Stuck on zero trust? DNS might have an answer
- Published: Friday, 30 September 2022 07:45
Organizations taking an ‘all or nothing’ zero trust often find that they struggle to implement it effectively, especially when it comes to application access control. Chris Buijs explains why integrating DNS into the zero trust framework can help.
Working practices have become far more flexible over the last few years as more firms embrace remote and hybrid models. Recent research commissioned by EfficientIP found that just under half of businesses have fully accepted these working models as standard practice.
However, this flexibility comes at the cost of increased complexity - and complexity is the sworn enemy of security. Almost all respondents to the research anticipated challenges in implementing hybrid work, with network complexity being a major factor. 66 percent of respondents stated that they had medium or low satisfaction when it came to managing complexity and security.
The zero trust model has emerged as one of the most popular approaches for regaining control of increasingly complex networks and securing remote connections. Nevertheless, implementing zero trust can present its own challenges if the model used doesn’t provide enough fine-grained control.
The problem with ‘all or nothing’ zero trust
In recent times, zero trust has occupied an increasingly large chunk of IT security budgets and most organizations anticipate spending more over the year ahead. Organizations have usually focused their efforts on securing endpoints and remote connections to ensure that compromised user profiles and devices are prevented from accessing critical assets. This frequently results in an on/off approach facilitated through scanning the endpoint device’s environment. If a user or device is deemed unsafe, it is completely cut off from the network with no granular, in-between option. This can be very disruptive for legitimate users, essentially leaving them unable to do anything productive until the issue is resolved.
So, organizations need a more fine-grained approach that works on a per application basis. This means that if a user fails to authenticate for a particular system, they are only disconnected from that system and can still access other assets if the requirements are met. This is particularly useful for remote workers, as it means they can continue to access applications and assets with lower security ratings until the issue is remediated. At the same time, the security team can still implement the ’big hammer’ option to immediately cut off and quarantine the endpoint if the anomalies are confirmed.
The Domain Name System (DNS) infrastructure is a key enabler or facilitator of any network transaction but often overlooked method for achieving a more refined level of control.
How DNS provides more granular control
DNS plays a critical role in connecting endpoint devices to the Internet and enabling them to access online assets, from browsing websites to using cloud-based applications and files. As such, DNS steps in before any other interaction is completed between a machine and anything online. This makes it ideally placed to serve as a first line of defence / defense for monitoring and managing connections.
Integrated into a zero trust framework, DNS can provide valuable insight into what kinds of connection requests are being made. For example, it might become apparent that a particular instance of Office 365 is making unusual queries that fall outside of normal behaviour, indicating a potential malicious actor.
Furthermore, DNS is easier to utilise than many endpoint-focused security methods as everything needed is already there. Many firms get started with the inbuilt DNS tools provided by their Microsoft environment, for example.
The above research found that more than 99 percent of companies already have some form of DNS security in place, although just under half do not use a security solution built into a DNS server to benefit from the added advantages of these solutions, such as data and user protection. Awareness of these options is growing, but adaptation is still low.
The challenges to integrating DNS and zero trust
There are a few challenges that stand in the way of integrating DNS into a zero trust strategy. For one thing, although DNS tools are omnipresent, they were not designed with zero trust in mind. Microsoft’s DNS functionality, for example, is not particularly feature-rich and is somewhat lacking when it comes to logging.
It can also be a struggle to fully get to grips with the capabilities provided by the DNS server, and work out which areas are acceptable, and which are lacking.
Further, refurbing DNS to better fit the needs of zero trust can be a big project because it affects everything in the organization. In many cases, infrastructure will have years of legacy infrastructure to unpick, making it hard to know where to start. Even calculating costs is challenging without first knowing the extent of the project.
Nevertheless, this is true of most major IT projects, and any organization focusing on digital transformation, cloud migration, and zero trust, will already be undergoing these processes. Because most businesses already have it covered by default, DNS makes a good starting point for those feeling stuck – but this service is currently often overlooked for these kinds of projects.
How to start making the most of your DNS
An effective zero trust framework will eventually need both endpoint security and DNS to complement each other. The EfficientIP research found that just under half of firms see private enterprise DNS solutions as a useful method for protecting apps and services while enabling access for remote workers. This adds an extra layer of protection and enriches the key systems making security decisions. DNS analytics can also bolster behavioural threat detection, as well as implementing adaptive counter-measures.
Focusing on making better use of existing DNS capabilities can be a useful first step for organizations just getting started with their zero trust journey. Companies should explore the full functionality of their in-built DNS infrastructure and look to give it a bigger role in securing and managing their environment, by implementing greater client-based application control. From here they can identify its shortcomings and invest in more solutions with richer functionality as needed to strengthen their security posture.
For those businesses already underway with zero trust, DNS can provide a valuable source of information to make better decisions when it comes to security events and make them actionable. This threat intelligence can also help to inform a more proactive approach to security.
Wherever a business is on its zero trust journey, DNS is a powerful tool for both facilitating more granular automated decisions on granting system, user and application access, and more strategic decisions shaping the company’s security policy.
Chris Buijs is Chief Evangelist at EfficientIP.