Zero trust was born out of the need to modernize an outdated IT architecture that assumes all of an organization’s assets – and everything attached to them – can be implicitly trusted. Since CISA released its Zero Trust Maturity Model, and since the decision to align federal cyber programs with the White House’s zero trust strategy, the approach has been the subject of significant hype, with NVIDIA being the most recent to embrace zero-trust security in data centers. But are organizations adopting it too quickly, creating more security risk instead of mitigating it?
The guiding principles of zero trust require that users and devices be continually re-authenticated and re-authorized, that networks be segmented to prevent lateral movement, and that least-privilege (“least access”) policies be applied. Beyond recent adoption by major players, the benefits have been underscored over the past few years as the global industry undergoes a massive transition. Cloud adoption, remote and distributed workforces, and the growing digital footprint of organizations have led to an increase in decentralized assets, which poses a huge challenge for cybersecurity teams.
Several issues arise from this change. First, zero trust policies can only be applied to assets that an organization knows exist. Second, zero trust challenges status quo cybersecurity practices: while there are clear zero-trust guidelines for managing and deploying new nodes on IT systems, there is no clear definition of how to revoke an asset or service. This is a weak point of modern cybersecurity infrastructure and represents a huge risk as organizations continue to grow their digital footprint, because it is incredibly easy for teams to lose track of new or pre-existing assets.
To complicate matters further, the cybersecurity industry’s habitual response to an emerging threat is to invent and adopt a new tool (antivirus to protect endpoints, firewalls for the network, a SIEM for alerting, and so on), leaving CISOs and CSOs with an arsenal of instruments that requires large teams of responders and auditors to operate and, in some cases, can leave them more exposed to attacks than protected.
A common thread connects each of these challenges: knowing the state of your external attack surface. EASM is Stage 0 of any effective Zero Trust Architecture system – here’s why you can’t have one without the other.
Unknown assets are game changers for the industry
Zero trust can only protect what it is aware of. Before deploying this strategy, organizations should be thorough in identifying their most critical assets. Everything from infrastructure, applications, and services to vendors – including those of all subsidiaries – must be meticulously cataloged before launching a zero-trust policy to protect them. Users should also be counted, as most will have full or partial access to internal systems. In particular, the developer-centric approach adopted by many organizations has made it considerably easier to create new products or deploy services for testing or development purposes. This expands the digital footprint and increases the number of unknown assets a business has to deal with.
Organizations have the choice to apply any security architecture to support IT networks, but without knowing what to protect at all times, huge security gaps remain. Unknown assets are proving to be a major concern for businesses around the world. Recently, a Reposify report revealed that 97% of the top 35 cybersecurity companies and their more than 350 subsidiaries hosted vulnerable assets in the AWS Cloud.
What does a thorough zero-trust strategy look like?
Once organizations have taken the critical step of mapping their assets, it is essential to then track their growing digital footprint with 24/7, real-time visibility. Unknown assets are dynamic and constantly changing (for example, short-lived cloud instances and development instances); EASM takes the guesswork out of asset management and provides insight into an organization’s current asset inventory, tackling two critical issues facing cybersecurity teams: human error and unmanaged deployment and configuration data.
There are three main asset categories that any zero-trust strategy must consider, all of which are critically supported by EASM: users, applications, and infrastructure. As users continue to shift to remote or home-working environments, it is important to know who has access to which systems and how they access them (e.g., a corporate laptop or a home computer). Cybersecurity teams can then cross-reference the number of remote employees against the number of unique access requests per day to identify potential risk areas and protect systems from malicious actors.
While zero trust secures communications within the network, EASM reflects what is exposed in real time and provides a clear list of external applications, remote user connections, and identified network infrastructure. CISOs can cross-reference this information with that generated by internal systems to confirm its legitimacy, and take into account geolocation information that is abnormal for the system.
Finally, infrastructure – routers, switches, cloud, IoT, and supply chain systems – can be continuously monitored. While zero trust is deployed on all known sources, EASM continuously generates the list of externally exposed ports and hosts that cybersecurity teams need to manage.
Removing implicit trust is just the start – there’s more to modernize
Just as zero trust modernized the implicit-trust model, EASM will modernize how organizations manage all of their external exposures. Zero trust removes the implicit trust between communication nodes in a decentralized system: any new node must be updated to the latest security profile, and strict onboarding policies ensure it complies with the existing zero-trust network. However, when a node needs to be moved or revoked, there is often little or no monitoring or security protocol in place to ensure that the network’s external attack surface remains secure. As an organization grows, it is easy for these abandoned resources to get lost and turn into vulnerable, high-risk gateways that attackers can exploit. EASM gives IT teams a robust way to catch these exposures before they become incidents.
Additionally, the cybersecurity industry’s response to emerging threats is to add yet another tool which, if left unmanaged, can make systems more vulnerable to attack than protected. The general management of security systems needs to be streamlined, and EASM can support this process; for example, EASM could consolidate the functions of several other solutions. It is not a magic bullet, but it can give CISOs intuitive, detailed, actionable, and timely insight into the steps needed to enforce a strong cybersecurity posture.
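The two checks described above – cross-referencing the external view against the internal inventory, and catching nodes that were revoked on paper but are still answering – come down to one reconciliation step. The script below is an added example, not code from the original article or from any EASM product; the inventory layout (host, owner, status, allowed ports), the observation layout (host, IP, open ports), the example.com hosts and the port allow-lists are all constructed assumptions. It goes slightly beyond the text by also flagging hosts that are active in the inventory but were never observed, which is the mirror-image bookkeeping failure.

```python
"""Reconcile a known asset inventory against externally observed exposures.

Added example, not code from the original article or from any EASM vendor.
Everything here is constructed for illustration: the inventory layout
(host -> owner, status, allowed_ports), the observation layout
(host, ip, open_ports) and the sample hosts under example.com are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


def normalize(host: str) -> str:
    """DNS and scan tooling emit 'WWW.Example.com.' and 'www.example.com' for
    the same name; compare on a canonical form so a case or trailing-dot
    mismatch does not manufacture a phantom 'unknown' asset."""
    return host.strip().rstrip(".").lower()


# Constructed sample: what the organization believes it owns (e.g. a CMDB export).
# status "revoked" means the node was decommissioned and should not be reachable.
KNOWN_ASSETS = {
    "www.example.com":     {"owner": "web-team", "status": "active",  "allowed_ports": {443}},
    "vpn.example.com":     {"owner": "netops",   "status": "active",  "allowed_ports": {443, 1194}},
    "old-api.example.com": {"owner": "platform", "status": "revoked", "allowed_ports": set()},
}

# Constructed sample: what an external scan / DNS enumeration actually observed.
OBSERVED = [
    {"host": "WWW.Example.com.",     "ip": "203.0.113.10", "open_ports": [443]},
    {"host": "vpn.example.com",      "ip": "203.0.113.20", "open_ports": [443, 1194, 22]},
    {"host": "old-api.example.com",  "ip": "203.0.113.30", "open_ports": [8080]},
    {"host": "dev-test.example.com", "ip": "198.51.100.5", "open_ports": [22, 3000]},
]


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # unknown | revoked_still_exposed | unexpected_port | not_observed
    detail: str


def reconcile(known: dict, observed: list) -> list[Finding]:
    """Compare observed exposure against the inventory and return everything
    the zero-trust policy cannot currently account for."""
    known = {normalize(h): rec for h, rec in known.items()}
    findings: list[Finding] = []
    seen: set[str] = set()

    for obs in observed:
        host = normalize(obs["host"])
        seen.add(host)
        ports = set(obs["open_ports"])
        rec = known.get(host)

        if rec is None:
            # Exposed but never inventoried: no owner, no policy, no enforcement.
            findings.append(Finding(host, "unknown",
                                    f"{obs['ip']} not in inventory; open ports {sorted(ports)}"))
        elif rec["status"] == "revoked":
            # Decommissioned on paper but still answering: the abandoned-node case.
            findings.append(Finding(host, "revoked_still_exposed",
                                    f"{obs['ip']} still reachable on {sorted(ports)}"))
        else:
            extra = ports - rec["allowed_ports"]
            if extra:
                # Owned and active, but exposing more than its approved profile.
                findings.append(Finding(host, "unexpected_port",
                                        f"ports {sorted(extra)} not in allow-list for {rec['owner']}"))

    # Active in inventory but absent from the outside view: either the scan
    # missed it (coverage gap) or it was retired without updating the inventory.
    for host, rec in known.items():
        if rec["status"] == "active" and host not in seen:
            findings.append(Finding(host, "not_observed",
                                    "active in inventory but not seen externally"))
    return findings


if __name__ == "__main__":
    for f in reconcile(KNOWN_ASSETS, OBSERVED):
        print(f"{f.kind:22} {f.host:24} {f.detail}")
```

Run against the constructed data, the script reports dev-test.example.com as unknown, old-api.example.com as revoked but still exposed, and vpn.example.com as exposing port 22 outside its allow-list; www.example.com produces nothing because the normalized name matches the inventory and its only open port is approved. In practice the two inputs would come from the CMDB and from the EASM platform’s continuous scan, and the findings would feed the ticketing or SOAR pipeline rather than stdout.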
Manage digital growth securely with EASM and zero trust
Because it provides robust and actionable insight into the state of any organization’s external attack surface, EASM is the first step in any comprehensive zero-trust strategy. The large number of unknown assets in circulation has highlighted the need for the cybersecurity industry to create best practices for decommissioning communication nodes so they do not become vulnerable to attack. Thorough mapping of the external attack surface can help CISOs streamline their cybersecurity protocols and reduce the number of unknown assets overall.