption keys scattered across the infrastructure and to secure and manage them centrally. This not only prevents these assets from falling into the hands of hackers but also provides the basis of a system to manage identity-based access and issue assets like cryptographically signed certificates.
Taking operational advantage of this means codifying the authorisation and access policies built around these secrets using open APIs. This is important for two reasons: first, it allows machines and people to discover services and connect securely regardless of individual cloud providers. Second, IT teams can manage the authorisation and access lifecycle: as infrastructure changes with new, modified or retired services, dependencies will change. Code-level policy gives the flexibility to adapt.
Underpinning all of this is automation. Manual processes cannot keep pace with the dynamic nature and complexity of the multi-vendor cloud. CIOs and CSOs must therefore work on rolling out automation so that IT can apply and enforce policies at the scale required. Combined with a catalogue of applications, this lets their IT teams set routing rules for access and authorisation.
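The three steps above (centrally issued identities, access policy held as code, and automated enforcement that ignores IP addresses) can be shown end to end in a small, self-contained model. The following is an added illustration written for this post; it is not code from HashiCorp or any of its products, and the identity names (`svc/payments`, `user/alice`), secret paths, signing key and the `PolicyEngine` class are all constructed for the example.

```python
"""Zero Trust access decisions as code.

Added illustration, not code from the original post or from HashiCorp's
products. It models the steps described above with a toy, in-memory setup:
identities are issued from one central secret (standing in for a certificate
authority), access rules are data that can change as services come and go,
and the decision never consults the caller's IP address.
"""
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed demo signing key. In practice a central secrets manager holds
# this material and issues short-lived, signed certificates instead.
SIGNING_KEY = b"constructed-demo-signing-key"


def issue_credential(identity_name: str) -> str:
    """Return a signed credential binding a name such as 'svc/payments'."""
    tag = hmac.new(SIGNING_KEY, identity_name.encode(), hashlib.sha256).hexdigest()
    return f"{identity_name}.{tag}"


def authenticate(credential: Optional[str]) -> Optional[str]:
    """Verify the credential's signature and return the identity name, or None."""
    if not credential or "." not in credential:
        return None
    name, tag = credential.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, name.encode(), hashlib.sha256).hexdigest()
    return name if hmac.compare_digest(expected, tag) else None


@dataclass(frozen=True)
class Rule:
    identity: str                 # glob over identity names, e.g. "svc/*"
    path: str                     # glob over resource paths, e.g. "secret/db/*"
    capabilities: FrozenSet[str]  # e.g. {"read"} or {"read", "write"}


class PolicyEngine:
    """Evaluates rules held as code; rules can be added or retired at runtime."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def authorise(self, identity: str, path: str, capability: str) -> bool:
        return any(
            fnmatch.fnmatchcase(identity, r.identity)
            and fnmatch.fnmatchcase(path, r.path)
            and capability in r.capabilities
            for r in self.rules
        )

    def retire(self, identity_glob: str) -> None:
        """Drop every rule for a retired service; there are no IP lists to chase."""
        self.rules = [r for r in self.rules if r.identity != identity_glob]


def decide(engine: PolicyEngine, credential: Optional[str], path: str,
           capability: str, source_ip: str) -> str:
    """Allow or deny purely on identity and policy; source_ip is only recorded."""
    identity = authenticate(credential)
    if identity is None:
        return f"deny (unauthenticated, ip={source_ip})"
    if engine.authorise(identity, path, capability):
        return "allow"
    return f"deny (not authorised: {identity} {capability} {path})"


def demo() -> Dict[str, str]:
    """Walk through the scenarios; returns a map of scenario -> decision."""
    engine = PolicyEngine([
        Rule("svc/payments", "secret/db/payments/*", frozenset({"read"})),
        Rule("user/*", "secret/db/*/readonly", frozenset({"read"})),
    ])
    payments = issue_credential("svc/payments")
    alice = issue_credential("user/alice")
    dsn = "secret/db/payments/dsn"
    results = {}
    # 1. A service with a valid identity and a matching rule is allowed.
    results["service_read"] = decide(engine, payments, dsn, "read", "10.0.0.5")
    # 2. Same identity asking to write: denied, least privilege.
    results["service_write"] = decide(engine, payments, dsn, "write", "10.0.0.5")
    # 3. A user identity matched by the wildcard rule on a read-only path.
    results["user_readonly"] = decide(engine, alice, "secret/db/payments/readonly", "read", "203.0.113.9")
    # 4. A caller from a "trusted" internal address but with no credential.
    results["trusted_ip_no_identity"] = decide(engine, None, dsn, "read", "10.0.0.5")
    # 5. A forged credential (wrong tag) is rejected before policy is consulted.
    results["forged"] = decide(engine, "svc/payments.deadbeef", dsn, "read", "10.0.0.5")
    # 6. The service is retired: its rule is removed and its access stops.
    engine.retire("svc/payments")
    results["after_retire"] = decide(engine, payments, dsn, "read", "10.0.0.5")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24} {outcome}")
```

The point of the `source_ip` parameter is that it changes nothing: the internal address in scenario 4 is denied because it carries no identity, while the external address in scenario 3 is allowed because it does. Retiring a service is one edit to the rule set rather than a hunt for every place an address was trusted.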
Vulnerability not guaranteed
Cyber attacks are growing and evolving but vulnerability need not be the default with cloud. Secure operations mean policing access at its most fundamental level - identity. Making that work takes verification and authorisation at scale. Welcome to Zero Trust.