Zero trust was born out of the critical need to modernize outdated IT architecture, which assumes that all assets within an organization – and attached to it – should be implicitly trusted. Since CISA released their Maturing Enterprise Model — and the move to align cyber programs with White House Zero Trust strategy — it’s gained significant buzz, with NVIDIA being the most recent to adopt zero-trust security within data centers. But are organizations too quick to adopt, creating more security risk instead of mitigating it?
The guiding principles of zero trust require users to continuously re-authenticate themselves by leveraging network segmentation, preventing lateral movement and assuming “least access” policies. Recent adoption from big players aside, the benefits have been emphasized in the last several years as global industry undergoes a massive transition. Cloud adoption, remote and distributed workforces and organizations’ growing digital footprints have led to a spike in decentralized assets, posing a massive challenge to cybersecurity teams.
Out of this shift come several problems — first, zero-trust policies can only be applied to assets that an organization knows are there. It’s also calling status quo cybersecurity practices into question. Although there is clear zero-trust guidance for managing and deploying new nodes onto IT systems, there is no clear definition on how to revoke an asset or a service. This is a soft spot for modern cybersecurity infrastructure and represents a huge risk as organizations continue to grow their digital footprint, as it’s incredibly easy for teams to lose track of new or preexisting assets.
To further complicate matters, the cybersecurity industry’s answer to emerging threats is to invent and adopt a new tool (AV to protect endpoints, FW for network, SIEM system for alerting, and more), leaving CISOs and CSOs with an arsenal of cybersecurity instruments that require them to employ large teams of responders and auditors and, in some cases, could leave them more exposed to attack than protected.
A common thread links each of these challenges: knowing the state of your external attack surface. EASM is step 0 for any effective zero-trust architecture system — here’s why you can’t have one without the other.
Unknown assets are an industry game changer
Zero trust can only protect what it’s aware of. Before deploying this strategy, organizations ought to be thorough in identifying their most critical assets. Everything from infrastructure, applications, services, providers — including those of any subsidiary companies — must be meticulously cataloged before launching a zero-trust policy to protect them. Users, too, must be accounted for as most will have full or partial access to internal systems. In particular, the developer-first approach many organizations are taking means it has become considerably easier to build new products or deploy services for testing or development. This only grows digital footprints and maximizes the number of unknown assets a company must contend with.
Organizations have the choice to apply any security architecture to support IT networks — but without knowledge of what to protect on an ongoing basis, huge security gaps remain. Unknown assets are proving to be a main concern for companies globally — recently, a Reposify report found that 97% of the top 35 cybersecurity companies and their 350+ subsidiaries hosted vulnerable assets in AWS cloud.
What does a thorough zero-trust strategy look like?
Once organizations make the critical step to map their assets, it’s essential to then keep track of growing digital footprints with 24/7, real-time visibility. Unknown assets are dynamic and constantly changing (e.g., pop-up cloud instances and dev instances); EASM takes the guessing game out of asset management and provides insight into an organization’s ongoing asset inventory, tackling critical problems facing cybersecurity teams: human error and unmanaged deployment and configuration data.
There are three main categories of assets that any zero-trust strategy must take into account, all of which are critically supported by EASM: users, applications and infrastructure. As users continue to transition to remote or at-home work environments, it’s important to keep track of who has access to which systems, and by which means they have access (for example, corporate laptop versus private computer). Now, cybersecurity teams can cross-reference the number of remote employees against the number of unique access requests in a day to identify potential risk areas and keep systems secure against malicious actors.
While zero trust enables secure communications in-office, EASM can help reflect what is exposed in real time and provide a clear list of the external-facing applications, users’ remote connections and network infrastructure identified. CISOs can now cross-reference this information against the inventories generated on internal systems to confirm their legitimacy, as well as consider geo-location information that may be abnormal for the system.
Finally, infrastructure — like routers, switches, cloud, IoT and supply chain systems — can be securely monitored. While zero trust is rolled out against every known source, EASM will continuously generate a list of exposed external ports and IT systems for cybersecurity teams to manage.
Removing implicit trust is just the beginning — there’s more to be modernized
Just as zero trust modernized the “implicit trust” approach, so will external attack surface management for the general management of all external exposure. Zero trust disrupts the implicit trust between communication nodes in a decentralized system. Any new node must be updated with the latest security profile, and stringent onboarding policies are in place to comply with the existing zero-trust network. However, if a node is to be relocated or revoked there is often little to no monitoring and security protocol in place to ensure the network’s external attack surface remains secure. As an organization grows, it’s easy for these abandoned assets to be lost in the shuffle, and mutate into high-risk, vulnerable gateways for attackers to exploit. EASM provides robust solutions to IT teams, which can prevent risks to their organization down the line.
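As an added example (not code from the article or from any EASM product), the Python snippet below reconciles a constructed external inventory of the kind an EASM scan would produce against a constructed internal zero-trust asset registry. It flags the three conditions raised above and in the asset discussion earlier: assets the organization never registered, nodes that were revoked but are still reachable, and known assets exposing ports beyond what their policy allows. Hostnames, IPs and ports are invented sample data.

```python
# Added example: reconcile an EASM-style external view against the internal
# zero-trust asset registry. All hosts, IPs and ports below are constructed.

# What an external scan observes (constructed sample, not real infrastructure).
EXTERNAL = [
    {"host": "api.example.test", "ip": "203.0.113.10", "ports": [443, 9200]},
    {"host": "dev-test-42.example.test", "ip": "203.0.113.77", "ports": [22, 8080]},
    {"host": "legacy-vpn.example.test", "ip": "203.0.113.5", "ports": [443, 1194]},
    {"host": "sub.acquired-co.test", "ip": "198.51.100.9", "ports": [3389]},
]

# What the zero-trust policy engine knows about (constructed sample).
# "revoked" models a node that was offboarded from the policy but never
# actually torn down, which is the gap the article describes.
INTERNAL = {
    "api.example.test": {"status": "active", "allowed_ports": {443}},
    "legacy-vpn.example.test": {"status": "revoked", "allowed_ports": set()},
}


def reconcile(external, internal):
    """Return (finding_type, host, ports) tuples for every discrepancy."""
    findings = []
    for obs in external:
        record = internal.get(obs["host"])
        if record is None:
            # Exposed but absent from the registry: zero trust cannot cover it.
            findings.append(("unknown_asset", obs["host"], obs["ports"]))
        elif record["status"] != "active":
            # Policy says gone; the internet says otherwise.
            findings.append(("revoked_still_exposed", obs["host"], obs["ports"]))
        else:
            extra = sorted(set(obs["ports"]) - record["allowed_ports"])
            if extra:
                # Known asset drifting beyond its least-access port policy.
                findings.append(("unexpected_port", obs["host"], extra))
    return findings


def coverage_ratio(external, internal):
    """Fraction of externally visible hosts the registry actively manages."""
    managed = sum(
        1 for obs in external
        if internal.get(obs["host"], {}).get("status") == "active"
    )
    return managed / len(external) if external else 1.0


if __name__ == "__main__":
    for kind, host, ports in reconcile(EXTERNAL, INTERNAL):
        print(f"{kind:24} {host:30} ports={ports}")
    print(f"coverage: {coverage_ratio(EXTERNAL, INTERNAL):.0%}")
```

A real deployment would feed the same logic from the EASM export and the policy engine's inventory API rather than from inline constants, and would treat every finding as a ticket to either register the asset or decommission it.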
Furthermore, the cybersecurity industry’s answer to emerging threats is to add a new tool, which, if not accounted for, can leave IT systems more vulnerable to attack than protected. The general management of security systems needs to be streamlined — EASM can support this process. For example, EASM could replace multiple other solutions. It’s not a silver bullet; but it can give CISOs intuitive, detailed, actionable and time sensitive insight into what steps need to be taken to enforce a robust cybersecurity posture.
Manage digital growth securely with EASM and zero trust
Because it supplies robust, actionable insight into the state of any organization’s external attack surface, EASM is the first step in any complete zero-trust strategy. The huge number of unknown assets in circulation has emphasized the need for the cybersecurity industry to create best practices for offloading communication nodes and preventing them from becoming vulnerable to attack. Thorough mapping of an external attack surface can help to streamline cybersecurity protocol for CISOs, and reduce the number of unknown assets overall.