Category Archives: Zero Trust

Back to the future: What the Jericho Forum taught us about modern security

Some of the earliest formal work on what we now call Zero Trust started around in a security consortium known as the Jericho Forum (which later merged into The Open Group Security Forum). This started as a group of like-minded CISOs wrestling with the limitations of the dominant and unquestioned philosophy of securing all resources by putting them on a ‘secure’ network behind a security perimeter.

The Jericho Forum promoted a new concept of security called de-perimeterisation that focused on how to protect enterprise data flowing in and out of your enterprise network boundary instead of striving to convince users and the business to keep it on the corporate network. This shift to “secure assets where they are” proved quite prophetic, especially when you consider that the original iPhone didn’t release until 2007 (which triggered the sea change of user preferences shaping enterprise technology decisions that is now just normal).

One CISO: Our network has become a mini-internet

A lot has changed since the days when we knew exactly what is on our network. A CISO of a multinational organization once remarked that its corporate network has become a miniature internet. With hundreds of thousands of devices connected at all hours including many unmanaged devices, the network has lost its ability to create trust for the devices on it. While network controls still have a place in a security strategy, they are no longer the foundation upon which we can build the assurances we need to protect business assets.

In this blog, we will examine how these concepts (captured succinctly in the Jericho® Forum Commandments) have helped shape what has become Zero Trust today, including Microsoft’s Zero Trust vision and technology.

Accepting de-perimeterisation frees security architects and defenders to re-think their approach to securing data. Securing data where it is (vs. artificially confining it to a network) also naturally more aligned to the business and enables the business to securely operate.

Blocking is a blunt instrument

While security folks love the idea of keeping an organization safe by blocking every risk, the real world needs flexible solutions to gracefully handle the grey areas and nuances.

The classic approach of applying security exclusively at the network level limits what context security sees (e.g. what the user/application trying to do at this moment) and usually limits the response options to only blocking or allowing.

This is comparable to a parent filtering content for their children by blocking specific TV channels or entire sites like YouTube. Just like blocking sites in security, the rough grain blocking causes issues when kids need YouTube to do their online classes or find websites and other TV channels with inappropriate content.

We have found that it’s better to offer users a safe path to be productive rather than just blocking a connection or issuing an “access denied.” Microsoft has invested heavily in zero trust to address both the usability and security needs in this grey area

  • Providing easy ways to prove trustworthiness using multi-factor authentication (MFA) and Passwordless authentication that do not repeatedly prompt for validation if risk has not changed as well as hardware security assurances that silently protect their devices.
  • Enabling users to be productive in the grey areas – Users must be productive for their jobs even if they are working from unmanaged networks or unusual locations. Microsoft allows users to increase their trust with MFA prompts and enables organizations to limit or monitor sessions to mitigate risk without blocking productivity.

While it’s tempting to think “but it’s just safer if we block it entirely”, beware of this dangerous fallacy. Users today control how they work and they will find a way to work in a modern way, even if they must use devices and cloud services completely outside the control of IT and security departments. Additionally, attackers are adept at infiltrating approved communication channels that are supposed to be safe (legitimate websites, DNS (Domain Name Servers) traffic, email, etc.).

The Jericho Forum recognized emerging trends that are now simply part of normal daily life. As we make security investments in the future, we must embrace new ways of working, stop confining assets unnaturally to a network they do not belong on, and secure those assets and users where they are and wherever they go.

Learn more about Why Zero Trust. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Back to the future: What the Jericho Forum taught us about modern security appeared first on Microsoft Security.

ISE 3.0 Makes Its Move on the Cloud to Simplify the Zero-Trust Workplace

In 2020 we all learned that the future can hit us at any time. As businesses adapted to new realities on the backs of natural disasters, global health emergencies, and political uncertainty, the network and the digital transformation of doing business moved from a means of thriving to one of sheer survival.

 

As IT accelerated the digital transformation, we were all thrust across the chasm and up the adoption curve with many future-leaning technologies and ways of doing business. Cloud, mobility, and the need to remotely manage their network infrastructure, including Internet of Things (IoT) devices, moved from the roadmap — something we will look into — to something we have to do.

 

To complicate things, these technologies that enable business resiliency are also increasing the attack surface and pushing the boundaries of IT. Security teams were already overwhelmed with a slew of disconnected vendors and products. This added level of complexity isn’t making it any easier to find the attackers hiding within siloed levels of visibility across the distributed network and taking advantage of rushed IT — who are often sacrificing protection and organizational policy in the name of speed and survival. 

 

Business resiliency and agility are why we put our heads down and went to work to build Cisco Identity Services Engine (ISE) 3.0. ISE 3.0 will enable IT teams and businesses to be agile and adapt to changing global macro conditions and minimize business disruptions.

 

“We have been on a journey with gaining visibility into our network. With ISE 3.0 we really have total visibility. We are seeing things we never knew were there. Combining this with stability and improvements makes 3.0 a great release.”

­– Simon Furber, Network and Infrastructure Security Architect, Brunel University

 

 

 Solving more for customers with 3.0:

 

 • To remain agile and build business resiliency, we need zero trust built into our networks. ISE 3.0 closes the gaps of visibility into endpoints with Cisco AI Endpoint Analytics and segmentation as part of Software-Defined Access (SDA). Customers can now leverage machine learning to automate endpoints’ identification and ensure access based on privilege. Read how Adventist Health identified 70% of all endpoints.

