Three steps to implementing Zero Trust in a legacy environment
Once hacked, forever wary. After all, trust is the easiest thing in the world to lose, and the hardest thing to get back. This is certainly true in today’s turbulent security landscape.
Cybersecurity has been marked as an area of particular concern by governments across the world. The UK Department for Digital, Culture, Media and Sport reported in March 2022 that, of the businesses that had identified an attack in the previous year, nearly a third were being attacked at least once a week. What’s the answer? To protect your organisation against the most dangerous threats, you need to build a Zero Trust approach to security.
The approach is wide-ranging: no user, device or network location is trusted by default, and every request is authenticated and authorised on its own merits, wherever it comes from.
Weak foundations
This comes with some big challenges, not least of which is a legacy IT environment. In the past, most security models were built like a castle and a moat: The entrance to your castle was heavily fortified under the assumption everything within that boundary was safe. The same concept applies to firewalls. It means that once someone is cleared to enter your system, they do not have to be continuously challenged to go about their business. The obvious problem with this security model is that if hackers can find their way into your castle undetected, they can wreak havoc.
One of the largest-scale examples of this Trojan Horse-style attack was the 2020 compromise of software company SolarWinds. The attackers got into SolarWinds’ build environment and planted a backdoor in signed updates of its Orion monitoring platform; around 18,000 customers installed the trojanised update, and from that foothold the attackers moved on into a smaller set of high-value targets, including US government agencies. Because the update came from a trusted vendor and ran inside the perimeter, nothing challenged it. Events like this have unsurprisingly prompted a swift shift in mindset when it comes to cybersecurity: trust no one, or Zero Trust.
Benefits, and challenges
The benefits of a Zero Trust approach are clear. If you assume that no piece of software, device or network is trustworthy, and require every request to prove it is authenticated and authorised, a single compromised credential or host no longer gives an attacker the run of the estate: they get only what that identity is allowed to do, for as long as its short-lived credential is valid. The checks add a small amount of latency and load on every request, but that cost is marginal next to the risk it mitigates.
However, there remains at least one significant hurdle that you have to address before Zero Trust can be effectively adopted across the board – legacy systems. Years of rapid digital transformation have left many IT systems straining under the weight of new technology they can no longer comfortably manage. The financial services industry – much like most other technology-reliant sectors – is operating on legacy systems that prevent them from transitioning towards a Zero Trust approach.
Technologies like middleware and mainframes were not designed with Zero Trust in mind. They struggle with the model partly because they rely on a relatively long-lived session: a user or batch job authenticates once, and everything sent over that connection afterwards is trusted on the strength of that first check. That does not fit a model in which each request to an API is authorised individually, carries its own short-lived credential, and may arrive asynchronously rather than over one persistent connection.
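The contrast between the two patterns, as an added example that is not part of the original article: the legacy path authenticates once and trusts a session flag for ever, while the Zero Trust path puts a small gateway in front of the same backend and checks a short-lived, scoped, signed token on every request. The token format (HMAC-signed JSON with a shared key), the action-to-scope table and all names are assumptions made for the example; a real gateway would verify tokens from an identity provider with a public key rather than share a secret with it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for this example only. In a real deployment the gateway would
# verify tokens issued by an identity provider (e.g. a public key for RS256/ES256
# JWTs) rather than share a secret with it.
GATEWAY_KEY = b"example-only-shared-secret"

# --- Legacy pattern: authenticate once, then trust the session ---------------
legacy_sessions = {}


def legacy_login(session_id, user, password_ok):
    """One-off check at the 'castle gate'; the session is trusted thereafter."""
    if password_ok:
        legacy_sessions[session_id] = {"user": user, "authenticated": True}


def legacy_handle(session_id, action):
    """Only the session flag is consulted: no expiry, no per-action check."""
    sess = legacy_sessions.get(session_id)
    if not sess or not sess["authenticated"]:
        return "denied"
    return f"{action} ok for {sess['user']}"


# --- Zero Trust pattern: a short-lived, scoped token on every request -------
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, now=None):
    """Mint an HMAC-signed token carrying subject, scopes and an expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        enc_payload, enc_sig = token.split(".")
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims


# Which scope each backend action needs (constructed policy table).
REQUIRED_SCOPE = {"read_balance": "accounts:read", "transfer": "payments:write"}


def gateway_handle(token, action, now=None):
    """Per-request check in front of a backend that cannot do it itself."""
    claims = verify_token(token, now)
    if claims is None:
        return "denied"
    needed = REQUIRED_SCOPE.get(action)
    if needed is None or needed not in claims["scopes"]:
        return "denied"
    return legacy_backend(claims["sub"], action)


def legacy_backend(user, action):
    """The mainframe/middleware side. Reachable only via the gateway (enforce
    that with network policy), so it never sees an unauthorised request."""
    return f"{action} ok for {user}"


def demo(now=1_700_000_000.0):
    """Contrast the two patterns on a stolen or replayed credential."""
    legacy_login("sess-1", "alice", password_ok=True)
    token = issue_token("alice", {"accounts:read"}, ttl_seconds=300, now=now)
    # Forgery attempt: keep the real signature, swap the subject in the payload.
    forged_payload = json.dumps({"exp": now + 300, "scopes": ["accounts:read"],
                                 "sub": "mallory"}, sort_keys=True,
                                separators=(",", ":")).encode()
    forged = _b64(forged_payload) + "." + token.split(".")[1]
    return {
        "legacy_any_action_hours_later": legacy_handle("sess-1", "transfer"),
        "zt_in_scope": gateway_handle(token, "read_balance", now=now + 10),
        "zt_out_of_scope": gateway_handle(token, "transfer", now=now + 10),
        "zt_replayed_later": gateway_handle(token, "read_balance", now=now + 3600),
        "zt_forged_subject": gateway_handle(forged, "read_balance", now=now + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The legacy session keeps working for any action for as long as the process lives, which is exactly what an attacker with a stolen session wants. The gateway path refuses the same credential once it is out of scope, expired or tampered with, and the backend behind it never has to understand tokens at all; it only has to be unreachable except through the gateway.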
Three ways to achieve Zero Trust
I see three ways to implement a Zero Trust approach while dealing with the constraints of legacy IT.
1. Prepare to be hacked
Design on the assumption that attackers are already inside. As mentioned, that means challenging users at every stage inside the system, not only at the perimeter, so that a foothold on one host or one stolen credential does not open up everything behind it. It also means logging those checks, because an intruder who is already inside only shows up in the data those checks produce.
2. Address the problem at the source
Teach developers to build Zero Trust into code from the start: explicit authentication and authorisation on every call, and no implicit trust in a caller because it happens to be on the internal network. If you are devising your security approach around pen testing (penetration testing) and hoping this covers your vulnerabilities, you will be sadly mistaken. A pen test is a point-in-time check on a sample of the system; on its own it is far too simplistic an approach to cyber security and cannot protect firms from the sophisticated and targeted attacks of cyber criminals.
3. Rethink your software architecture
It’s clear that legacy technologies are holding businesses back when it comes to increasing operational resilience and efficiencies. But the troubling reality is that they also make you more vulnerable to cyber-attacks because your systems cannot cope with the adoption of more resilient security models. As cyber threats continue to proliferate, you need to urgently address the security approaches that are no longer fit for purpose. You will need to adopt a new model that can better protect your business and customers. In practice that rarely means a big-bang rewrite: where a legacy service cannot check each request itself, put a policy-enforcing gateway in front of it, close the network paths that bypass the gateway, and migrate the service behind it at your own pace.
Security information and event management (SIEM) technology is part of the answer: if every request is checked, every check can be logged, and correlating those logs is how you spot the intruder who is already inside. Log Analytics from ITRS can play a huge part in helping you take that visibility and security one step further by integrating with your existing monitoring solutions, improving logging visibility, correlation, reporting and alerting – for businesses of any scale.
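What that correlation looks like over per-request authorisation decisions, as an added example that is not part of the original article and not ITRS code: two assume-breach rules run over a constructed log. The log format, the rule thresholds and the subject and service names are all assumptions for the example; a real SIEM would apply the same logic to its own normalised events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed authorisation-decision log (one line per per-request check).
# The format is an assumption for this example. Note the one garbage line,
# which a correlation rule must skip rather than choke on.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z svc=gateway sub=alice src=10.0.0.5 action=accounts:read outcome=allow
2024-05-01T10:01:10Z svc=payments sub=alice src=10.0.0.5 action=payments:write outcome=deny
2024-05-01T10:01:40Z svc=hr sub=alice src=10.0.0.5 action=hr:read outcome=deny
2024-05-01T10:02:05Z svc=payments sub=alice src=10.0.0.5 action=payments:write outcome=deny
2024-05-01T10:02:30Z svc=admin sub=alice src=10.0.0.5 action=admin:users outcome=deny
2024-05-01T10:03:00Z svc=gateway sub=bob src=10.0.0.9 action=accounts:read outcome=allow
2024-05-01T10:03:45Z svc=gateway sub=bob src=203.0.113.7 action=accounts:read outcome=allow
2024-05-01T10:04:00Z svc=hr sub=carol src=10.0.0.12 action=hr:read outcome=deny
2024-05-01T10:20:00Z svc=gateway sub=carol src=10.0.0.12 action=accounts:read outcome=allow
this line is garbage and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) svc=(?P<svc>\S+) sub=(?P<sub>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) outcome=(?P<outcome>allow|deny)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return ev


def correlate(lines, window=timedelta(minutes=5), min_denied_services=3):
    """Two assume-breach rules over a sliding window, one alert per subject per rule.

    scope_probe  - one identity denied at N distinct services within the window
                   (a valid credential being used to feel out what it can reach)
    multi_source - one identity active from two or more source addresses within
                   the window (a credential in use somewhere it should not be)
    """
    denies = defaultdict(deque)   # sub -> deque of (ts, svc) for denials
    sources = defaultdict(deque)  # sub -> deque of (ts, src) for every event
    fired, alerts = set(), []
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        ts, sub = ev["ts"], ev["sub"]
        if ev["outcome"] == "deny":
            denies[sub].append((ts, ev["svc"]))
        sources[sub].append((ts, ev["src"]))
        for q in (denies[sub], sources[sub]):  # drop events outside the window
            while q and ts - q[0][0] > window:
                q.popleft()
        svcs = sorted({s for _, s in denies[sub]})
        if len(svcs) >= min_denied_services and (sub, "scope_probe") not in fired:
            fired.add((sub, "scope_probe"))
            alerts.append({"rule": "scope_probe", "sub": sub, "at": ts,
                           "services": svcs})
        srcs = sorted({s for _, s in sources[sub]})
        if len(srcs) >= 2 and (sub, "multi_source") not in fired:
            fired.add((sub, "multi_source"))
            alerts.append({"rule": "multi_source", "sub": sub, "at": ts,
                           "sources": srcs})
    return alerts


def run_demo():
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Neither rule fires on a perimeter login; both need the per-request decisions that a Zero Trust gateway produces. Alice's valid credential is refused at three different services inside two minutes, which is what an attacker probing with a stolen identity looks like, and Bob's identity appears from two addresses within a minute. Carol's single denial is the noise a tuned threshold should ignore.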
This article originally appeared in The Stack.