Good Things Happen when Network Engineers Internalize Spider-Man's Mantra

I'm a big fan of comic books and the superheroes that they depict. From Marvel to DC Comics and from Ironman to Superman, the good guys represent truth, justice, and doing the right thing even through difficult circumstances. Perhaps my favorite comic book character is Spider-Man, whose Uncle Ben teaches us that "with great power comes great responsibility." So how does this apply to network engineers and network operations teams and their increasingly crucial role in enabling the business?

The network is the backbone of any digital business. For engineers responsible for that network, being given administrator-level privileges capable of making real-time changes to network and security devices is a very high honor. Accepting such a privileged account, one that allows updates to configurations, security settings, and policies associated with routers, switches, and firewalls, comes with a great responsibility. The lifeblood of the business depends on those changes being done correctly.

To honor those privileges, network engineers must be able to operate in a way that allows for the least amount of risk and the highest amount of efficiency. For instance, changes should be made from a secure jump box, logged and stored securely in an immutable record that can be audited for compliance reasons, and restricted so that administrators only have the permissions they need to get their jobs done.

If you think this sounds a lot like a

Zero Trust

approach to network operations, you’re right. And the timing couldn’t be better.

Zero Trust is a cybersecurity paradigm that has been discussed for years and has now reached a tipping point.

According to John Watts

, a vice president analyst at Gartner, Zero Trust is moving from hype to reality with over 60% of organizations predicted to embrace Zero Trust as a starting place for security by 2025. And

The State of Zero Trust Security 2023

report finds that the number of organizations with a defined Zero Trust initiative in place has reached 61%, far exceeding those who are still in the planning stages.

Zero Trust requires a shift in focus from static, network-based perimeter defenses to users, assets, and resources. Instead of implicitly trusting these entities, risk and trust levels are continuously assessed based on identity and context. This is part of what

Zero Trust Network Operations

is about – giving your NetOps team a methodology for conducting business in such a way that lowers risk and enhances your ability to solve problems rapidly without introducing new issues or heightening security risk.

Bringing Zero Trust to NetOps

Organizations have already embraced complementary capabilities applicable to other users that require network access. Companies such as Portnox enable

Zero Trust Network Access

(ZTNA) at the user level, locking down what users can do on the network. Credential vault providers like Beyond Trust and CyberArk provide privileged access management, meaning oversight and management of admin-level access to servers and compute environments. The missing components are privileged access management systems and methodologies for network teams to access network management systems, control systems, and the network and security devices themselves. Given the evolving set of cybersecurity conditions at the network layer, it's time to bring privileged access management to the part of the IT infrastructure that NetOps is responsible for.

Zero Trust Network Operations supports and extends the Zero Trust Network Access framework by enabling key controls around owned and controlled network and security devices to constantly assess risk and Trust for devices and network administrators. These controls inform policy, ensure compliance with internal and industry best practices, enable management and visibility of networking device vulnerabilities, and provide logging and auditing of operational changes to devices and configurations.

An example from the trenches

No matter how secure you try to make your network, if you don't manage privileged access and instead allow administrators to access network assets and make changes in an insecure and unaudited way, your entire network is at risk.

The risks are not just due to mistakes – typos, misconfigurations, or other changes that unintentionally create a ripple effect of instability in other parts of the network. Malicious behavior is also a risk. I have personal experience working for a very large service provider that had to terminate one of its senior network engineers. Before the company was able to decommission his access, he was able to get into the network from home, lock them out of all their core routers, and demand a ransom. Looking back now, I can't help but think that if there had been a centralized way to manage privileged access and decommission his access quickly and comprehensively, the situation could have been avoided. In this case, we were able to thwart the disgruntled employee's efforts, but it took many expensive experts quite a lot of time to get it done, and in the meantime, the service provider was exposed to quite a lot of risk.

This may sound like an extreme example, but similarly, if a laptop is stolen and an unauthorized user manages to bypass security measures and ultimately access your core firewalls, any number of activities could happen without your knowledge that expose your organization to risk. A

Zero Trust approach

to manage privileged access can limit the scope of access to begin with, allows for quick lockout and reset of admin-level access, and enables you to audit for and remediate compromising activity.

Uncle Ben was right. With great power comes great responsibility. But that responsibility doesn't have to be a burden. We can bring the same concepts applied to managing user-level access to the network and managing admin-level access to servers and compute environments to managing administrator-level privileges for your NetOps team. As the keepers of the network, their seats of power rise. Making sure they can operate with the least amount of risk and the highest amount of efficiency is critically important.

Josh Stephens is the CTO of BackBox.

Related articles: