Phil Muncaster asks how endpoint security can bolster multi-year zero trust projects

What do Google, Microsoft and the White House have in common? They’re all big fans of zero trust. Despite being over a decade old, the security approach first described by analyst firm Forrester is finally gaining serious momentum thanks to buy-in from some of the tech world’s biggest vendors and a new federal government mandate.

As organizations’ attack surfaces expand due to huge COVID-era investments in digital transformation, zero trust is increasingly being embraced as a way to level the playing field with agile, determined adversaries. A new Forrester report sponsored by HP explains how organizations can begin their zero trust journey by putting endpoint security front-and-center of their plans.

A New Era

As companies adapt to a new era of hybrid working, CISOs are struggling with an explosion of devices that require access to corporate data outside of the traditional perimeter. Attackers have become experts at finding ways into these expansive new computing environments, often using stolen or brute-forced credentials for access and then staying hidden by using legitimate tooling for lateral movement.

Home devices used for work represent a particularly acute challenge. The Forrester report finds that less than two-thirds (64%) of organizations secure such devices. At the same time, threat actors are able to tap a vast cybercrime economy for tooling, stolen credentials and knowledge.

The impact of these trends is clear: Forrester claims that over a third (34%) of organizations have experienced a data breach from lateral movement or a home worker’s device. In the US, the volume of publicly recorded breaches soared to record highs in 2021.

Starting at the Endpoint

Zero trust offers a strategy to mitigate cyber-risk in this new post-pandemic era. It’s based on a notion of “never trust, always verify,” which assumes the organization has already been breached and requires the deployment of continuous monitoring, network segmentation and least privilege policies to minimize attack impact. According to the US government, it should be built around five pillars: identity, devices, networks, applications and data.

Respondents to the report agree that such an approach could address the spread of ransomware between devices, tackle third-party risks and mitigate lateral movement and ‘island hopping.’


Although all layers are important, securing the endpoint environment is increasingly key to any zero trust strategy, according to SANS Institute senior instructor Ismael Valenzuela.

“As networks become more opaque due to the use of end-to-end encryption, and applications move to the public cloud, endpoint security takes a more central role. It’s often said that in zero trust, identity is the new perimeter. In this model, identity is not only who you are, and what permissions and rights are associated with your role, but also what device you are using, and what’s the context around that device,” he tells Infosecurity.

“Since most users often use multiple devices, much of this context needs to come from multiple protection and detection sensors implemented across these devices, reporting to centralized visibility and analytics platforms. Also, implementing key zero trust strategies, like attack surface reduction, privilege access management and reducing the ability of attackers to maneuver or move laterally in an organization, requires strong endpoint security capabilities.”

It’s good news, therefore, that most (85%) respondents to the Forrester report say that improving endpoint security is a high or critical priority over the coming 12 months.

Building Security by Design

According to Forrester, zero trust can help prevent and detect data breaches, enhance the user experience and build a more solid corporate security culture. It’s a view echoed in another report from the analyst firm.

Senior analyst David Holmes tells Infosecurity that employees are more likely to be engaged if they feel their company is forward-thinking and innovative.

“They’re also more engaged when, in addition to necessary mobile technologies, they have devices and apps that perform well and can easily authenticate to the services they need,” he adds. “Zero trust plays an important role in enabling higher productivity through the elimination of cumbersome passwords, the replacement of VPNs and the consolidation of performance-draining security agents on devices.”

Security teams also benefit by reducing their toil on administrative security tasks and freeing up more time to prevent and detect high-priority intrusions. Two-fifths (40%) of survey respondents also claim zero trust has helped them gain increased stakeholder buy-in, reduce compliance costs and drive enterprise-wide agility.

How to Get There

Yet to get it right, zero trust will require a significant investment of time and resources. Among the biggest internal barriers that respondents highlight are a lack of executive buy-in and simply not knowing where to start.