Video conferencing & Zero Trust security: Why should you care?

Learn how Zero Trust (ZT) is shaping the future of data security and how to optimize your ZT environment with Pexip.

Contents

  • What is Zero Trust?
  • The way things have been: Perimeter-centric security
  • The way things will be: Data-centric security
  • How does Zero Trust work?
  • Data confidence and dynamic risk assessment
  • Next generation data security

Joel Bilheimer

Strategic Account Architect
Pexip

Kevin Davis, ZTX-S

Principal Consultant
Advantage Engineering

We’ve all heard the buzz around the virtual water cooler that Zero Trust Architectures are The Next Big Thing in network security, but what do we really know about them? And, perhaps more relevant to our discussion today, why should you care?


This white paper looks at how and why Zero Trust (ZT) defines a data-centric security model and what that means in a real-time production environment. We build on that conversation to take a deeper look at how Pexip's video conferencing platform integrates with your existing ZT strategy and can even give you some new ZT concept ideas to consider.


What is Zero Trust?

The biggest challenge we face in implementing Zero Trust is simply coming to an agreement on what ZT encompasses. The easiest way to answer this question is to describe first what ZT isn’t; then we can start to discern what it is and, potentially, what it can be. At its core, Zero Trust is a cybersecurity framework. Now, I’m not John Kindervag by any stretch of the imagination, but the general idea of ZT is to upend the assumptions behind traditional data security and see where those assumptions lead you.

The way things have been: Perimeter-centric security

Traditional security is based on the notion that “they” are “out there”, and “we” need to protect ourselves and our data “in here.” As a result, cybersecurity has historically focused extensively on defining and defending the perimeter, by which we mean the boundary between the known and the unknown, or that which is “trusted” and that which is “untrusted”. Critically, as we shall see, this is illusory, as the notion of “trust” is a human concept and not one that has a place in enterprise information security. Even the nomenclature of networks (e.g., firewalls, demilitarized zones, gateways, gatekeepers) implies that there is a right side and wrong side of the network boundary, with our precious systems and data surrounded by barriers that keep it all safe.


There are two main problems with the traditional perimeter-centric network approach from a security perspective. First, if we focus all our resources on establishing external barriers while ignoring similar protections internally, then it only takes one crack in the dyke for our data protection levee to break.

Second, it turns out that blithely ignoring half of each public network transaction – for example, assuming all outbound traffic is valid – essentially guarantees that when (not if) your system is breached, the bad guys will have free rein to do whatever they want … in many cases, without you even knowing that they’re doing it. Phishing is one example of an “insider threat” that has proven extremely difficult to combat under traditional network security concepts. (I myself have clicked on those links, as I know you have, too.)

By focusing so much energy on hardening the perimeter, cybersecurity architects over the years have committed two cardinal sins.

For one, we haven’t achieved the actual core objective of protecting our data’s Confidentiality, Integrity, and Availability (the “C-I-A Triad”). If we had, “data breach” wouldn’t be a household term, and there would be no need for Zero Trust. Additionally, and perhaps even more critically, this approach has made legitimate cross-boundary uses much harder to implement, especially for video collaboration traffic.

As you well know, video architects and engineers have endured this environment for decades, and we have all experienced its negative operational impacts. Up until now, however, we have all been led to believe that perimeter data restrictions are necessary structural limitations in service of the greater good of protecting the network.

This is a fundamentally false assumption.

It's okay. We can fix it.


The way things will be: Data-centric security

In contrast to the perimeter-centric threat model, Zero Trust Architecture focuses on inherent qualities of data. It’s not the case that ZT ignores the perimeter, but in a world where your data can be anywhere at any time, zonal trust is an outdated concept. The fact is, if you are defending the perimeter, you must be right all the time, every time – but the attackers have to be right only once. Furthermore, the main attack threats emanate from the inside of your organization anyway, which you basically can’t defend under perimeter-centric security. Those are long odds on which to build your entire network security plan.

To combat this problem, ZT holds two key principles that transgress hoary network security norms but that prove extremely powerful. First, ZT assumes, point blank, that the bad guys are already in your network. “But,” I hear you saying, “my network security is fantastic, and only government and healthcare care about that stuff anyway. We’re too small for [REDACTED] to care about us.” Well, first off, I’m betting that your existing security isn’t as good as you believe it to be, and as for the second point, that false sense of security has allowed both nation-state attacks such as Stuxnet and more commonly accessible tools such as Mirai to be wildly successful.

Secondly, ZT also recognizes that the impact of a breach is not about how the bad guys got in, but what data they were able to see and export while they were there.

In essence, it doesn’t matter if someone can penetrate your system, because the only thing that matters is whether they can impact the C-I-A of your data. ZT creates structures and policies that prevent infiltration (which, again, we assume has already happened) from becoming exfiltration. By deploying a deny-any policy (meaning that, by default, no traffic or data is permitted to flow in any direction on any segment), and only then identifying specifically authorized data actions, ZT ensures that only approved and authorized traffic ever moves through an organization’s networks, either internally or across a boundary. From this perspective, it doesn’t matter if a microphone array or VoIP system gets hacked, for example, as long as the audiovisual data which that system provides can only ever travel to those internal destinations you approve. Ultimately, you can, and will, live with inbound breaches under ZT, because they will essentially have no impact on your operations.
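
The deny-any policy described above, sketched as an added example (not Pexip's code or configuration): a Python evaluator in which a flow is permitted only when it matches an explicit allow rule, and everything else is denied. The segment addresses, rule names and ports are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name src dst proto ports")   # src/dst are CIDR strings
Flow = namedtuple("Flow", "src dst proto port")

# Constructed allowlist: every name, address and port here is an illustrative assumption.
ALLOW = [
    Rule("mic-array-to-conference-node", "10.20.5.0/28", "10.20.9.10/32", "udp", range(40000, 50000)),
    Rule("voip-to-call-control", "10.20.6.0/24", "10.20.9.20/32", "tcp", range(5061, 5062)),
]

def evaluate(flow, rules=ALLOW):
    """Return (decision, rule_name). A flow matching no rule is denied; nothing is implicitly allowed."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and flow.proto == r.proto and flow.port in r.ports):
            return ("allow", r.name)
    return ("deny", None)

def denied_from_managed_sources(flows, rules=ALLOW):
    """Denied flows whose source sits in a segment the policy knows: worth an alert,
    since an approved device is attempting something it was never authorized to do."""
    nets = [ipaddress.ip_network(r.src) for r in rules]
    return [f for f in flows
            if evaluate(f, rules)[0] == "deny"
            and any(ipaddress.ip_address(f.src) in n for n in nets)]

# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Flow("10.20.5.3", "10.20.9.10", "udp", 40112),   # mic audio to the approved node
    Flow("10.20.5.3", "203.0.113.50", "tcp", 443),   # same mic, outbound across the boundary
    Flow("10.20.5.3", "10.20.6.15", "tcp", 22),      # same mic, sideways into the VoIP segment
    Flow("10.20.6.15", "10.20.9.20", "tcp", 5061),   # VoIP signalling to call control
    Flow("10.30.1.7", "10.20.9.10", "udp", 40112),   # unlisted source, approved destination
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(evaluate(f), f)
    print("alert on:", denied_from_managed_sources(SAMPLE))
```

The second and third sample flows come from the same microphone that is allowed to reach the conference node, so a compromised device still moves data only where a rule names it. The denied attempts double as a detection signal.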

How does Zero Trust work?

The first building block of Zero Trust is known as microsegmentation. Traditional security assumes that all traffic is valid within a given network segment and focuses on authorizing or restricting which segments can communicate with others. Microsegmentation implements a more...
