Matt Poulton, General Manager & Vice President EMEA & APJ at Forescout Technologies, discusses how public sector organisations can build a Zero Trust framework to mitigate internal and external cyberattacks
Without a doubt, the public sector safeguards a vast amount of critical data and acts as the central repository for information that daily life depends on. As a result, it is a prime target for cyber threats.
In fact, in an eight-month period from January 2022, UK councils experienced 2.3 million cyberattacks, averaging 10,000 a day and equating to a total pay-out of £10 million[1].
Many public sector organisations lack the internal resources to keep pace with the ever-changing threat, and understandably, they would prefer to focus on delivering frontline services.
In addition, budget constraints make cybersecurity even more of a challenge.
New demands on public sector IT environments require increased cybersecurity maturity.
The shift to the cloud has rendered traditional approaches to security obsolete
The shift to the cloud has rendered traditional, perimeter-based approaches to security obsolete: granting trust on the basis of a source IP address, and relying on a firewall at the network edge, assume that everything inside the boundary can be trusted and that the boundary is where the assets are.
Zero Trust has emerged as the alternative. It changes the security mindset so that no transaction, piece of data, device or individual is trusted because of where it sits on the network; each is treated as potentially hostile and must be explicitly authenticated and authorised before access is granted. Everyone and everything is guilty until proven innocent.
As a result of this shift, the Department for Digital, Culture, Media and Sport worked in collaboration with the National Cyber Security Centre last year to create guidelines for implementing Zero Trust architecture throughout the sector[2].
However, these remain just guidelines, unsupported by legislation or mandatory regulations.
Unpicking legacy security processes and changing strategy is no easy feat, but when Zero Trust is implemented properly the benefits outweigh the challenges. So, how can the public sector embrace Zero Trust to mitigate cyber threats?
Locating vulnerabilities is half the battle
To benefit from Zero Trust, public sector bodies first need to understand their IT networks and the potential attack surface. Traditional network security trusts anyone and anything once it is inside the perimeter, so the starting point is to know exactly what is inside.
So, as a first step, public sector bodies need to carry out an audit across the entirety of their digital assets, including hardware and software, to determine value and vulnerability.
The audit will reveal two things. Firstly, it will highlight sensitive data, critical applications and services, and physical assets that appeal to threat actors. Secondly, it will identify weak points, which, if left unchecked, could act as a revolving door for attackers.
Identifying vulnerable infiltration and movement points early on enables public sector bodies to put reinforcing security measures in place when designing their Zero Trust architecture, such as access policies.
Establish network checkpoints
The way traffic flows through a network will often pivot on the dependencies each system uses. For example, many public sector systems need to access a database holding customer or service information.
Data, therefore, moves around the network constantly, between devices, applications, and assets. When looking at how to implement Zero Trust, it’s essential to understand this data flow. Where does the data originate from? Where does it end up? What’s its purpose, and who is using it?
To identify which data flows should and shouldn’t be trusted, public sector bodies need to know which ones are vital to their operations. Only once this has been mapped and the permitted data flows identified can an organisation invoke the Zero Trust approach to block everything else.
In other words, rolling out a Zero Trust architecture places checkpoints in the network that let only legitimate data flows through. Network controls that encode which flows are allowed, with everything else denied by default, stop an attacker who has compromised one segment from moving laterally into another.
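The mapping-then-default-deny step described above, as an added example that is not Forescout's code or part of the NCSC guidance. The zone names, address ranges and flow records are all constructed for illustration. It generalises slightly from the text: rather than allowlisting individual host pairs, it collapses the mapped flows into zone-level rules (source zone, destination zone, protocol, port), which is how segmentation policy is usually expressed, and then reports every observed flow that falls outside them as candidate lateral movement.

```python
"""Default-deny flow policy derived from a data-flow map.

Added example, not Forescout's code or the NCSC guidance: it shows the
"map permitted flows, then block everything else" step as a small checker.
Zone names, address ranges and flow records are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

# Constructed segmentation: which address ranges belong to which zone.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web-tier": ipaddress.ip_network("10.20.0.0/24"),
    "db-tier": ipaddress.ip_network("10.30.0.0/24"),
    "printers": ipaddress.ip_network("10.40.0.0/24"),
}

Flow = namedtuple("Flow", "src dst proto dport")


def zone_of(ip):
    """Return the zone name for an address, or 'unknown' if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(lines):
    """Parse constructed flow records of the form 'src dst proto dport'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def build_allowlist(mapped_flows):
    """Collapse the mapped (business-justified) flows into zone-level rules."""
    return {(zone_of(f.src), zone_of(f.dst), f.proto, f.dport) for f in mapped_flows}


def evaluate(flow, allowlist):
    """Default deny: a flow is permitted only if its zone-level tuple was mapped."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
    return key in allowlist


def audit(flows, allowlist):
    """Split observed flows into permitted and blocked (candidate lateral movement)."""
    permitted, blocked = [], []
    for f in flows:
        (permitted if evaluate(f, allowlist) else blocked).append(f)
    return permitted, blocked


# Constructed output of the data-flow mapping exercise: flows the
# organisation has confirmed it needs.
MAPPED = parse_flows([
    "10.10.5.12 10.20.0.10 tcp 443",    # workstation -> web application
    "10.20.0.10 10.30.0.5 tcp 5432",    # web application -> database
    "10.10.7.3 10.40.0.20 tcp 9100",    # workstation -> printer
])

# Constructed traffic observed after the controls are switched on.
OBSERVED = parse_flows([
    "10.10.5.99 10.20.0.10 tcp 443",    # another workstation on the same mapped path
    "10.10.5.99 10.30.0.5 tcp 5432",    # workstation straight to the database: not mapped
    "10.40.0.20 10.30.0.5 tcp 22",      # printer opening SSH to the database: lateral movement
    "192.168.1.50 10.20.0.10 tcp 443",  # source outside every known zone
])

ALLOWLIST = build_allowlist(MAPPED)

if __name__ == "__main__":
    ok, bad = audit(OBSERVED, ALLOWLIST)
    for f in ok:
        print("ALLOW", f)
    for f in bad:
        print("BLOCK", f, f"({zone_of(f.src)} -> {zone_of(f.dst)})")
```

Run continuously over fresh flow records, the same `audit` is the monitoring check the later section calls for: a newly mapped business flow is added to the allowlist deliberately, while anything else that appears is investigated rather than silently permitted.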
Develop policies that determine access
A Zero Trust architecture makes explicit what is and is not allowed. In Zero Trust design, policy hygiene is everything.
By fixing non-negotiable policies, organisations can build strong authentication models and internal processes for making access decisions[3].
For example, adopting a who, what, where, when, why and how approach helps to build a policy for each user, service or device profile.
A profile built by answering questions such as who the users are, what applications they need to access and why, and how they connect to the network creates a strong level of security. That profile, in turn, tells IT systems whether access can be granted.
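The who, what, where, when, why and how questions above turned into an access decision, as an added example (not Forescout's code or the NCSC guidance). The identities, roles, resources, network names, device-posture values and policy entries are constructed for illustration. The decision is default deny: a request is granted only when every question has an acceptable answer, and each failed question is reported so the denial can be explained and audited.

```python
"""Attribute-based access decision built from a who/what/where/when/why/how profile.

Added example, not Forescout's code or the NCSC guidance. The identities,
roles, resources, device-posture values and policy entries are constructed
to illustrate the default-deny decision the text describes.
"""
from dataclasses import dataclass


@dataclass
class Request:
    who: str            # authenticated identity
    roles: frozenset    # roles the identity holds
    what: str           # resource requested
    action: str         # read / write / admin
    where: str          # network the request arrived from
    when_hour: int      # local hour, 0-23
    why: str            # declared business purpose
    how_mfa: bool       # was a second factor presented?
    how_device: str     # posture: managed-compliant / managed-noncompliant / unmanaged


# Constructed policy, one entry per (resource, action). Anything not listed is denied.
POLICY = {
    ("benefits-db", "read"): {
        "roles": {"caseworker", "caseworker-lead"},
        "networks": {"office", "vpn"},
        "hours": range(7, 20),
        "mfa": True,
        "devices": {"managed-compliant"},
        "purposes": {"case-review", "audit"},
    },
    ("benefits-db", "admin"): {
        "roles": {"dba"},
        "networks": {"office"},
        "hours": range(8, 18),
        "mfa": True,
        "devices": {"managed-compliant"},
        "purposes": {"change-ticket"},
    },
    ("intranet", "read"): {
        "roles": {"staff", "caseworker", "caseworker-lead", "dba"},
        "networks": {"office", "vpn", "internet"},
        "hours": range(0, 24),
        "mfa": False,
        "devices": {"managed-compliant", "managed-noncompliant"},
        "purposes": None,  # no declared purpose needed for the intranet
    },
}


def decide(req, policy=POLICY):
    """Return (allowed, reasons). Default deny: every failed question is a reason."""
    rule = policy.get((req.what, req.action))
    if rule is None:
        return False, [f"no policy for {req.what}/{req.action}"]
    reasons = []
    if not req.roles & rule["roles"]:
        reasons.append("who: role not entitled")
    if req.where not in rule["networks"]:
        reasons.append(f"where: network '{req.where}' not permitted")
    if req.when_hour not in rule["hours"]:
        reasons.append(f"when: hour {req.when_hour} outside permitted window")
    if rule["purposes"] is not None and req.why not in rule["purposes"]:
        reasons.append(f"why: purpose '{req.why}' not accepted")
    if rule["mfa"] and not req.how_mfa:
        reasons.append("how: MFA required")
    if req.how_device not in rule["devices"]:
        reasons.append(f"how: device posture '{req.how_device}' not permitted")
    return (not reasons), reasons


# Constructed requests: one fully in policy, the rest each failing at least one question.
BASE = dict(who="a.smith", roles=frozenset({"caseworker"}), what="benefits-db",
            action="read", where="vpn", when_hour=10, why="case-review",
            how_mfa=True, how_device="managed-compliant")
REQUESTS = {
    "in-policy": Request(**BASE),
    "unmanaged-laptop": Request(**{**BASE, "how_device": "unmanaged"}),
    "late-night-no-mfa": Request(**{**BASE, "when_hour": 23, "how_mfa": False}),
    "escalate-to-admin": Request(**{**BASE, "action": "admin"}),
    "unknown-resource": Request(**{**BASE, "what": "payroll"}),
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        allowed, reasons = decide(req)
        print(f"{name:20} {'ALLOW' if allowed else 'DENY':5} {'; '.join(reasons)}")
```

Note that the same caseworker on the same device is denied the moment one attribute changes (an unmanaged laptop, an out-of-hours request without MFA, an attempt to use the admin action): the identity alone never earns access, which is the point of the profile.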
Re-evaluate your network architecture
Once policies and controls are in place, monitoring becomes the next priority. Public sector bodies must continually look inwards and, as we do with cars, carry out a regular MOT to ensure the network controls are operating as they should.
‘It’s imperative that organisations continuously observe the network for anomalies’
Networks expand all the time with new devices, users, and applications. As a result, it’s imperative that organisations continuously observe the network for anomalies that could indicate new intrusions and proactively adapt policies.
Only through continued review can public sector bodies ensure their Zero Trust architecture matches the evolving sophistication of threat actors and their attack methods.
We have repeatedly seen that the public sector is a prime target for cybercriminals. If left unattended, its vulnerability to attacks will only increase as its reliance on digital processes grows. But this doesn’t need to be the case.
By embedding Zero Trust into their DNA, public sector bodies can contain the movement of attackers or lock them out completely, establishing an increasingly secure network.
1. https://www.openaccessgovernment.org/public-sector-data-under-real-threat-from-cybercriminals/147375/#:~:text=A%20recent%20Freedom%20of%20Information,cyberattacks%20year%2Don%2Dyear
2. https://www.ncsc.gov.uk/collection/zero-trust-architecture
3. https://www.ncsc.gov.uk/collection/zero-trust-architecture/authenticate-and-authorise
This piece was written and provided by Matt Poulton, General Manager & Vice President EMEA & APJ at Forescout Technologies