These days, just about everyone wants you to “trust” them.
Trust in a product to have “magic powers”, trust in self-driving cars to get you safely to your destination, trust in a company or a person. Our politicians seem to overuse this term on a daily basis, yet we all know the dangers of trusting politicians. Trust by its very nature implies that you are surrendering some of your better judgement in anticipation of a positive outcome, which otherwise might not be guaranteed!
While I am not entirely certain what pretense security analysts at Forrester Research used back in 2010 to coin the “zero trust” term, the “zero trust” model in fact does the opposite. The zero trust security concept introduces a belief that no one inside or outside of a company’s networks should be automatically trusted. No one should automatically gain access to a company’s systems just because they are already connected to the corporate network.
It is simple – organisations should not trust any device, any user, any client until its identity can be verified.
With users able to work from any place and on any device, we can no longer rely on keeping everyone safe behind a firewall.
This is particularly critical right now, given that a majority of Australian businesses are under some form of working-from-home arrangement, which is driving the number of remote workers through the roof. It is also fuelling a meteoric rise in cyber-attacks and threats, including phishing attacks claiming to have COVID-19 related information or tools, and ransomware attacks on healthcare organisations. Zoom warrants its own mention -- a recent startup trying to meet the demand, but skipping critical security functions in the rush to the market. Their customers are now paying the price through compromised security!
Zero Trust adapts to the complexity of this modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they are located. Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes a breach and verifies each request as though it originates from an uncontrolled network. The Zero Trust approach is based on three guiding principles:
Now we have:
The public has loved these new technologies, but from the vantage point of cybersecurity, they have created a perfect storm. Additionally, when you throw shadow IT vulnerabilities into the mix -- the tendency of employees to introduce their own third-party software preferences or devices into a company’s network without IT’s knowledge or permission -- your company’s cybersecurity suddenly becomes the Wild West.
One of the key ideas behind ZTS is that there IS no protected perimeter.
Here’s a common analogy that Zero Trust advocates make when explaining the problem with the old way of doing things. Imagine if airports removed their security measures that vetted people’s identities and removed checkpoints to ensure they didn’t have anything dangerous before boarding their flight. Imagine if airport security allowed anyone to get on a plane, and then tried to vet each passenger ten minutes before departure while everyone is sitting on the plane, buckled up and ready to go. That’s essentially what’s happening in the cyber world. A packet can wander freely into a network segment and engage with an application before being required to show any credentials.
As applications move to the cloud and break down security barriers, traditional security approaches like antivirus are rendered obsolete.
Users are accessing applications from all types of devices both inside and outside of the corporate network, as business spreads out across multiple locations. To enforce high standards of protection and compliance, IT service providers need a solution that is dynamic, flexible, and simple.
Antivirus, EDR, and other threat detection tools only look for threats and suspicious behaviour. Therefore, they cannot distinguish between Dropbox and a piece of malware disguising itself as genuine software.
For example, in March of this year, a major vulnerability was discovered in Zoom, which exposed millions of users.
With the right policies in place, these users could have been protected. The problem is that the majority of IT professionals, utilising an outdated approach to security, focus on threat detection and fail to prevent data breaches associated with vulnerabilities in applications such as Zoom.
Additionally, the rise of ‘Internet-of-Things’ devices on home networks introduces areas of potential compromise. Many of these devices regularly phone home to their manufacturers, and at times, are accessible from highly suspect sources.
Organisations who take the time to review which applications are needed by their users, integrate logins with Azure AD or MFA, block applications that aren’t needed, and control how permitted applications can behave, are enforcing high standards of protection.
Ultimately, the way in which users operate in the complex IT world today is paving the way for a zero-trust approach. If your IT service provider has not already implemented a zero-trust solution, you might want to consider looking for someone who can offer the most up-to-date approach to security.
It is important that every business reviews the six pillars that represent a data estate:
We know that information technology can sometimes be daunting. If any of these terms are unfamiliar, please contact one of our IT professionals so that we can better assess your needs and educate you on the solutions that would work best for you.