Information security higher on the agenda
For both Inholland and Breda University of Applied Sciences (BUas), the ransomware attack at Maastricht University in late 2019 was an important reason to look at information security differently. Tom Daniëls of BUas: "Information security was of course already an issue with us, but it suddenly got a lot higher on the agenda: I had the board on the phone, there was a budget. Changes I already had in mind, I could now actually implement."
Developments also gained momentum at Inholland. Raymond Kales: "We first looked for best practices in the sector: how do other companies tackle it, what advice does the NCSC offer, and so on. As part of that, we conducted a red-teaming exercise, simulating an attack on our systems. Based on these actions, we decided to apply the zero trust approach to our network and the applications running there."
Zero trust: never trust, always verify
Zero trust is based on the "never trust, always verify" principle. You don't (any longer) assume that everything that happens behind the firewall is safe: you treat every request, even within your network, as if it comes from a source that cannot be trusted. "Even my own laptop I don't trust, so to speak," says Tom.
Micro-segmentation is an important concrete measure implemented by both Inholland and BUas. Previously, their networks were divided into a number of rather large zones. Once an attacker had access to a zone, he had all the space within it to cause damage. Now there are many more and much smaller zones, which are well protected from each other.
Tom gives an example: "We used to have a VLAN that contained all management interfaces, including administrators' laptops. We have solved that differently now." Raymond adds: "We also identify all traffic in the network. You used to trust traffic within a certain zone, now we always want to know which traffic goes where, and between which ports."
"Even my own laptop I don't trust, so to speak."
Tighter account management
One measure closely related to micro-segmentation is better account management. Raymond: "That is much tighter in our case now. We don't have admin accounts that give access to everything. People are given rights for a specific task they have to perform on the network (account tiering), often for a limited period of time (just-in-time privileges). Furthermore, we apply multi-factor authentication to many accounts, which also makes unauthorised access to the network more difficult."
24/7 monitoring and tracking of incidents
In addition to these measures, Inholland has set up a 24/7 monitoring and follow-up service. They outsource this to a party that detects suspicious situations and can act accordingly, for example by blocking an account or isolating a server. BUas recently took up SURF's SURFsoc/SIEM service, which has a similar function. "It's very nice that we now have an early-warning system," says Tom. "I wish we had got into SURFsoc/SIEM earlier."
Tom and Raymond have some tips for institutions thinking about getting started with zero trust. Tom's main tip is to make sure you have a mandate from the board. "At some parts of BUas, quite a few things have changed because of the new approach. That sometimes caused angry people at my desk who could no longer do things because access to a certain part of the network was better protected. In such cases, it is important to have the support of your board of directors."
"But everyone, including the board, sees the importance of a solid approach to information security and that is essential."
Aim for the stars
Also very important: set the bar high, because it will automatically lower due to the rapid developments in cybercrime and cybersecurity. Raymond: "Aim for the stars! Design well and stick to the principles you set up."
Explain the measures
For support within the organisation, it is important to explain changes well, Tom believes. "Then people sometimes still find it difficult, but then they are more likely to understand." Raymond agrees: "We see that colleagues fully support the new way of working, but they have to get used to it. For example, administrators have to define much more explicitly which traffic is allowed to pass through which port between different servers. They have to be aware of that, otherwise it won't work. You have to pay attention to these kinds of aspects."
Implement changes gradually
What helps with this is to implement changes gradually. Tom: "Then you have better control of the new situation. For example, we switched from unmanaged to centrally managed laptops all at once. There was quite a bit of resistance to this, for example because some older applications suddenly stopped working. It would have been better to test this change on a small user group first. That is why it is good to first introduce a new working method or application in your own department. Then you learn to work with it and experience the consequences. You can then avoid the first user frustrations."
"Measures like micro-segmentation and tight account management give me peace of mind. It allows you to pinpoint problems in your network much better
Zero trust gives peace of mind
So how do you tell if you are reaping benefits from the zero trust approach? That is difficult to indicate, because you don't know what incidents you have prevented, says Raymond. "But everyone, including the board, sees the importance of a solid approach to information security and that is essential."
"It's true that you don't see concrete results," agrees Tom. "But I do know that measures like micro-segmentation and tight account management give me peace of mind. You can pinpoint problems in your network much better, which also means you don't risk having to shut down all systems in case of an incident. So zero trust makes me sleep a lot better."
text: Jan Michielsen