Thanks, NSA!

Ransomware gangs saw a record year last year, extorting a mind-numbing $1.1 billion in payments from victims, according to findings from Chainalysis. As concerning as it is, the success of today’s ransomware attackers is no surprise. The attack surface continues to expand and widen at an alarming rate, fueled by hyperconnectivity and IT complexity, and organizations across industries – but especially those in critical sectors like healthcare – regularly find themselves caught flat-footed when ransomware attacks do occur.

Visibility, containment and operational consistency are a few of the core tenets I’ve long believed are necessary for achieving a robust and lasting Zero Trust architecture.

To that end, I’m incredibly excited that the National Security Agency has released a new Cybersecurity Information Sheet, “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar,” which highlights and reaffirms an important but often overlooked component of Zero Trust: segmentation.

The NSA is setting a new Zero Trust benchmark for the industry

As the original creator of Zero Trust and the Chief Evangelist at Illumio, a company specializing in containment and the prevention of lateral movement across networks and hybrid IT environments via Zero Trust Segmentation, I find this document particularly exciting for several reasons.

First, this document reaffirms the value of network security technologies in establishing any Zero Trust environment. Over the past few years, there has been a pronounced emphasis on the Identity Pillar of Zero Trust. Although identity is an integral pillar, the focus on it has left very few organizations understanding the importance of network security controls in building Zero Trust environments, both on-premises and in various clouds.

In fact, in the second Zero Trust report ever written, “Build Security into your Network’s DNA” back in November of 2010, I wrote this: “…new ways of segmenting networks must be created because all future networks need to be segmented by default.”

That said, I've long believed that segmentation is how we create Protect Surfaces – the fundamental concept of Zero Trust. Identity is telemetry we consume in creating access policy for the Protect Surface. It's gratifying to see segmentation finally getting the attention it deserves. In fact, Gartner estimates that less than 5% of enterprises have segmentation today, and predicts that figure will rise to as much as 60% in the next 3 years.

As the attack surface widens and expands, and the digital landscape becomes increasingly interconnected, the segmentation of the network and hybrid environments becomes paramount for organizations to build resilience and establish a true and lasting Zero Trust architecture.

The power of data-flow mapping

One of the other things I'd like to give kudos to the NSA for is its call-out of “Data Flow Mapping” in this Information Sheet. I’ve been advocating for flow mapping since the early days of Zero Trust, when I learned that we must first understand how the parts of a system work together before we can successfully architect and build out Zero Trust environments.

Back in 2022, I was honored to be appointed to serve on President Biden’s National Security Telecommunications Advisory Committee subcommittee, where I was a part of authoring and delivering a report on Zero Trust to the President. This report documents the 5-Step Model I have been promoting for several years, with Step 2 focused entirely on Transaction Flow Mapping.

When you understand how flows work, you can build a Zero Trust environment more easily.
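The flow-mapping step described above (Step 2 of the 5-Step Model), as an added example that is not part of the original article or of any Illumio product: a small Python script that parses constructed flow records, builds a flow map keyed by workload label, and derives a default-deny allow-list for one Protect Surface (here, a database tier). Every address, label, port and log line below is a constructed assumption; the point is that once the observed flows into the Protect Surface are known, every other path to it, including an unexpected connection from a workstation, can be denied.

```python
"""Added example (not from the article or from Illumio): derive a
default-deny segmentation policy for one Protect Surface from observed
transaction flows. All hosts, labels and flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: IP address -> workload label (assumed to exist).
LABELS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",        # the Protect Surface: the records database
    "10.0.9.99": "user-pc",   # a workstation, not part of any application tier
}

# Constructed flow log, one record per line: "src dst proto dport bytes".
FLOW_LOG = """\
10.0.1.10 10.0.2.20 tcp 8443 5120
10.0.1.11 10.0.2.20 tcp 8443 4096
10.0.2.20 10.0.3.30 tcp 5432 20480
10.0.2.20 10.0.3.30 tcp 5432 18000
10.0.9.99 10.0.1.10 tcp 443 900
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Parse the constructed log format into Flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, _bytes = parts
        flows.append(Flow(src, dst, proto, int(dport)))
    return flows


def label_of(addr):
    return LABELS.get(addr, "unknown")


def build_flow_map(flows):
    """Flow map: (src label, dst label, proto, dport) -> number of observed flows."""
    counts = defaultdict(int)
    for f in flows:
        counts[(label_of(f.src), label_of(f.dst), f.proto, f.dport)] += 1
    return dict(counts)


def derive_policy(flow_map, protect_surface):
    """Allow-list for the Protect Surface: only flows that were actually observed
    into it. Anything not in this set is denied by default."""
    return {key for key in flow_map if key[1] == protect_surface}


def is_allowed(policy, flow):
    """Evaluate one flow against the allow-list (default deny)."""
    key = (label_of(flow.src), label_of(flow.dst), flow.proto, flow.dport)
    return key in policy


def render_rules(policy, protect_surface):
    """Human-readable rule set: explicit allows, then the catch-all deny."""
    rules = [f"ALLOW {src} -> {dst} {proto}/{port}"
             for (src, dst, proto, port) in sorted(policy)]
    rules.append(f"DENY any -> {protect_surface}")
    return rules


if __name__ == "__main__":
    flow_map = build_flow_map(parse_flows(FLOW_LOG))
    db_policy = derive_policy(flow_map, "db")
    for rule in render_rules(db_policy, "db"):
        print(rule)
    # A workstation reaching for the database over SMB was never observed and is denied.
    print(is_allowed(db_policy, Flow("10.0.9.99", "10.0.3.30", "tcp", 445)))
```

In practice the flow map would come from a network or host telemetry source rather than a string, and a real policy would be reviewed by the application owners before enforcement; the structure is the same: observe, map, allow only what the Protect Surface needs, deny the rest.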

Segmentation is needed now more than ever

In short, I’m a firm believer that this NSA guidance will greatly help various organizations worldwide more easily understand the value of the network pillar of Zero Trust.

Practitioners usually start with the identity pillar of Zero Trust and they never make it to the Network Pillar. But it’s an integral part of Zero Trust! Securing the network is Zero Trust!

For organizations grappling with ransomware, Zero Trust Segmentation is a powerful tool for stopping ransomware attacks from succeeding and bringing essential services to a halt. As this latest attack causing widespread outages in healthcare shows, today’s reality is that ransomware has the potential to uproot our everyday lives.

As more of the world gets connected and the attack surface expands, it becomes even more essential for organizations to define, map and secure the most important Protect Surfaces in their Zero Trust environments accordingly.

Again, kudos to the NSA. This document is an important industry validator of the power and purpose of segmentation, and a highly visible North Star as more organizations look to shore up their cyber resilience in the face of rising attacks.

Paul Walsh

Founder @ MetaCert | Building the first major upgrade to internet security in 20 years | First impersonated at AOL, 1996 | SMS Security Expert. Patents licensed by most leading tech companies for mobile app security.

11mo

I look forward to the day when security companies shift from the flawed threat model for anti-phishing to a Zero Trust approach for URIs and web requests. Until we adopt Zero Trust URL authentication, all other Zero Trust strategies are rendered less effective (I’m being kind with my words). This is why most attacks involve phishing, most phishing involves URIs, and most URIs contain random characters. There’s no way for a human or AI to know if a given URI is safe or dangerous. With the ongoing surge of phishing-led attacks since 1996, we also ensure that authorized users are not tricked into authorizing themselves on fake websites. We need to ensure they only access authorized web resources. FIDO is excellent but not scalable in the near future and is designed only for login pages—not for other web resources like malicious downloads. I believe this is a single chokepoint for a massive percentage of all attacks. SMS is trending towards the number 1 spot for threat vectors. Yet, not a single security company in the world is offering any kind of solution for telecom carriers. Why could that be? I believe it’s because the efficacy of any SMS security can be tested with a single message, using a regular SIM.

Mudit Agarwal

Head of Business Technology & Automation Engineering at BILL

12mo

John, Incredible! 👍

Chris Heath

Zero Trust Adviser | CISSP, CCSP, CSSLP, ITIL, PMP, ZTX-S, CCZT

1y

Very good work

Just curious and playing devil's advocate. What would your response be to a company that says evaluating physical security measures, installing more properly configured Palo Alto firewalls, DMZ zones, and doing network segmentation through subnetting while developing and enforcing a new group policy is too expensive? Are there government subsidies for small businesses that are able to meet these requirements? By the way, thanks for sharing, great article.
