Keep Devices and Applications from Talking When Unnecessary
The third pillar of zero-trust architecture is segmentation, McCarthy says.
“If Server A has no need to ever cross a network and connect to Server B, don’t let it. Don’t give it a reason,” McCarthy says. “What if that server had ransomware on it and was trying to expose the rest of your network to it? If Server A doesn’t need to talk to B, then don’t ever let it talk to B. Create that little bubble around it, and let it know only about itself and what its job is. It’s a lot of work to set up your network that way. But once you get it there, it lets you sleep a lot better at night because you assume that everything will be a little bit more protected.”
The fourth and final pillar of a zero-trust architecture is the principle of least privilege, McCarthy says.
“Implement least privilege across your network. It’s really explicit trust. Create explicit trust everywhere, remove implicit trust. If an application doesn’t need to talk to another application, if a server doesn’t need to talk to an application, don’t let it,” he says. “Build your network on the idea that nothing is trusted, and then slowly add in what’s going on. That helps you a lot if you get hit by something, because then you’ll be able to see more quickly what the pieces are that are talking to each other. You don’t have to have everybody pointing fingers at each other. So, in general, Zscaler is doing those things across much of their platform for us.”
Augment Traditional Security Measures to Achieve Zero Trust
CDW Field CISO John Candillo endorses a zero-trust approach to cybersecurity for state government agencies. He says traditional security measures such as a username and password should no longer be considered adequate for government security.
“From a government agency perspective, the reason the government is pushing a zero-trust architecture is to move away from the legacy ideas that you can build a perimeter defense mechanism and trust what access people have if they’re inside that perimeter,” Candillo says.
“For a long time, we’ve made assumptions that are prone to error and get us into trouble,” he adds. “We assume that if you have the username and password, you are who you say you are, and you should have access. That’s a problematic assumption.”
Agencies should not rely on usernames and passwords, nor should they implicitly trust known networks or grant access to familiar managed endpoint devices without authentication, Candillo says.
“Such assumptions have gotten us into trouble when those trusts are broken,” he says.