Risk, complexity, and no mistakes ever: the untenable absurdity of legacy security
Apr 12, 2022
This is the seventh commentary in the series “Defining Zero Trust Security.”
Extended threat landscape and lateral movement threat: When the convenience of accessibility is your biggest vulnerability
Legacy hub-and-spoke network architectures are, by design, vulnerable to cyberattack.
Of particular business risk are Virtual Private Network (VPN) extensions to corporate hub-and-spoke networks. Sadly, VPNs have become a knee-jerk response to pandemic-imposed remote-work mandates. Faced with having to enable remote work fast, legacy-infrastructure-burdened organizations had little choice but to force home-bound employees to connect via (vulnerable) VPNs. For some organizations, that meant extending the corporate network (via VPN-based network access) to tens if not hundreds of thousands of remote locations. Those IT administrators suddenly had to secure a network with exponentially more spokes. And VPN solutions promised security. But they didn’t deliver.
Traditional network architectures offer inviting targets for hackers. But it’s the convenience of the access they provide that has led to their structural undoing and security failings. In a hub-and-spoke model, users connect to a network and then traverse the network to their desired destination. Unfortunately, so do hackers.
Colonial Pipeline Co., Equifax, Arizona Beverages—all had perimeter-based security. In response to attacks, many legacy-environment organizations shore up existing barricades. Adding locks to the front door may feel like a constructive act of defense, but it won’t slow down thieves if the windows are left open.
When a cybercriminal breaches a corporate defense -- perhaps by guessing a password, or maybe via stolen credentials -- that hacker can move around the network with impunity, targeting any system or device attached to it. That’s a potent reality of ransomware efficacy: The malware moves through the network capturing systems and encrypting data, enabling the threat group behind the attack to demand ransom for resuscitating crippled operations.
“No one will click that link”: The unsupportable absurdity of hardware-based security management
Traditional castle-and-moat security architectures were never designed for a hybrid way of work mixing on-prem and remote work. Worse, they’re neither secure nor securable. Yet many IT organizations continue to employ them, even though they cannot be effectively managed.
Well-publicized cyberattacks—such as the one against meat-processing company JBS—highlight the legacy castle-and-moat model’s shortcomings. And much of the problem stems from the “all-or-nothing,” single-challenge nature of castle-and-moat network access. Security is only as strong as its weakest point. That vulnerability might be an individual employee responding to a phishing email. It could be a weak password, an exposed IP address, or an overtaxed information technology (IT) department one week behind on hardware security patches.
It’s been said that a hacker need only get lucky once, while vigilant IT security must always be lucky. That illustrates legacy infrastructure’s most absurd expectation: that manual cybersecurity efforts must be perfect. Always. Otherwise, adversaries will pounce. IT leaders can never make a mistake. Nor, for that matter, can employees, who must become experts in recognizing sophisticated social-engineering campaigns such as phishing or spear-phishing lures.
Perhaps the model’s biggest limitation is its lack of security awareness. Information technology (IT) leaders relying on traditional security models often have no way to measure the “secureness” of their environments. In fact, most don’t know that their companies have been hacked until they see evidence (such as ransomed data) in the aftermath of an attack.
“The way we’ve always done it”: inflexible, reactive, and oh-so-expensive
The rationalization justifying enterprise use of hub-and-spoke network architecture with castle-and-moat security is unquestionably outdated, woefully out of touch, and inherently risky. But it’s also utterly untenable.
First, hardware doesn’t scale. IT leaders using appliances for security purposes must buy for a maxim capacity throughput. If data traffic spikes, those IT leaders have no way to increase bandwidth quickly without procuring, installing, testing, and deploying more machines, a process that can take months. Contrast that with the scalable nature of cloud services, which can ramp up capacity to accommodate traffic volumes.
Second, managing appliance-based solutions puts corporate IT leaders in the business of cybersecurity. To protect corporate resources, those same IT leaders must keep up with the armies of threat actors seeking to launch ransomware attacks. Those adversaries are discovering new vulnerabilities every day. And ultimately, with hardware, the corporate castle is only as secure as the last patch. IT leaders clinging to legacy hardware have to ask themselves, is cybersecurity a business we want to be in?
Third, traditional network and security architectures are costly, and only growing more expensive as the corporate workplace evolves. Network architectures require extensive hardware investment, from physical servers to MPLS wiring. Security adds to that. Hardware must be duplicated in branch offices, adding more appliance and MPLS costs. And then there’s maintenance. Each physical machine must be installed, operated, serviced. Often, an IT organization’s most expensive budget line item is technician travel to service distant branch-office security hardware. (Not to mention the productivity hit when downtime occurs.)
 A sobering (and depressing) stat: To enable remote work and preserve some semblance of operational continuity when the 2020 pandemic hit, some 94% of (rather desperate) IT administrators employed VPNs knowing they were vulnerable: Zscaler 2021 VPN Risk Report.
 Contrast that with a zero trust environment, in which a user connects directly to an application or resource, wherever it (or the user) may be located.