Trust matters, but not in cybersecurity. Here the zero-trust model is the better choice because it works on the premise of “never trust, always verify.” That applies to everyone and everything outside the corporate firewall, and equally to anyone and anything inside it. The zero-trust model assumes the worst, a breach or cyber attack, and acts on that assumption, verifying each and every request as if it came from an uncontrolled, potentially hostile network or source.
Zero-trust is the most practical approach today because, more often than not, the gravest threats to an organisation’s network come from people who already have access to it. These people, known as insider threats in zero-trust parlance, include executives, current staff, ex-employees, contractors and other stakeholders who are routinely handed the keys to the network, often arbitrarily or without a thorough check first.
Threats Are Everywhere
That practice, while commonplace, leaves the organisation’s network needlessly exposed. Consider the case of the former computer contractor at the personal credit rating firm Korea Credit Bureau, who from 2012 to 2014 repeatedly copied sensitive data, such as names and social security numbers, onto a USB stick and sold it to marketing firms (making him what is called a malicious insider threat).
Consider, too, the social engineering attack on Twitter that let hackers use Twitter’s own internal tools to take over the accounts of several high-profile personalities. Or the disgruntled former employee of an unnamed financial company in Ukraine, who used a vulnerability in the company’s database to obtain 100 GB of sensitive customer information that he then tried to sell to competitors. There is also the case of an unsuspecting Snapchat employee who fell for a phishing attack (making him a negligent insider threat) and exposed the payroll information of Snapchat’s staff to scammers.
These incidents are examples of insider threats exposing an organisation to cybercriminals and cyber attacks, and they underscore the very real risk of trusting too much and having no zero-trust architecture in place.
Making Zero-Trust Part of Company Culture
Suffice it to say, organisations need to make zero-trust an essential component of their security plan. Doing so institutionalises this practical approach and, in turn, helps accelerate the deployment of controls and technologies across identities, devices, applications, data, infrastructure and networks.
Once an organisation has made zero-trust the core of its cybersecurity culture, the next step is to apply the following best practices in implementing it. They come from experts who took part in a recent roundtable on zero-trust organised by Microsoft, the details of which are published in the eBook “Examining Zero Trust: An executive roundtable discussion.”
Use identities to control access.
The identities of people, services and IoT devices are the one thing common to networks, endpoints and applications, and they represent “a powerful, flexible and granular way to control access to data.”
With zero-trust, everyone and everything needs an identity, and when access to any resource is requested, the security controls must first verify the identity of the requester through strong authentication. Even after access is granted, further controls keep monitoring the session to make sure the identity stays within least-privilege bounds.
Identity verification is crucial to identity management, and the best way to do it is to incorporate multifactor authentication, continuous authentication or both. Among other things, these let your organisation keep validating an identity even when it changes IP address or departs from its usual behavioural patterns. They also make re-verification easy and transparent to the user, so it can be repeated at every access request rather than once at login. In short, elevating authentication can “substantially improve your organisation’s information security posture.”
Incorporate password-less authentication.
Passwords are passé as far as zero-trust is concerned. Zero-trust prefers password-less authentication, in which two or more verification factors replace the traditional password. Those factors are backed by a cryptographic key pair: when a device is registered, it generates a public key, which is handed to the identity provider, and a private key, which stays on the device and is unlocked with a PIN or a biometric such as a fingerprint scan, facial recognition or iris recognition. The PIN or biometric never leaves the device, and because the service holds only the public key there is no password or shared secret for an attacker to phish or lift from a breached database.
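To make the key-pair flow concrete, here is an added Go example of registration followed by challenge-response login with a device-held private key. It is not code from the original article or from Microsoft; the origin URL, device name and PIN are constructed, and the PIN compare is a stand-in for the unlock check a real authenticator performs in its own hardware. It goes slightly beyond the paragraph by binding each signature to the server origin, which is what makes this style of login resistant to phishing pages that relay a genuine challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server stores only public keys, so there is no password database to steal.
type Server struct {
	Origin     string                       // identity each signature is bound to
	devices    map[string]ed25519.PublicKey // device ID -> registered public key
	challenges map[string][]byte            // device ID -> outstanding one-time nonce
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, devices: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records the public key generated on the device at enrolment.
func (s *Server) Register(deviceID string, pub ed25519.PublicKey) { s.devices[deviceID] = pub }

// Challenge issues a fresh random nonce that is good for exactly one signature.
func (s *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[deviceID] = nonce
	return nonce, nil
}

// message is origin || nonce: a signature a phishing site obtains for its own
// origin does not verify for the genuine one.
func message(origin string, nonce []byte) []byte { return append([]byte(origin+"\x00"), nonce...) }

// Verify checks the signature with the stored public key and consumes the nonce,
// so a captured signature cannot be replayed.
func (s *Server) Verify(deviceID string, sig []byte) error {
	nonce, ok := s.challenges[deviceID]
	if !ok {
		return errors.New("no outstanding challenge (used or never issued)")
	}
	delete(s.challenges, deviceID) // one attempt per challenge, pass or fail
	if !ed25519.Verify(s.devices[deviceID], message(s.Origin, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Device keeps the private key locally; the PIN compare is a constructed stand-in
// for the unlock check a real authenticator performs inside its own hardware.
type Device struct {
	ID       string
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	pin      string
	unlocked bool
}

// NewDevice generates the key pair at registration; the private key never leaves.
func NewDevice(id, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, Pub: pub, priv: priv, pin: pin}, nil
}

// Unlock succeeds only with the correct PIN; until then the key cannot sign.
func (d *Device) Unlock(pin string) bool {
	d.unlocked = subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) == 1
	return d.unlocked
}

// Sign asserts possession for the origin the device believes it is talking to.
func (d *Device) Sign(origin string, nonce []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked: PIN or biometric required")
	}
	d.unlocked = false // one signature per unlock gesture
	return ed25519.Sign(d.priv, message(origin, nonce)), nil
}

func main() {
	srv := NewServer("https://login.example.test") // hypothetical origin
	dev, _ := NewDevice("laptop-42", "2468")        // constructed device and PIN
	srv.Register(dev.ID, dev.Pub)
	nonce, _ := srv.Challenge(dev.ID)
	dev.Unlock("2468")
	sig, _ := dev.Sign(srv.Origin, nonce)
	fmt.Println("genuine login:", srv.Verify(dev.ID, sig))
	fmt.Println("replayed signature:", srv.Verify(dev.ID, sig))
}
```

The two properties worth noticing are that the server never holds anything a thief could reuse (only public keys and short-lived nonces), and that a signature is useless outside the exact origin and challenge it was produced for. A real deployment would use FIDO2/WebAuthn, where the browser supplies the origin and the authenticator enforces the PIN or biometric, rather than this hand-rolled exchange.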
Segment your corporate network.
Network segmentation, dividing the network into segments and micro-segmenting within them, is crucial to zero-trust success because most, if not all, business-critical data is accessed over the network infrastructure today. It is nonetheless a pain point for many organisations because it can be complicated, especially where segmentation so far amounts to little more than perimeter firewalls.
Even so, segmentation must be done, because it provides the network controls that improve visibility and contain attackers when they try to move laterally through the network.
Secure your devices.
Again, the thrust of zero-trust is to trust no one and nothing, and that is especially critical in the Bring Your Own Device (BYOD) era. Under zero-trust, every device is untrusted and treated as a potential threat, which means it is subject to the same security policies whether it is owned by the organisation or is private property. The same holds regardless of whether the device connects over the corporate network, home broadband or the public internet.
Think of it this way: if you let even one unpatched device onto your network, you have let a possible threat walk in unchallenged. Device health (patch level, management enrolment, disk encryption) therefore belongs in every access decision, not just at onboarding.
Segment your applications.
In the age of the cloud, organisations must strike the right balance between giving access to cloud apps and services and keeping control over them. Getting that balance right lets you better protect those apps and services, along with the data stored in them. The way to do it is to put controls and technologies in place against shadow IT, grant appropriate in-app permissions, gate access on analytics, track and flag abnormal behaviour, verify secure configuration options and restrict what users can do.
Define roles and access controls.
Too many roles and access controls are a recipe for mismanagement later on, which can leave you vulnerable to threats of all kinds. This is especially true now that working from home has moved into the mainstream. Be selective, then, about the roles you create for everyone connected to the organisation so that you can manage them, and give each role only the access it needs. Then operationalise the roles and “tie them to a policy as part of authorisation, single sign-on, password-less access, and segmentation.”
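The identity, device and role practices above all come down to one policy decision per request. The following Go example, added here and not taken from the article or the Microsoft roundtable, shows a small policy engine making that decision in the zero-trust order: verify the identity with a strong factor, check the device's health regardless of which network it is on, then allow only what a narrow role grants. The users, roles, device records and factor names are constructed sample data, and the example is stricter than the text in one respect: it insists on a phishing-resistant factor rather than any second factor.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// DevicePosture is what the endpoint agent attests; BYOD or corporate, every request carries it.
type DevicePosture struct {
	ID      string
	Managed bool // enrolled in device management
	Patched bool // at the required OS/app patch level
	DiskEnc bool // full-disk encryption on
}

// Request is everything the policy engine sees for one access attempt.
type Request struct {
	User     string
	Factors  []string // factors presented, e.g. "password", "otp", "fido2"
	Device   DevicePosture
	Network  string // "corporate", "home", "public": logged, never used to grant trust
	Resource string // e.g. "finance/ledger"
	Action   string // "read", "write" or "admin"
}

// Role ties a name to the minimum it needs: resource prefix -> permitted actions.
type Role map[string][]string

type Policy struct {
	Roles     map[string]Role
	UserRoles map[string][]string
}

// Decision carries the verdict and every check that led to it, for the audit log.
type Decision struct {
	Allow   bool
	Reasons []string
}

// strongFactors are the phishing-resistant factors; a bare password never counts.
var strongFactors = map[string]bool{"fido2": true, "passwordless": true, "smartcard": true}

func hasStrongFactor(factors []string) bool {
	return slices.ContainsFunc(factors, func(f string) bool { return strongFactors[f] })
}

// Evaluate runs the checks in order: identity, device, then least privilege.
// Network location is recorded for the audit trail but never relaxes a check.
func (p *Policy) Evaluate(r Request) Decision {
	d := Decision{Reasons: []string{"network=" + r.Network + " (recorded, not trusted)"}}
	if !hasStrongFactor(r.Factors) { // 1. identity: strong verification, not a password
		d.Reasons = append(d.Reasons, "deny: no phishing-resistant factor presented")
		return d
	}
	d.Reasons = append(d.Reasons, "identity verified with strong factor")
	dev := r.Device // 2. device: same bar for BYOD and corporate, on any network
	if !dev.Managed || !dev.Patched || !dev.DiskEnc {
		d.Reasons = append(d.Reasons, fmt.Sprintf("deny: device %s non-compliant (managed=%t patched=%t diskenc=%t)", dev.ID, dev.Managed, dev.Patched, dev.DiskEnc))
		return d
	}
	d.Reasons = append(d.Reasons, "device compliant")
	for _, name := range p.UserRoles[r.User] { // 3. least privilege: a narrow role must grant it
		for prefix, actions := range p.Roles[name] {
			if strings.HasPrefix(r.Resource, prefix) && slices.Contains(actions, r.Action) {
				d.Allow = true
				d.Reasons = append(d.Reasons, "allow: role "+name+" grants "+r.Action+" on "+prefix)
				return d
			}
		}
	}
	d.Reasons = append(d.Reasons, "deny: no role grants "+r.Action+" on "+r.Resource)
	return d
}

// examplePolicy is constructed sample data: two narrow roles instead of one broad "staff" role.
func examplePolicy() *Policy {
	return &Policy{
		Roles: map[string]Role{
			"finance-analyst": {"finance/": {"read"}},
			"payroll-admin":   {"hr/payroll": {"read", "write", "admin"}},
		},
		UserRoles: map[string][]string{"alice": {"finance-analyst"}, "bob": {"payroll-admin"}},
	}
}

func main() {
	p := examplePolicy()
	ok := DevicePosture{ID: "lt-01", Managed: true, Patched: true, DiskEnc: true}
	unpatched := DevicePosture{ID: "lt-02", Managed: true, Patched: false, DiskEnc: true}
	for _, r := range []Request{
		{"alice", []string{"fido2"}, ok, "public", "finance/ledger", "read"},
		{"alice", []string{"fido2"}, unpatched, "corporate", "finance/ledger", "read"},
		{"alice", []string{"password"}, ok, "corporate", "finance/ledger", "read"},
		{"alice", []string{"fido2"}, ok, "home", "hr/payroll", "write"},
		{"bob", []string{"fido2"}, ok, "home", "hr/payroll", "write"},
	} {
		d := p.Evaluate(r)
		fmt.Printf("%s %s %s from %s: allow=%t\n  %s\n", r.User, r.Action, r.Resource, r.Network, d.Allow, strings.Join(d.Reasons, "; "))
	}
}
```

The second sample request is the one to watch: the same analyst with the same strong credential is refused from the corporate LAN because the laptop is unpatched, while the first request is allowed from a public network on a compliant device. The Reasons slice is what you would ship to the SIEM, so that every denial and every grant can be explained afterwards.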
Let Microsoft Help You
Today’s cybersecurity landscape keeps evolving and remains full of threats from both inside and outside the network perimeter. That is why zero-trust is now the way to go: it covers all your bases and lets you recognise and address threats from either side. That said, the transition to zero-trust can be difficult and takes time, often a matter of years.
So start now if you have not already, or accelerate your transition before it is too late. Either way, make zero-trust a core part of your company culture and then implement the best practices discussed above.
You can also draw on Microsoft Digital’s “Roadmap to Zero Trust,” a multifaceted approach to zero-trust whose goal is a security architecture able to address the security issues your organisation will face. It will also help you build a layered approach to securing both corporate and customer data through strong user identity, device health verification and secure, least-privilege access to corporate resources and services.
So, if you want what is best for your organisation, now is the time to never trust and always verify.