SolarWinds attack shows that Zero Trust must be on the CISO’s roadmap
The recent SolarWinds Orion supply chain attack demonstrates that the traditional enterprise security domain is obsolete and arguably has been for a long time. (Read more background )
The attack is particularly concerning because the actor used a sophisticated supply-chain attack to target software intended to centrally monitor and control IT infrastructure (including data centers, clouds, and applications). The targeting of such software means that data owners can no longer assume that data is secure “behind the firewall” (i.e.., the corporate security domain no longer has assurance of trust). An attacker that compromises enterprise IT management software will have a definite advantage, making exploitation easy and eradication by the enterprise owner difficult. So long as the control plane is challenged, CISOs must ensure cybersecurity includes data resilience in any environment it resides in, even within the enterprise security boundary.
The SolarWinds attack is just the beginning. Other network controllers, including SDN, SD-WAN, and other data flow technologies will continue to be attractive targets to Advanced Persistent Threats (APTs). Supply chain vulnerabilities will continue to be an option for effectively bypassing perimeter defense.
At Atos we have long advocated that the enterprise security domain is no longer trustable by definition. In fact, we advocate that data must leave the enterprise to support the organization’s mission. This perspective is opportunistic as media such as cloud and OT/IoT/IIoT provides economic benefits as well as an understanding of universal data resiliency. In this view, Atos envisions Zero Trust as a mission and business enabler, embracing distributed profiles through cloud computing, IoT profile, and business process outsourcing. Ultimately organizations can realize digitalization of their important services for public health, financial management, sound government, and so on.
While Zero Trust must be part of organizations with a mature digital transformation plan, even organizations that have not yet pursued digital transformation cannot delay embarking on the Zero Trust journey. However, as we begin 2021 we must also realize that defensive concerns must be addressed immediately. The organization and its stakeholders – patients, pensioners, citizens, etc. – cannot tolerate delay of the Zero Trust approach for digitalization’s sake. The “barn doors” of the enterprise are visibly open.
The targeting of such software means that data owners can no longer assume that data is secure “behind the firewall”
What Is Zero Trust?
Zero Trust is an approach that is best summed by the concept of “Never Trust, Always Verify” and must progressively be applied to all digital domains and solutions. This means having assurance that data is only being used by entities deliberately authorized to access, gather, transmit, store, and otherwise process it, in accordance with their specified entitlements. This also means that wherever the data exists, demonstrating capabilities for enforcement, awareness, and effective incident response. When applied effectively, Zero Trust is an orchestration of tools, processes, and activities that realize this capability.
Digitalization represents an opportunity to improve services and the experience of healthcare delivery, financial assurance, public services, environmental stewardship, and other stakeholder benefits. The emerging digital landscape will require a high index of data movement and distribution through clouds, devices, and applications. We must embrace data movement beyond the traditional enterprise and insist on data resilience wherever it resides. That means that Zero Trust is necessary for digital transformation. However, the SolarWinds breach soberly reminds us that external and untrusted entities already sit within the organization’s internal enterprise, regardless of whether organizations have embarked on digital transformation. Therefore, in either case, CISOs should explore Zero Trust and apply its principles without delay.
By Dan Schaupner,, Head of Cloud and Innovation, Global Digital Security Consulting
Posted on February 18