Amidst ongoing digital transformations across organizations, network infrastructure is a critical concern, posing challenges in lifecycle management and security. Malicious actors are exploiting these vulnerabilities, and companies are paying for it. In 2022, the FBI’s Internet Crime Complaint Center received 800,944 complaints, totaling $10.3 billion in losses. Ransomware attacks are escalating in frequency and complexity, making prevention incredibly challenging.

As companies continue to spend on digital transformation — Gartner estimates global spending will reach $4.6 billion by 2026 — they must also protect themselves. Corporate IT systems are increasingly vulnerable to cybercriminals, who exploit security gaps and deploy intricate attacks to spread ransomware or malware within networks. The gaps left behind are typically authentication or peer-to-peer communication-based, and the most effective way to alleviate these pressures is through zero-trust strategies.

Outdated authentication methods

Almost all corporate networks have gaps that make it nearly impossible to make sure every user and device is authenticated and authorized before connecting to the network.

Outdated authentication methods pose a huge security risk to a company’s network, and many wireless IoT devices aren’t capable of utilizing more advanced authentication methods, like IEEE 802.1x-TLS. Smaller organizations often use pre-shared key (PSK) methods to authenticate users, but unfortunately, PSKs are both easy to share and vulnerable to attacks.

As it pertains to wired networks, secure methods like IEEE 802.1x-TLS are an option, but they bestow a greater workload upon network and security personnel and are especially hard to deploy and consistently manage. For this reason, in most cases, there is no authentication required at all when a user connects a device to the network via an ethernet port; meaning no passwords or secure code is issued to verify whether a user should be permitted access. Wired IoT devices are also exempt from authentication methods and are usually allowed to connect to the network with little or no friction. IoT devices are inherently insecure in nature and coupling them with a lack of secure authentication opens businesses up to a number of cybersecurity vulnerabilities that have already proven to be harmful.

Malware proliferation

When a device is connected to a network, it’s placed into a virtual local area network (VLAN) associated with the port it’s connected to or its device profile. Once a device is in a VLAN, it's allowed to discover other devices in the same VLAN and communicate freely with them. All of these connections make viable and easily accessible entry points for even mediocre cyberattackers. Employee laptops are also compromised regularly through phishing and social engineering tactics. In many instances, one can discover and connect to any device in other VLANs as well, which could prove detrimental if a bad actor makes their way into an organization’s internal network.

Ideally, companies prefer to group devices into smaller VLANs to limit their attack surface area, but this level of VLAN grouping and Layer 2 techniques require copious amounts of time for setup and maintenance. Attempts in the past to reduce the size of Layer 2 VLAN domains through a variety of methods have proven unsuccessful and can even cause headaches for IT teams.

For these reasons, many organizations are investing in detection solutions. Since they are unable to prevent an attack from occurring, companies often experience tradeoffs because these tools don’t immediately detect malware and ransomware; they usually detect it before it becomes a “major issue.”

The solution: zero trust

The key to mitigating these risks is implementing a zero-trust framework that eliminates the gaps in an organization’s security structure where attackers can easily gain access across their network. Zero trust is a necessary step toward reducing attack surface area and bolstering security natively within the network. This can be achieved through the following: zero-trust access, isolation, and network.

Zero-trust access ensures every user and device is authenticated and authorized before providing any access and continuously authorizes the user to avoid any spoofing of the user’s identity. This access must be consistently implemented for both wired and wireless devices. To provide zero-trust access, networks can also support multi-authentication methods across both wired and wireless, to MAC authentication bypass (MAB), wired SSO, and PSK-SSO where needed.

Zero-trust isolation completely isolates every user and device from every other user and device on the network, preventing any communication between them unless the security policy expressly permits a particular device, application, and type of communication. In zero-trust isolation, each connection is isolated from the device and the traffic is directly sent to the firewall or a micro-segmentation policy engine. This prevents any lateral east-west movement of traffic and, thus, eliminates the possibility for malware proliferation. Such policies can be established within a fully automated network as a service (NaaS) solution with no need for constant monitoring or can be implemented through a micro-segmentation policy engine.

A zero-trust network also ensures that every element within the network — not just users and devices — is authenticated through mutual trust access control to prevent rogue insertion. Communication between all wired and wireless devices across the network is encrypted through an end-to-end built-in MACsec, including IEEE 802.1AE, preventing bad actors from accessing the network.

These zero-trust models give organizations the capability to not only stop threat actors from spreading ransomware laterally across the network but also to support current prevention and detection solutions. Such a framework allows companies to detect vulnerabilities early and act quickly, mitigating the possibility of these gaps leading to a breach.

In the case of many small to medium-sized enterprises, network security has always been characterized by tradeoffs, as stronger security is often associated with higher costs, increased complexity, and constant maintenance for IT personnel. The majority of today’s solutions lack the necessary capabilities to securely add users and IoT devices to wired and wireless networks. However, if these security risks aren’t addressed, attackers can use these vulnerabilities to spread malware to take control of other devices, thus gaining more permissions and allowing them to stay connected to the network as long as possible.

Suresh Katukam is the chief product officer and co-founder of Nile. He has over 20 years of leadership experience across engineering, product management, business development, and M&A. He has co-authored technology standards, published AI research papers, and has 40 patents in networking and security. Katukam has an M.B.A. from the Anderson School of Management, UCLA, an M.S. in C.S. from Arizona State University, and a B.S. in computer science from BITS, Pilani, India.