Matt Poulton, General Manager & Vice President EMEA and APJ at the cyber risk platform Forescout Technologies, discusses how public sector organisations can build a Zero Trust framework to mitigate internal and external cyber attacks.
The public sector holds vast data amounts of data. It really is the crown jewels of information due to the integral role it plays in day-to-day life. It’s a prestigious cyber target.
From January to August 2022, UK councils experienced 2.3 million cyberattacks, averaging 10,000 a day and equating to a total pay-out of £10m. Many public sector organisations lack the internal resources to keep pace with the ever-changing threat and, understandably, they would prefer to focus on delivering frontline services. In addition, budget constraints make cybersecurity even more of a challenge.
New demands on public sector IT environments require increased cybersecurity maturity. The shift to cloud has rendered traditional approaches to security, using trusted IP addresses and perimeter firewalls, obsolete. Zero Trust has emerged as an alternative, transforming the security mindset so that every transaction, piece of data, device and individual is viewed as suspicious and potentially hostile. Everyone and everything is guilty, until proven innocent.
In light of this shift, the Department for Digital, Culture, Media and Sport worked in collaboration with the National Cyber Security Centre (NCSC) last year to create guidelines for implementing Zero Trust architecture throughout the sector. However, these remain just guidelines, unsupported by legislation or mandatory regulations. Unwinding legacy security processes and changing strategies is no easy feat, but when implemented properly the benefits can outweigh the challenges. So, how can the public sector embrace Zero Trust to mitigate cyber threats?
Identify all possible points of attack
In order to benefit from Zero Trust, public sector bodies first need to understand their IT networks and the potential attack surface. Traditional IT network security trusts anyone and anything inside the network. So, as a first step, public sector bodies need to carry out an audit across the entirety of their digital assets, including hardware and software, to determine value and vulnerability.
The audit will reveal two things. Firstly, it will highlight sensitive data, critical applications and services, and physical assets that appeal to threat actors. Secondly, it will identify weak points, which if left unchecked, could act as a revolving door for attackers. Identifying vulnerable infiltration and movement points early on enables public sector bodies to put reinforcing security measures in place when designing their Zero Trust architecture, such as access policies.
Implement controls around network traffic
The way traffic flows through a network will often pivot on the dependencies each system uses. For example, many public sector systems need to access a database holding customer or service information. Data therefore moves around the network constantly, between devices, applications and assets. When looking at how to implement Zero Trust, it’s essential to understand this data flow. Where does the data originate from? Where does it end up? What’s its purpose and who is using it?
To identify which data flows should and shouldn’t be trusted, public sector bodies need to know which ones are vital to their operations. Only once this has been mapped, and the permitted data flows identified, can an organisation invoke the Zero Trust approach to block everything else. In other words, rolling out a Zero Trust architecture essentially forms road blockers in the network to only allow legitimate data flows through. By building network controls that set the rules to determine which flows are allowed and which are not, it prevents attackers from moving laterally between network pockets.
Establish boundaries to determine access
Adopting Zero Trust architecture confirms the boundaries of what should and shouldn’t be allowed. In Zero Trust design, policy hygiene is everything. Through cementing non-negotiable policies, organisations are able to construct strong authentication models and form internal processes to take on access decisions. For example, adopting a who, what, where, when, why and how approach can assist in building a policy, user, service or device profile. A profile achieved through the confirmation of questions like who the users are, what applications they need to access and why, as well as how they connect to the network, creates a strong level of security. In turn, this profile informs IT systems as to whether access can be given.
Carry out an architecture MoT
Once policies and controls are in place, monitoring becomes the next priority. Public sector bodies must continually look inwards, and as we do with cars, carry out a regular MOT to ensure the network controls are operating as they should. Networks expand all the time, with new devices, users and applications. As a result, it’s imperative that organisations continuously observe the network for anomalies that could indicate new intrusions, and proactively adapt policies. Only through continued review can public sector bodies ensure their Zero Trust architecture matches the evolving sophistication of threat actors and their attack methods.
The public sector is a key target for cyber criminals. Without intervention, its vulnerability to attacks is set to increase as its reliance on digital practices rise. However, through embedding Zero Trust in its design, public sector bodies can limit the movements of attackers or even shut them out entirely, creating a more secure network.
