Adam Brady, Director of Systems Engineering at Illumio, tells Technology Reseller it is time for regulators to take a harder line on cybersecurity
Is this the year when Zero Trust Segmentation moves from a recommendation to a required control? Adam Brady, Director of Systems Engineering at Illumio, certainly hopes so and is calling on legislators to take a tougher approach in their cybersecurity advisories and mandates.
Illumio addresses two aspects of security – visibility and Zero Trust Segmentation. Together, they enable businesses to better understand their IT infrastructure and the relationships between different parts (visibility) and then contain breaches by preventing the lateral movement of an attack or ransomware across the network from, say, a compromised mobile device to high value applications or servers containing critical data (Zero Trust Segmentation).
“Default deny was the term we used before Zero Trust came along,” explains Brady. “Now we use the term Zero Trust Segmentation because it’s a subset of Zero Trust. Zero Trust is account access, it’s machine access on the network, it’s network access; it’s various different things. We absolutely don’t do all of those things, but we do focus on the segmentation aspects of Zero Trust. That’s where we come in.
“Our general posture is ‘let’s assume a breach is going to occur, how do we configure our systems in such a way that those impacts are less and fewer?’. If, instead of open network access, we set things up so machine A cannot talk to machine B unless it really has to, that very much prevents those breaches from spreading. Everything is denied by default.”
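The default-deny model Brady describes, shown as an added worked example that is not from the article and not Illumio's product code: every flow between workloads is refused unless an explicit allow rule matches it, and a reachability search over the permitted flows estimates how far an attacker could pivot from a single compromised workload. The workload inventory, the role labels, the allow rules and the port numbers are constructed for this illustration.

```python
"""Default-deny segmentation policy plus a lateral-movement blast-radius check.

Illustrative example only; the inventory and rules below are constructed.
"""
from collections import deque

ANY = "*"  # wildcard used only by the deliberately open "flat network" policy

# Constructed inventory: workload name -> role label used by the policy.
WORKLOADS = {
    "laptop-01": "endpoint",
    "web-01": "web",
    "app-01": "app",
    "db-01": "database",
    "jump-01": "bastion",
}

# Explicit allow rules: (source role, destination role, destination port).
# Any flow not matched by a rule is denied. This is the default-deny posture.
SEGMENTED_POLICY = [
    ("endpoint", "web", 443),      # users reach the web tier only
    ("web", "app", 8080),          # web tier talks to the application tier
    ("app", "database", 5432),     # only the app tier reaches the database
    ("bastion", "database", 5432), # administrators go via the jump host
]

# A flat, open network for comparison: everything may talk to everything.
OPEN_NETWORK_POLICY = [(ANY, ANY, ANY)]


def _matches(rule, src_role, dst_role, port):
    """True if a single rule permits src_role -> dst_role on the given port."""
    r_src, r_dst, r_port = rule
    return (r_src in (ANY, src_role)
            and r_dst in (ANY, dst_role)
            and r_port in (ANY, port))


def is_allowed(src, dst, port, rules=SEGMENTED_POLICY):
    """Policy decision for one flow: allowed only by an explicit rule."""
    if src == dst:
        return True  # local traffic is not a network flow
    src_role, dst_role = WORKLOADS[src], WORKLOADS[dst]
    return any(_matches(rule, src_role, dst_role, port) for rule in rules)


def blast_radius(compromised, rules=SEGMENTED_POLICY):
    """Worst-case lateral-movement reach from one compromised workload.

    Breadth-first search over permitted flows: each workload an attacker can
    open a connection to is treated as a possible next pivot.  The result is
    the set of workloads that could eventually be reached, excluding the start.
    """
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for candidate in WORKLOADS:
            if candidate in seen:
                continue
            # A hop exists if any rule permits current -> candidate on the
            # port that rule names (ANY matches any port).
            if any(_matches(rule, WORKLOADS[current], WORKLOADS[candidate], rule[2])
                   for rule in rules):
                seen.add(candidate)
                queue.append(candidate)
    seen.discard(compromised)
    return seen


def compare_policies(compromised):
    """Number of workloads exposed to a pivot under the open vs. segmented policy."""
    return (len(blast_radius(compromised, OPEN_NETWORK_POLICY)),
            len(blast_radius(compromised, SEGMENTED_POLICY)))


if __name__ == "__main__":
    print("laptop -> web:443  ", is_allowed("laptop-01", "web-01", 443))
    print("laptop -> db:5432  ", is_allowed("laptop-01", "db-01", 5432))
    print("laptop -> web:22   ", is_allowed("laptop-01", "web-01", 22))
    for start in ("laptop-01", "jump-01", "db-01"):
        print(f"blast radius from {start}: open={compare_policies(start)[0]} "
              f"segmented={compare_policies(start)[1]} "
              f"-> {sorted(blast_radius(start))}")
```

Under the segmented policy a compromised laptop can still reach the web tier, and the search shows the one remaining chain (web, then app, then database) that an attacker would have to traverse; tightening or removing a rule shrinks that set, while the open network exposes every other workload in one hop. Running `blast_radius` for each workload after a policy change is the kind of routine review Brady argues for later in the piece.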
Illumio customers tend to be organisations with high IP or high value applications that need to be protected for business and/or compliance purposes – large enterprises, financial services companies, SaaS companies, big retailers, manufacturing companies and the like.
“If you’re a large company, attackers are always looking to breach your defences for ransomware purposes, for theft of IP, for the actual removal of money from systems and to prevent those systems from functioning. Those businesses use us because it’s now assumed and understood that you can’t prevent breaches. If you’ve got 100,000 machines or workloads or endpoint devices, the chances of one of those being compromised at some point is basically 100%, and you have to be pragmatic about that. That’s where we come into play, preventing that movement across from that first device,” explains Brady.
In 2022, Illumio saw implementation of its products extend further across customers’ IT infrastructure into their endpoint estates and the cloud. It also saw rapid growth of its ‘segmentation-as-a-service’ offering for MSPs, as the transition from prevention and detection to breach containment continued.
“A few years ago, the talk was very much around ‘let’s put things in place to protect our business and assume that they’ve been successful’. We then moved to the detection phase: ‘OK, we’ve put these things in place; we now need to focus a little on whether they’re successful or not’. Now we’re moving beyond that and assuming that even if we have those things in place, there will be breaches.”
US, UK and EU legislators are moving towards Zero Trust in their advisories and industry-specific guidance in response to the number, scale and impact of breaches and ransomware, but Brady would like to see much more detail and stronger mandates.
“The government isn’t specific enough about how to configure things and we see a little reticence in how they apply fines, how they apply mandates. It’s often advisory and not mandated. We see that in things like the NIST directive where you’ll be fined if you are breached and found not to have put things in place from a security perspective. It should be stronger. You should be unable to do business unless you have those things in place because the chances of you being breached are extremely high. We’ve seen some updates to advisories in the past few months that go in that direction. But there’s room to be stronger.”
Brady adds that businesses need to be more rigorous, especially when it comes to compliance with SWIFT, PCI, NIST and other standards.
“Compliance is often a tick box exercise, but it should be done for security reasons. There’s a danger that if you have a really high-level shortlist of things to do and things to put in place that isn’t specific enough and doesn’t have eyes-on auditing of the implementation, you’ll assume you’re safe and secure when actually a breach is just as likely to occur because of the configuration or the detail of how something’s been put in place.
“That’s something I focus on when I’m talking to customers – ‘So yes, put this in place and let’s really focus on how it’s built, how it’s configured. Let’s review that frequently. Let’s look at how your business evolves over time. Have you pen-tested your network after putting that in place? What’s the change in your security posture and your security at that point in time?’”
The good news, Brady suggests, is that improving your security posture is within reach of any business.
“There are one or two low-level Zero Trust-type things you can put in place if you’ve got any infrastructure at all, just in terms of good hygiene and security practice. The basics are account access – that’s one of the big pillars – and Zero Trust network access. They are the first two things you should look at from a Zero Trust perspective and both of those things are potentially less about the cost of software, the cost of implementation and more about how the network is configured and trying to apply some best practice. It doesn’t have to cost the earth to put these things in place.”