Phil Muncaster asks how endpoint security can bolster multi-year zero trust projects
What do Google, Microsoft and the White House have in common? They’re all big fans of zero trust. Despite being over a decade old, the security approach first described by analyst firm Forrester is finally gaining serious momentum thanks to buy-in from some of the tech world’s biggest vendors and a new federal government mandate. As organizations’ attack surfaces expand due to huge COVID-era investments in digital transformation, zero trust is increasingly being embraced as a way to level the playing field with agile, determined adversaries.
A new Forrester report sponsored by HP explains how organizations can begin their zero trust journey by putting endpoint security front-and-center of their plans.
A New Era
As companies adapt to a new era of hybrid working, CISOs are struggling with an explosion of devices that require access to corporate data outside of the traditional perimeter. Attackers have become experts at finding ways into these expansive new computing environments, often using stolen or brute-forced credentials for access and then staying hidden by using legitimate tooling for lateral movement. Home devices used for work represent a particularly acute challenge. The Forrester report finds that less than two-thirds (64%) of organizations secure such devices.
At the same time, threat actors are able to tap a vast cybercrime economy for tooling, stolen credentials and knowledge. The impact of these trends is clear: Forrester claims that over a third (34%) of organizations have experienced a data breach from lateral movement or a home worker’s device. In the US, the volume of publicly recorded breaches soared to record highs in 2021.
Starting at the Endpoint
Zero trust offers a strategy to mitigate cyber-risk in this new post-pandemic era. It’s based on a notion of “never trust, always verify,” which assumes the organization has already been breached and requires the deployment of continuous monitoring, network segmentation and least privilege policies to minimize attack impact. According to the US government, it should be built around five pillars: identity, devices, networks, applications and data. Respondents to the report agree that such an approach could address the spread of ransomware between devices, tackle third-party risks and mitigate lateral movement and ‘island hopping.’
Although all layers are important, securing the endpoint environment is increasingly key to any zero trust strategy, according to SANS Institute senior instructor Ismael Valenzuela.
“As networks become more opaque due to the use of end-to-end encryption, and applications move to the public cloud, endpoint security takes a more central role. It’s often said that in zero trust, identity is the new perimeter. In this model, identity is not only who you are, and what permissions and rights are associated with your role, but also what device you are using, and what’s the context around that device,” he tells Infosecurity.
“Since most users often use multiple devices, much of this context needs to come from multiple protection and detection sensors implemented across these devices, reporting to centralized visibility and analytics platforms. Also, implementing key zero trust strategies, like attack surface reduction, privilege access management and reducing the ability of attackers to maneuver or move laterally in an organization, requires strong endpoint security capabilities.”
It’s good news, therefore, that most (85%) respondents to the Forrester report say that improving endpoint security is a high or critical priority over the coming 12 months.
Building Security by Design
According to Forrester, zero trust can help prevent and detect data breaches, enhance the user experience and build a more solid corporate security culture. In fact, it’s a view echoed in another report from the analyst firm. Senior analyst David Holmes tells Infosecurity that employees are more likely to be engaged if they feel their company is forward-thinking and innovative.
“They’re also more engaged when, in addition to necessary mobile technologies, they have devices and apps that perform well and can easily authenticate to the services they need,” he adds. “Zero trust plays an important role in enabling higher productivity through the elimination of cumbersome passwords, the replacement of VPNs and the consolidation of performance-draining security agents on devices.”
Security teams also benefit by reducing their toil on administrative security tasks and freeing up more time to prevent and detect high-priority intrusions. Two-fifths (40%) of survey respondents also claim zero trust has helped them gain increased stakeholder buy-in, reduce compliance costs and drive enterprise-wide agility.
How to Get There
Yet to get it right, zero trust will require a significant investment of time and resources. Among the biggest internal barriers that respondents highlight are a lack of executive buy-in and simply not knowing where to start.
The first challenge can be mitigated if IT leaders secure a C-level champion for their project, according to Forrester’s Holmes.
“The good news here is that due to the recent US government mandates, many organizations no longer have to make the sale up from the bottom; initiatives are now being driven from the top,” he adds. “That said, IT leaders still need to identify key zero trust players in their organization and align them with the program. Stakeholders’ concerns need to be addressed and zero trust myths busted. They’ll need to ask questions, actively listen without judgment and build consensus on strategy. It isn’t about begging or telling; it’s about politics and influence.”
For SANS Institute’s Valenzuela, organizations must first ask themselves what problem they’re trying to solve, which means conducting threat modeling based around asset discovery, classification, labeling and security assessments.
“Once these assets are found, it’s important to identify how users access them, map data flows and update users and device inventories, so we can start implementing ‘less trust’ strategies in a gradual way. This information is vital to determine risk, communicate value and obtain upper management buy-in for these projects,” he explains.
“Another piece of advice includes avoiding ‘paralysis by analysis.’ Starting with small wins while planning for bigger and more ambitious changes will help to achieve that.”
Some of these quick wins could include deploying multi-factor authentication (MFA), implementing least-privilege on endpoints and rolling out segmentation at a network and identity layer, Valenzuela adds.
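As an added example that is not part of the article, the Forrester report or any HP product, the Python sketch below shows one way a policy decision point could combine the signals Valenzuela describes (who the user is, which device they are using and the context around that device) with the quick wins just listed (MFA, least privilege on endpoints and a deny-by-default stance). The classification tiers, posture thresholds, device records and requests are all constructed for illustration; the field and function names are assumptions, not any vendor's API.

```python
"""Minimal zero trust policy decision point (constructed example).

Every request is evaluated on three things at once: the user's explicitly
granted role (least privilege), whether the session was verified with MFA
("always verify"), and the posture of the device the request comes from.
Any unmet condition denies the request; there is no implicit trust.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Data classifications, least to most sensitive (constructed tiers).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
EDR_STALE = timedelta(hours=24)   # sensor silence beyond this is a red flag
MAX_PATCH_AGE_DAYS = 30           # assumed patch SLA for managed devices


@dataclass
class Device:
    device_id: str
    managed: bool                         # enrolled in corporate device management
    disk_encrypted: bool
    edr_last_checkin: Optional[datetime]  # last heartbeat from the endpoint sensor
    patch_age_days: int                   # days since the OS was last patched


@dataclass
class Request:
    user: str
    roles: FrozenSet[str]      # roles explicitly granted to the user
    mfa_verified: bool         # this session passed multi-factor authentication
    device: Device
    resource: str
    sensitivity: str           # one of the SENSITIVITY keys
    required_role: str         # role the resource owner requires
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def device_posture_issues(d: Device, now: datetime) -> List[str]:
    """Return the posture checks a managed device fails; empty means healthy."""
    issues = []
    if not d.disk_encrypted:
        issues.append(f"{d.device_id}: disk not encrypted")
    if d.edr_last_checkin is None or now - d.edr_last_checkin > EDR_STALE:
        issues.append(f"{d.device_id}: endpoint sensor has not reported in 24h")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        issues.append(f"{d.device_id}: OS patches older than {MAX_PATCH_AGE_DAYS} days")
    return issues


def evaluate(req: Request) -> Decision:
    """Deny by default: collect every unmet condition, allow only if none."""
    reasons: List[str] = []
    level = SENSITIVITY[req.sensitivity]

    # 1. Least privilege: the role must be explicitly granted.
    if req.required_role not in req.roles:
        reasons.append(f"role '{req.required_role}' not granted to {req.user}")

    # 2. Always verify: anything above 'internal' needs an MFA-verified session.
    if level >= SENSITIVITY["confidential"] and not req.mfa_verified:
        reasons.append("MFA required for confidential or restricted resources")

    # 3. The device is part of the identity: each posture tier has a ceiling.
    #    Unmanaged (e.g. home) devices reach only public data; managed devices
    #    that fail posture checks are capped at 'internal'.
    if not req.device.managed:
        if level > SENSITIVITY["public"]:
            reasons.append(f"unmanaged device {req.device.device_id} limited to public resources")
    else:
        issues = device_posture_issues(req.device, req.now)
        if issues and level > SENSITIVITY["internal"]:
            reasons.extend(issues)

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample data: one healthy corporate laptop, one neglected one,
# and an unmanaged home PC used by the same employee.
NOW = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
CORP_LAPTOP = Device("lt-0142", True, True, NOW - timedelta(minutes=5), 7)
STALE_LAPTOP = Device("lt-0311", True, True, NOW - timedelta(days=3), 45)
HOME_PC = Device("home-pc", False, False, None, 90)


def sample_decisions() -> dict:
    base = dict(user="alice", roles=frozenset({"finance"}), required_role="finance", now=NOW)
    return {
        "corp_confidential": evaluate(Request(mfa_verified=True, device=CORP_LAPTOP,
                                              resource="ledger", sensitivity="confidential", **base)),
        "home_confidential": evaluate(Request(mfa_verified=True, device=HOME_PC,
                                              resource="ledger", sensitivity="confidential", **base)),
        "stale_internal": evaluate(Request(mfa_verified=False, device=STALE_LAPTOP,
                                           resource="wiki", sensitivity="internal", **base)),
        "stale_confidential": evaluate(Request(mfa_verified=True, device=STALE_LAPTOP,
                                               resource="ledger", sensitivity="confidential", **base)),
        "corp_no_mfa_restricted": evaluate(Request(mfa_verified=False, device=CORP_LAPTOP,
                                                   resource="payroll", sensitivity="restricted", **base)),
        "wrong_role": evaluate(Request(mfa_verified=True, device=CORP_LAPTOP, resource="hr-db",
                                       sensitivity="internal", **{**base, "required_role": "hr"})),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{name:24s} {verdict}  {'; '.join(decision.reasons)}")
```

The point of the structure is that the decision is never reduced to "is this user authenticated": the same employee with the same MFA-verified session is allowed onto confidential data from a healthy managed laptop, capped at internal data from a laptop whose sensor has gone quiet, and limited to public data from an unmanaged home PC. Recording every failed condition, rather than stopping at the first, gives the SOC the context it needs when reviewing denials.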
Forrester’s report also cites segmentation – of sensitive data and apps across all employee endpoints – alongside taking a “prevention first” approach to reduce security complexity.
HP’s director of technical marketing for security, Jonathan Gohstand, claims the firm’s micro-virtualization technology can be a key enabler here.
“It uses CPU constructs such as VT-x to contain potentially malicious content in a virtual execution space, with a far smaller attack surface than the native Windows operating system. This approach drastically reduces dependency on detection, response and remediation,” he tells Infosecurity.
“Micro-virtualization at the endpoint is zero trust personified: don’t trust any externally sourced content and execute such content in a hardware-enforced isolated workspace.”
Most important is remembering that zero trust is not a one-off tick box initiative. Organizations must be in it for the long haul and build a roadmap looking at least three to five years out. This will require closer collaboration between traditionally siloed IT operations and security teams, says Forrester.
“We see significant potential in better coordination and planning between endpoint/desktop IT and security,” HP’s Gohstand agrees.
“Numerous capabilities available in business-class PCs deliver ‘win-win’ outcomes, particularly with user productivity, operational efficiency and risk management. Cloud-based modern management, data protection and incident and disaster recovery are all much easier to achieve when these two groups collaborate.”
From the maker of the world's most secure PCs and printers, HP Wolf Security is a new breed of endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services is designed to help organizations safeguard PCs, printers and people from circling cyberpredators. HP Wolf Security provides comprehensive endpoint protection and resilience that starts at the hardware level and extends across software and services. For more information, visit www.hp.com/wolf.