The missing piece of your network security
Utilizing penetration testing to embrace a ‘never trust, always verify’ approach
May 15, 2023 · Authored by Brian Nichols
Imagine you renovate the exterior of your home with state-of-the-art security doors and windows. Additionally, you install brand new locks on every interior door throughout the house. You’re confident nobody can enter your home, or move about freely within, without you granting them appropriate access.
But what if you never (or rarely) ensure these security measures actually work? You never test whether the exterior doors and windows lock properly, or whether the right keys grant access to the right rooms internally. How do you know if any of these investments or improvements accomplish your goal of home security without actively testing them?
The short answer? You don’t.
The bigger implication—you want to test your security system before someone else does.
As modern networks grow more complex, evolving from legacy networks with clearly defined perimeters, to distributed cloud and even increasingly popular hybrid models, the "trust but verify" principle is quickly (and necessarily) becoming "never trust, always verify." Enter the zero trust security model.
Older, geographically defined network security systems assume that users within their perimeter are trustworthy, simply by virtue of their having already made it inside, and are therefore free to move about laterally within the network and access resources as they desire. Not so with the zero trust model, which requires strict and ongoing individual validations before granting user access to each application and requested resource. Operating under a ‘need to know’ approach that assumes no traditional network edge, zero trust models require continuous validation of all requests based on the identity of the requester and the resource being accessed rather than on the perimeter of the network.
The upside? Organizations can maximize the efficacy of their network security by moving from a perimeter-based, single-validation network security system to a resource/identity-based, continuous validation framework built on a zero trust model.
The challenge? Zero trust security is a proven approach to securing modern networks—but it requires thorough testing to ensure its effectiveness.
As your organization implements zero trust principles, the capability to perform robust security testing and validation is vital to ensuring your network security system is operating as intended. Penetration testing and vulnerability assessment activities can be used to achieve the following objectives:
- Validate the configuration of zero trust security features such as web application firewalls and next-generation firewalls
- Utilize penetration testing activities to confirm that users can move laterally across the network only after passing continuous validation
- Perform web application tests that generate authenticated and unauthenticated traffic to ensure configurations align with established zero trust principles
- Attempt privilege escalation to determine whether users are able to escalate beyond the principle of least privilege
- Provide insight on real-world situations by emulating advanced user scenarios and behaviors to discover whether zero trust principles are implemented effectively
- Ensure validation mechanisms are configured appropriately by attempting to connect devices to the network
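To make the contrast between perimeter-based single validation and per-request identity validation concrete, the following constructed Python example (added here, not part of the original article) replays a few lateral-movement and privilege-escalation scenarios against both policy models and reports every grant that exceeds the requester's least-privilege entitlements. The users, roles, resources and entitlement table are assumed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """One access request as a policy decision point would see it."""
    user: str
    role: str
    resource: str
    inside_network: bool   # did the request originate inside the "trusted" LAN?
    device_managed: bool   # is the endpoint managed and compliant?
    mfa_verified: bool     # was identity re-verified for this request?

# Constructed least-privilege entitlements: which roles may reach which resource.
ENTITLEMENTS = {
    "hr-portal": {"hr"},
    "finance-db": {"finance"},
    "wiki": {"hr", "finance", "engineering"},
}

def perimeter_policy(req: Request) -> bool:
    """Legacy model: anything already inside the network edge is trusted."""
    return req.inside_network

def zero_trust_policy(req: Request) -> bool:
    """Never trust, always verify: identity, device posture and explicit
    entitlement are checked on every request, wherever it came from."""
    return (req.mfa_verified and req.device_managed
            and req.role in ENTITLEMENTS.get(req.resource, set()))

def find_violations(policy, scenarios):
    """Replay test scenarios against a policy and return every (user, resource)
    pair the policy grants although the role has no entitlement to it."""
    return [(r.user, r.resource) for r in scenarios
            if policy(r) and r.role not in ENTITLEMENTS.get(r.resource, set())]

# Constructed scenarios modelled on the testing objectives listed above.
SCENARIOS = [
    # engineer on the LAN attempting lateral movement into HR data
    Request("eve", "engineering", "hr-portal", True, True, True),
    # finance user on an unmanaged laptop reaching their own database
    Request("fay", "finance", "finance-db", True, False, True),
    # HR user working remotely with a managed device and fresh MFA
    Request("hal", "hr", "hr-portal", False, True, True),
    # contractor with no entitlement probing the wiki from inside the perimeter
    Request("guest", "contractor", "wiki", True, True, False),
]

if __name__ == "__main__":
    for name, policy in (("perimeter", perimeter_policy), ("zero trust", zero_trust_policy)):
        print(f"{name}: violations = {find_violations(policy, SCENARIOS)}")
```

Running it shows the perimeter model granting the two inside-the-network requests that exceed entitlements, while the zero trust model grants only the entitled, verified request and denies the rest, including the entitled user on an unmanaged device.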
The complexities of modern networks (and the modern workplaces they support) increasingly require a zero trust model to optimize and ensure organizational security. Zero trust models, in turn, increasingly require robust performance and security testing to ensure they’re working as designed.
And that’s where Baker Tilly comes in. Quite simply, if you can’t test it, you can’t validate it. And if you can’t validate it, you can’t protect it. Whether you’re considering a zero trust model for the first time or are struggling to ensure the efficacy of your current system, our security-by-design approach not only helps to optimize your zero trust security model but test it, continually, before anyone else does.