 

 • Customers want fast, lightweight security, so we are releasing agentless posture in 3.0, giving IT the freedom to choose between an agent or agentless approach in ensuring that the endpoint is compliant with organizational policy and accelerating zero trust. 

 

 • Where and how customers consume their security has evolved, and to lead in this transition, we are kicking off our cloud-enabled story with ISE deployable from the cloud (AWS). Not only does this simplify the unification of policy across campus and branch, it also enables IT to apply consistent, intelligent policy decisions to any location, from anywhere, extending the zero-trust workplace. 

 

 • And since everyone wants “easy,” we revamped the UI to unleash guided workflows for advanced use cases. To further simplify the user experience for IT and the flexibility of operations, we enabled rich APIs to help simplify ongoing operations.

 

ISE 3.0 is a fantastic milestone to achieve in 2020 and shows that we can all be resilient, adapt, and overcome within global disruptions. I am proud to be not only a leader, but also a member of this amazing team. This team is why ISE is the market share leader and continues to see tremendous growth, with more than 40,000 customers and counting … not to mention the two industry award just this year alone. The traction we are making in the market is key to our overall SDA strategy and will give customers a solid foundation in extending zero trust into the workplace. So stay tuned. We have more in store for you in 2021 as we look to solve for your secure network access challenges.

 

 

To learn more about ISE 3.0, please read this “What’s New in 3.0” at-a-glance. You can find the full release notes here.

The post ISE 3.0 Makes Its Move on the Cloud to Simplify the Zero-Trust Workplace appeared first on Cisco Blogs.

Cisco’s Duo Security launches Trust Monitor to simplify access monitoring

Duo combines human control with ML-driven automation to help safely enable remote work

A modern, zero-trust security architecture ensures that only authorized users using safe devices gain access to corporate applications. However, establishing trust over time, and consistently and continuously monitoring access granted to users, is a challenge for organizations that have had to quickly evolve their access strategy in light of remote work.

That’s why I’m proud to announce the general availability of Duo Trust Monitor, Duo’s machine learning-driven risk detection, starting Thursday, November 19. The feature will be available in Duo Access and Beyond editions.

Duo Trust Monitor analyzes real-time authentication data to create a baseline of normal user behavior at the point of login. Once Duo Trust Monitor observes these access patterns, it surfaces risky logins to help the security team identify suspicious activity and aid in the investigation of compromised accounts.

While many tools on the market rely on simple or static rules, Duo Trust Monitor looks at access patterns more holistically — taking into account extended access history and context between multiple variables, such as device and location.

The visibility Duo Trust Monitor provides, combined with Duo’s expressive policy engine, lies at the center of Cisco’s zero-trust for the workforce strategy – linking risk detection directly to access control.

Duo Trust Monitor - Visibility & Policies between every application, trusted users and trusted devices

When Duo Trust Monitor highlights anomalous activity, this informs better, more tailored policy. For example, if Duo Trust Monitor identifies a suspicious login from a risky location, a Duo administrator can set a geolocation restriction in response. By improving policy in light of anomalous access, Duo Trust Monitor’s events become stronger in signal and enable IT admins to further narrow suspicious access.

While we’re excited to offer this capability via Duo’s administrative console, we’re also proud to provide an open API to integrate with existing processes and workflows, whether our own SecureX platform, or even custom security operations tooling.

For security to scale, it’s important to achieve a balance between control and automation. Purpose-built user behavior analytics will become more common as a cornerstone of a zero-trust security architecture, vs. the generalized approach of simply correlating security events that inundate teams today.

As the industry continues to apply artificial intelligence and machine learning to security, it’s imperative that we reduce work for teams to do through careful design of analytics and automation. Duo Trust Monitor is designed to empower small teams to have a large impact by focusing on the access risks that are specific to their business and enable work from anywhere.

For more information, check out our documentation or reach out to Duo to learn more.

The post Cisco’s Duo Security launches Trust Monitor to simplify access monitoring appeared first on Cisco Blogs.

Announcing the Zero Trust Deployment Center

Organizations have been digitally transforming at warp speed in response to the way businesses operate and how people work. As a result, digital security teams have been under immense pressure to ensure their environments are resilient and secure. Many have turned to a Zero Trust security model to simplify the security challenges from this transformation and the shift to remote work.

Over the past year, we have been hard at work helping customers navigate these challenges by listening to their difficulties, sharing our own learnings, and building controls, tools, and practices that enable the implementation of Zero Trust. However, one of the things we hear most consistently is the need for additional deployment support.

We are excited to announce the launch of the Zero Trust Deployment Center—a repository of information to improve their Zero Trust readiness as well as specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure. The Zero Trust Deployment Center breaks down deployment guidance into plain-language objectives across each of the technology pillars, providing an actionable list of steps needed to implement Zero Trust principles in your environment.

This repository is the perfect place to start planning and deploying your Zero Trust strategy.

A screenshot of the Zero Trust Deployment Center web page

Figure 1:  Zero Trust Deployment Center web page.

If you are already well underway in your journey, these objectives will provide a great framework to help measure your progress and ensure you are meeting critical milestones. If you’re interested in measuring your Zero Trust maturity, we’ve also created a Zero Trust assessment tool to help measure your current maturity and identify possible next milestones and priorities along with technologies.

Learn more about Zero Trust and Microsoft Security. Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

The post Announcing the Zero Trust Deployment Center appeared first on Microsoft Security.