Craig McDonald 23 March 2021 16:17:11 AEDT 11 MIN READ

Cybersecurity in 2021: Trusting in Zero Trust

Commenting on paradigm shifts in cybersecurity in 2020, Ann Johnson, Corporate Vice President, SCI Business Development at Microsoft wrote: 

“As we look past the pandemic to a time when workforces and budgets rebound, Zero Trust will become the biggest area of investment for cybersecurity. This means, that right now, every one of us is on a Zero Trust journey—whether we know it, or not.” 

As we continue responding to the challenges posed by COVID-19 and move from reimagining a new normal to living it, the Zero Trust security model has indeed emerged as a leading mantra in managing cyber risk. When I wrote an introductory overview of the model in 2020, it was aimed at businesses that were considering hopping onto the Zero Trust bandwagon. Fast forward to now, and that discussion has matured. For the companies that were already contemplating the Zero Trust security model, COVID-19 served as an accelerator, moving up the timelines for adoption. And now, as we progress deeper into 2021 and actively address the new realities of a post-pandemic era, the case for adopting Zero Trust is becoming stronger every day. Many experts now say the Zero Trust conversation has evolved from "What is it?" to "How do we achieve a Zero Trust architecture?". The implication is clear: Zero Trust has shifted from a business option to a business imperative. Here are a few reasons for its popularity, reasons you can use for better-informed discussions on the security model, no matter which stage you're at in your Zero Trust journey.

Mitigating the risks of ‘the largest and most sophisticated attack the world has ever seen’ 

One of the key factors that contributed to this shift and that renewed the discussion on Zero Trust security architecture in 2021 was the recent SolarWinds compromise, in which a trojanized update to the Orion platform was distributed to as many as 18,000 government and private customers, including federal agencies, with a smaller subset of those networks then actively targeted. Microsoft's President, Brad Smith, described the cyber-attack as "the largest and most sophisticated attack the world has ever seen". But as he explained in his U.S. Senate testimony on lessons learnt from the hack earlier this year, implementing a Zero Trust security model could have limited the damage caused, even with an attack of this scale and complexity.

Talking about the security of U.S. government networks targeted by the attack, he said in his testimony: 

“What we found in several cases was troubling. Basic cyber hygiene and security best practices were not in place with the regularity and discipline we would expect of federal customers with the agencies’ security profiles. In most cases, multi-factor authentication, least privileged access, and the other requirements to establish a “Zero Trust” environment were not in place. Our experience and data strongly suggest that had these steps been in place, the attacker would have had only limited success in compromising valuable data even after gaining access to agency environments.  
 
This incident serves as a reminder that we must all remain vigilant in driving implementation of basic cyber security practices – multi-factor authentication, patching and updating, deployment of strong detection tools and logging, use of least privileged access, creation of an incident response playbook that is up to date and routinely exercised for readiness, and other vigilant work to improve our defense and resilience to attacks.” 

 
Following Brad’s testimony, both the National Security Agency (NSA) and Microsoft recommended adopting the Zero Trust model, especially within critical networks and large enterprises. Earlier this year, the NSA also released a new guide to explain the Zero Trust model and its benefits, challenges involved with implementation, and advice to navigate the process. Within the U.S., a Zero Trust pilot was also undertaken as a joint effort with The U.S. Cyber Command, the Defense Information Systems Agency, and the NSA where experts are lab testing various technologies related to implementing the model. According to Neal Ziring, the technical director for NSA’s Cybersecurity Directorate, “The team has been able to demonstrate the effectiveness of Zero Trust at preventing, detecting, responding and recovering from cyber-attacks.”  

A 2020 survey conducted by Microsoft found that a staggering 94% of organizations have already embarked on their Zero Trust journey. As adoption of Zero Trust principles continues to grow, the model is becoming part of the basic architecture of many organizations' security environments, with reports circulating that it will also be driven by compliance requirements via frameworks from organizations including NIST in the United States and the National Cyber Security Centre (NCSC) in the United Kingdom.

Staying protected in an era of more potent supply chain cyber-attacks 

The current threat landscape has become a catalyst for supply chain attacks like the one on SolarWinds. Although many cyber-attacks still rely on rudimentary phishing schemes and password spraying to penetrate networks, the recent hacks on SolarWinds, Blackbaud and Accellion were unusually stealthy and sophisticated, which may suggest we've entered an era of more potent cyber-attacks that exploit and leverage weaknesses in the supply chain. Recent research found that 82% of organizations have suffered a data breach in the past 12 months due to cybersecurity weakness in the supply chain. In addition, attacks targeted at supply chains are now 50% more likely than they were five years ago. The reason is simple. COVID-19 has jolted organizations around the world into fast-tracked cloud migrations and digital transformations that enable their workforces to work remotely. This transition seemingly occurred overnight, and it has amplified vulnerabilities such as the use of unsecured networks and devices. Plus, as many supply chains sub-contract, company data is being handled by secondary, tertiary and even fourth-degree entities. Disparate yet interconnected networks are easier to exploit, and cybercriminals know this.

But as Brad Smith's testimony has shown, a Zero Trust environment can go a long way towards mitigating the risks of such attacks. The concept of Zero Trust, according to Microsoft, "assumes breach and verifies each request as though it originates from an uncontrolled network." By implementing the principle of least privilege and verifying each new request to access interconnected data and systems, Zero Trust helps organizations secure their environments and limits the blast radius of any successful attack. It offers businesses a chance to mitigate the risks of a very real threat in the current climate, which is why experts like Microsoft and the NSA are strongly recommending it, as in another excerpt from Brad Smith's testimony on the hack below:

“The security community collectively also needs to take steps to defend against future such attacks. To do that, the first and most important step is for every company, organization, or agency to take even more seriously the security of identity in their networks. This can best be done by applying “Zero Trust” principles to ensure that attackers cannot gain access to information or resources meant only for authorized users.” 

Addressing the agile and evolving needs of organizations 

Talking about the mass shift to remote work in 2020, Alym Rayani, General Manager, Compliance Marketing at Microsoft, said, "The past year has led to an evolution in not only how we think about work, but more importantly, where work gets done". Indeed, in 2020 the pandemic led to a fundamental rethink of how remote access was approached, but it's key to remember that the transition to new environments and secure ways of working is still ongoing. Experts like Gartner are identifying a hybrid work model (a flexible strategy enabling employees to work from different types of worksites) as a fast-emerging post-pandemic trend, one which companies like Google have already adopted. Many other organizations, on the other hand, are planning on working remotely well into 2021. Importantly, many are "still evolving" in their responses to keep their data and employees safe, responses that may understandably change over time due to shifting conditions and priorities. In the meantime, though, reports continue to emerge of cyber-attacks successfully exploiting security gaps in remote working policies.

Zero Trust is so popular right now because it addresses the new and agile needs of a modern organization, particularly as the pandemic renders the traditional network perimeter obsolete. The security model isn't dependent on which working model an organization adopts, or how far along it is in implementing one. Instead of relying on a single trusted network, the Zero Trust model shrinks the perimeter to each user or device that requests access to data, a perimeter that isn't limited by how distributed or remote they are. Every request is evaluated on identity, device health and the least privilege needed for that specific resource, not on where the request comes from. Such an approach reduces the likelihood not only of an attacker successfully infiltrating a network, but also of their moving laterally and gaining access to high-value targets after breaching it.
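To make "verify each request as though it originates from an uncontrolled network" and "narrow the perimeter to each user or device" concrete, here is an added example of a per-request policy check. It is illustrative code written for this page, not Microsoft's, the NSA's or any product's implementation; the role names, grants, step-up threshold and scenarios are all constructed assumptions. The point it demonstrates is that a request from the corporate network with no MFA is refused exactly like one from the open internet, and that a valid identity still cannot reach resources outside its least-privilege grants.

```python
"""Added illustrative example: a minimal per-request Zero Trust policy check.

Not code from the original article or from any vendor. Roles, grants and
thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One request for one resource. Every field is re-evaluated per request;
    nothing is cached from an earlier 'successful login'."""
    subject: str
    roles: Tuple[str, ...]        # roles asserted by the identity provider
    token_exp: float              # identity token expiry (epoch seconds)
    mfa_age: Optional[float]      # seconds since MFA was last satisfied; None = never
    device_compliant: bool        # posture signal from device management
    source_network: str           # 'corp' or 'internet': recorded for logging, never trusted
    resource: str
    action: str


# Least-privilege grants (constructed): role -> set of (resource, action) pairs.
GRANTS = {
    "finance-analyst": {("ledger", "read")},
    "finance-admin":   {("ledger", "read"), ("ledger", "write"), ("payroll", "read")},
    "hr":              {("payroll", "read"), ("payroll", "write")},
}

# Sensitive resources that demand a recent MFA (step-up): resource -> max MFA age in seconds.
STEP_UP_MAX_MFA_AGE = {"payroll": 15 * 60}


def evaluate(req: AccessRequest, now: float) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single request.

    Order of checks: identity freshness, MFA, device posture, least-privilege
    grant, then step-up for sensitive resources. Network location is
    deliberately absent: 'corp' gets no shortcut (assume breach).
    """
    if req.token_exp <= now:
        return False, "identity token expired"
    if req.mfa_age is None:
        return False, "MFA not satisfied"
    if not req.device_compliant:
        return False, "device not compliant"

    # Union of grants across all of the subject's roles; unknown roles grant nothing.
    allowed = set().union(*(GRANTS.get(role, set()) for role in req.roles))
    if (req.resource, req.action) not in allowed:
        # This is the check that limits lateral movement after a credential is stolen.
        return False, f"no grant for {req.action} on {req.resource}"

    max_age = STEP_UP_MAX_MFA_AGE.get(req.resource)
    if max_age is not None and req.mfa_age > max_age:
        return False, f"step-up MFA required for {req.resource}"

    return True, "all checks passed"


def run_scenarios(now: float):
    """Constructed scenarios showing which requests a Zero Trust check refuses."""
    valid = now + 3600
    scenarios = [
        ("corp network, no MFA",
         AccessRequest("alice", ("finance-analyst",), valid, None, True, "corp", "ledger", "read")),
        ("internet, MFA, compliant, in scope",
         AccessRequest("alice", ("finance-analyst",), valid, 60, True, "internet", "ledger", "read")),
        ("same identity reaching outside its grants",
         AccessRequest("alice", ("finance-analyst",), valid, 60, True, "corp", "payroll", "read")),
        ("admin with stale MFA on a sensitive resource",
         AccessRequest("bob", ("finance-admin",), valid, 3600, True, "corp", "payroll", "read")),
        ("admin on a non-compliant device",
         AccessRequest("bob", ("finance-admin",), valid, 100, False, "corp", "ledger", "write")),
        ("expired token",
         AccessRequest("bob", ("finance-admin",), now - 1, 100, True, "corp", "ledger", "read")),
    ]
    return [(name, *evaluate(req, now)) for name, req in scenarios]


if __name__ == "__main__":
    for name, ok, reason in run_scenarios(now=1_700_000_000.0):
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}: {reason}")
```

Only one of the six constructed requests is allowed: the one with a fresh token, MFA, a compliant device and a grant for exactly that resource and action. The request from the corporate network without MFA is refused, which is the practical meaning of "assume breach"; the request from a valid but over-reaching identity is refused, which is what keeps a single stolen credential from turning into access to everything.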

A survey conducted recently found 76% of enterprises have seen an increase in the number of personally owned devices connecting to their networks during the pandemic, "with 33% characterizing this increase as significant. Organizations that are more successful with their Zero Trust strategies reported more growth in use of personally owned devices, suggesting that successful Zero Trust initiatives are giving IT organizations the flexibility to better support them on the network".

As Zero Trust becomes the new normal for cybersecurity, I'm sure many more conversations will emerge, highlighting further advantages of the model and exploring new ways of overcoming its weaknesses and challenges, including how best to implement the model across your organizational systems. While the concepts behind Zero Trust aren't likely to change, technologies often do, and you may need to explore alternative ways of updating your environments and designing your security architecture accordingly. Here's where active collaboration with your CISO and infosec teams can play a huge role in deciding the right tools and methods for employing a Zero Trust framework across your company, based on your specific business model, needs and available resources.

Malicious emails are one of the most prolific ways fraudsters infiltrate networks, so exploring how you can adopt a Zero Trust approach to email security for your business might be a good starting point. No one vendor can stop all threats, so don't leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard 365 to complement Microsoft 365. With evidence-based reporting that shows the threats evading your existing defences, you can take a free Microsoft 365 email security health check to discover the gaps in your current email security strategy. For more information on how MailGuard 365 can enhance your business email security, feel free to reach out to my team at info@mailguard365.com

The Zero Trust model has emerged as a popular security model that adapts to the complexity of the modern environment, embraces the mobile workforce, and protects organizations in an era of increasingly potent cyber-attacks. As with most things, there’s no one-size-fits-all solution, but ample evidence exists that slowly but surely, trust in Zero Trust is growing. Let’s keep this in mind as we continue fortifying our cybersecurity measures to make our businesses more cyber resilient than ever.  

Why do you think the Zero Trust approach to cybersecurity is so popular today? Write your comments below.