By Tertius Wolfaardt, Architecture & Engineering Manager, Axis Communications
Networks are increasingly vulnerable thanks to a combination of sophisticated and numerous cyberattacks amid the exponential growth of the Internet of Things (IoT) and the number of connected devices. Case in point, the Middle East and Africa IoT market is projected to grow to nearly $3.4 trillion by 2030.[1] This is also in the context of increased cybercrime activity in the Middle East region. The UAE alone is forced to deter 50,000 cyberattacks daily, with attacks ranging from ransomware to cyber terrorism.[2]
As a result of this, the concept of a network being isolated within a firewall, or protecting the network perimeter with a single solution, is no longer feasible. The use of cloud-based services beyond networks and the benefits of creating a more ‘permeable’ perimeter – where customer and supplier systems are seamlessly connected, leading to significant improvements in supply chain efficiency – have changed the nature of network security. Therefore, a new approach is needed. One defined by a lack of trust.
Trust nobody and nothing
In a connected landscape, ‘zero trust’ networks and architectures have become the go-to solution. And not just from a physical security and surveillance perspective. According to a recent research report endorsed by the UAE Cyber Security Council, more than half (56%) of cloud security experts in the Middle East named zero trust strategies as their top priority for the next 12 to 18 months.[3],[4]
As the name suggests, the default position in a zero trust network is that no entity connecting to or within the network – whether human or machine – can be trusted, no matter who they are or how they connect. The overriding philosophy of zero trust networks is, ‘never trust, always verify’. This demands that the identity of any entity is verified multiple times in several different ways, depending on behaviour and the sensitivity of specific data in the network being accessed. In other words, a user is granted the least amount of access to fully complete their task.
Zero trust uses techniques such as micro-segmentation – applying varying levels of security to specific parts of the network where more critical data resides – and granular network perimeter security based on users and devices. It also uses factors such as the physical location of devices and other identifying data to determine whether their credentials can be trusted with network access.
Zero trust in practice
What defines a zero trust network? At the heart of it sits policy engines that allow organisations to create, monitor, and enforce rules about network resources and how data can be accessed.
A policy engine uses network analytics and programmed rules to grant role-based permission based on multiple factors. Put simply, the policy engine compares every request for network access and its context to policy, informing the enforcer whether the request will be permitted.
In a zero trust network, the policy engine defines and enforces data security and access policies across hosting models, locations, users, and devices, requiring organisations to carefully define rules and policies within key security controls, such as next-generation firewalls (NGFWs), email and cloud security gateways, and data loss prevention (DLP) software. Together, these controls enforce micro-segmentations beyond hosting models and locations.
Zero trust in video surveillance
Entities connecting to a network include people, of course, but increasingly, most network connections come from devices. This includes network surveillance cameras and associated network-connected devices.
As organisations move towards zero trust network architectures, it will be essential that these video surveillance devices adhere to the principles required for verification. It would be ironic if a device designed to keep the organisation physically secure led to a cybersecurity vulnerability.
Traditional forms of device security may no longer be enough. In the same way that bad actors can steal the access credentials of an employee (the first stage of a credential-based attack), they can compromise the security certificate of devices. In a zero trust network, new approaches are needed for devices to prove their trustworthiness to the network.[5]
For example, blockchain technology can provide an immutable root of trust for connected devices. Though more closely associated with cryptocurrencies, blockchain, as an open, distributed ledger that can record transactions between two parties, can be used for hardware roots of trust and establish trust keys within video surveillance devices.
Zero trust represents the next logical step in building resilient and secure networks. And as organisations in the Middle East connect more devices to more networks, the risk of vulnerability, even from a single weak link in the chain, is compounded. By working with reliable technology vendors and sourcing the right hardware, organisations can put the right kind of trust (or lack thereof) in their surveillance networks.
[1] Middle East & Africa Internet of Things Market Forecast [2030] (fortunebusinessinsights.com)
[2] There are 50,000 cyber-attacks daily in the UAE; here’s how you can help (zawya.com)
[3] The Future of Cloud Security in the Middle East Report Brochure | Cyber Magazine
[4] Zero trust strategies are top cloud security priority in Middle East, report finds (thenationalnews.com)
