Consider this advice to successfully replace a perimeter approach to security with a zero trust framework.
Despite organizations upping their spend on cybersecurity technology, infrastructure, and services each year, threat actors are still finding ways to slip through the cracks. There are two main reasons for this: One, human error: Unfortunately, many users still don’t take security seriously. They’re visiting websites that they shouldn’t, clicking on things that they shouldn’t, and entering credentials in places where they shouldn’t. As a result, their systems, identities, and credentials are becoming compromised, allowing attackers to comfortably walk in through the front door.
Two, attacks on applications: Attackers are going after internet-facing apps and leveraging errors and vulnerabilities in their code. This is because many of these third-party applications enjoy an implicit trust and usually their traffic is not inspected by organizations. The recent MOVEit hack is a great example where attackers leveraged a vulnerability and breached environments of more than 1000 organizations, stealing the records of more than 60 million people.
The castle-and-moat approach to security is obsolete
With more employees working outside the corporate perimeter and accessing data and software-as-a-service (SaaS) applications in the cloud, the traditional castle-and-moat model to cybersecurity is no longer relevant. Moreover, every single organization that’s been exposed to breach has a firewall in place, so a firewall isn’t always effective. Threat actors are now encrypting all the bad stuff and this encrypted traffic is passing right through firewalls using legitimate channels like port 443. Decrypting traffic isn’t always feasible. Legacy firewalls usually lack the capacity or performance to inspect the huge volume of incoming cloud computing traffic. For these reasons, many experts see zero trust as the answer.
Zero-trust implementation recommendations and best practices
In the physical world, if attackers show up to your building and present a valid company-issued ID, they receive blanket access to the building. They can go to any department, look at any room, access all different areas of the building, and leave.
Zero trust is based on the principle that no user, application, or device should be implicitly trusted. This means that if attackers show up at your building, their identity is verified in each of the rooms and departments they visit and not just at the front door. The US government has now mandated that all government agencies and contractors must adopt zero-trust technologies and frameworks.
Studies show that while 90% of enterprises are adopting zero trust, most of them are having problems unlocking its full potential. This is because zero trust is confusing and security vendors have been marketing it like technology that can be bought off the shelf. In reality, zero trust is more of an architecture (a framework), and there’s no silver bullet. Zero trust is all about minimizing or containing the blast radius. Below are recommendations to keep in mind when implementing zero trust:
1. Start zero trust afresh using a modern approach
When Blockbuster attempted to outsmart Netflix, they connected a bunch of DVD players to the cloud. This obviously didn’t produce the right fidelity and Blockbuster went bust. Fundamentally, they made the wrong architectural choice. Similarly, with zero trust, it’s important to consider technical debt and architect your security from the ground up. If organizations simply layer security on top, they will do more harm, introduce more loopholes, and create more complexities for managing security.
2. Reduce your attack surface using a security cloud
Always remember this: if you’re reachable, you’re breachable. Hence, if applications are exposed to the internet, chances are attackers will compromise it. Therefore, applications and servers must always be placed behind a security cloud to avoid this attack vector. Now, when an attacker knocks at your door, it’s a switchboard and not a door. The switchboard says, “Okay, where are you trying to go? I’ll bridge that connection for you. I’m not going to directly connect you to that application.” This is an important element of a zero-trust architecture.
3. Use segmentation to prevent lateral movement
While network segmentation is not new, zero trust encourages micro-segmentation. What this means is that organizations should segment or bifurcate networks, workloads, and applications at a granular level. Should adversaries breach your environment, micro-segmentation helps limit lateral movement, contains the threat, and restricts the malware from spreading across the entire environment.
4. Deploy fine-grained user access
Human error is inevitable. It’s the reason why most cloud breaches and ransomware attacks happen. If attackers gain access to a privileged user’s account, they can leverage it to steal sensitive information, take systems offline, hijack them, or move laterally across the network and compromise other systems. In a zero-trust world, users have access to things they are supposed to access and nothing more.
It’s not just an identity that is checked. You must review a few contextual parameters (time of access, location from where the request originated, type of device, etc.). To do this, organizations must enforce the principle of least privilege, apply granular permissions and deploy authentication mechanisms that take into account both identity as well as context.
5. Always keep user experience in mind
The fastest way to kill a zero-trust project is by disrupting users. If you deploy the architecture properly, user experience can actually get a boost, which can help reduce internal friction. For example, if authentication is seamless, access and connectivity will be easier; users will happily embrace zero trust.
Breaches are inevitable – locking windows and doors alone is not enough. What organizations need is a level of security that escorts users blindfolded to where the building is, then escorts them to the room where they need to go to, then escorts them back out while ensuring that nothing was taken or left behind. Zero trust is in its infancy however, if organizations follow best practices and focus on getting the architecture and user experience right, they will certainly build a more resilient cybersecurity posture, which is the need of the hour.