Suzanne Collins, author of the famous trilogy, The Hunger Games, once wrote: “For there to be betrayal, there would have to have been trust first.”
So, if you eliminate trust, you eliminate betrayal – a concept that has picked up steam within the cybersecurity community worldwide (though I’m pretty sure Collins had nothing to do with it).
Welcome to Zero Trust security, an approach to cybersecurity where everything is untrusted. You can’t trust networks, you can’t trust devices and you can’t trust people.
Businesses are actively adopting this model too: A recent survey by Okta found that globally, 40% of companies are currently deploying projects that are aligned with a Zero Trust approach to security. That includes 60% of North American organisations and 50% of ANZ ones.
As business owners, we often rely on input from our IT and Infosec leaders on cybersecurity trends like these and their relevance in enhancing cyber resilience within our own organisations. Before you set up that meeting to decide if you want to hop on the Zero Trust bandwagon though, here is a non-technical introduction, along with some gathered insights on adopting it in the current corporate landscape – insights that you can use as talking points for a more in-depth and informed discussion.
What is Zero Trust security?
Far from being a new paradigm in cybersecurity thinking, Zero Trust got its name around a decade ago when John Kindervag, a former analyst at Forrester Research, coined the term, calling it “not only a general best practice but also a strategic security initiative” with a simple motto: “never trust, always verify”.
The US National Institute of Standards and Technology (NIST), in its current draft of standards for Zero Trust architecture, defines it as "a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated."
Breaking this down, there’s a very simple, but powerful idea behind the concept: don’t trust anything or anyone that requests access to your systems and/or data before verifying their identity - regardless of where the request originates or what resource it accesses.
This model of information security rejects the castle-and-moat approach to cybersecurity that standard security models used to operate with – that everything on the inside of an organisation’s network or perimeter can be trusted. Instead, Zero Trust assumes that there is no perimeter keeping the bad guys out, and that the bad guys are inside already.
The main reason for this is that the “castle” itself no longer stands alone. Businesses today are not dependent on a contained and defined network of systems, but instead mostly function via a mix of cloud and on-premise applications with their users (employees, vendors, customers, partners) accessing data & applications from multiple devices across a range of locations worldwide.
Unfortunately, in this environment, users can be tricked and accounts & devices compromised, making it difficult to always know whether requests to gain access to networks are legitimate. Emails remain the top threat vector, with nine out of 10 cyber-attacks delivered by emails, including socially engineered emails, those that brandjack or spoof popular brands (like Netflix) in order to convince users to reveal confidential data, or even emails that are legitimate, but are actually sent via compromised accounts (like this one from Dropbox).
To mitigate risk, the concept of Zero Trust, according to Microsoft, “assumes breach and verifies each request as though it originates from an uncontrolled network.” Ample evidence exists to justify this assumption, mainly in the form of multiple cyber-attacks that have involved hackers moving through internal networks without much resistance, once they’ve infiltrated corporate systems.
Target’s 2013 data breach is a good example, when it was discovered that the confidential data of 110 million customers had been compromised via an air conditioning company Target had hired to ventilate its offices. Hackers reportedly gained access to the air conditioning company after a phishing email scam successfully tricked employees (see why I keep saying a single email is enough to cause catastrophic damage?) into revealing passwords. The company said its data connection to Target was “exclusively for electronic billing, contract submission and project management.” The attackers were able to use this connection to hop from system to system, ultimately zeroing in on Target’s customer data.
Explaining how the Zero Trust model and the principle of least privilege access works, software company CoreView writes, “With the Zero Trust model, the organisation only allows access between IT entities that have to communicate with each other. There is no such thing as a trusted user anymore, or even a trusted server. Instead, IT secures every communications channel, because IT does not know who is listening in on the router. IT removes generic access to anything; and that access has to be granted specifically. It cannot be inherited, and it has to have a purpose”.
Applying the above, if both Target and the air conditioning company had implemented a Zero Trust framework, the hackers wouldn’t have been granted “generic access”. Instead, each new request to access data and systems would have had to undergo fresh verification. It wouldn’t have been as effortless to hop across systems and eventually reach valuable customer data.
A second, more recent example was a case of business identity theft that occurred earlier this year, when a fraudster hacked into several high-profile Twitter accounts (including those of Elon Musk, Barack Obama & Joe Biden) by convincing a Twitter employee that he worked in the company’s IT department, and tricked Twitter users into sending him cryptocurrency. In a strict Zero Trust security framework, it wouldn’t have been that effortless for the hacker to gain access to these high-profile accounts via any employee – Twitter would have had a designated list of limited employees who had access to these accounts. And even if the hacker managed to successfully trick someone on that designated list, any unusual use of that access would have triggered alarms.
Why is the concept of Zero Trust gaining popularity among businesses today?
Just as Microsoft reports having observed two years’ worth of digital transformation in the first two months of the COVID-19 pandemic, Zero Trust is shifting from an option to a priority. Ann Johnson, Microsoft’s Corporate Vice President, Cybersecurity Solutions Group, notes that while “Zero Trust has always been key to maintaining business continuity…now, it’s become even more important during the COVID-19 pandemic to help enable the largest remote workforce in history”.
The “largest remote workforce in history” is undoubtedly facing a larger and more treacherous threat landscape. Security experts and law enforcement agencies, including Microsoft and the FBI, have reported an 800% surge in cyber-attacks since the advent of COVID-19, with 4,000 attacks a day.
These are staggering, but unsurprising numbers. The spike in remote working means the dissolution of many network perimeters, opening a can of cybersecurity worms.
Andrew Conway, GM, Microsoft Security explains the cybersecurity challenges of a post-COVID era: “Providing secure remote access to resources, apps, and data is the number 1 challenge reported by security leaders. For many businesses, the limits of the trust model they had been using, which leaned heavily on company-managed devices, physical access to buildings, and limited remote access to select line-of-business apps, got exposed early on in the pandemic”.
Unfortunately, a defined perimeter is fast disappearing among many businesses. Nearly half of companies intend to allow employees to work remotely full time going forward, according to Gartner, triggering the need for a powerful cybersecurity strategy for a more distributed workforce. Ensuring that the right people have the right level of access, to the right data, in the right context becomes a challenge for most organisations.
Zero Trust is so popular right now because it's able to meet the needs of a post COVID-19 world. As Kindervag says: "Zero Trust was developed long before remote work became a thing. It just so happens that a post-COVID-19 world fits perfectly into a Zero-Trust strategy."
Instead of relying on a single network, this framework essentially narrows the perimeter to be active around any user or device that requests access to data – a perimeter that isn’t limited by how distributed or remote they are. Such an approach reduces the likelihood, not only of an attacker successfully infiltrating a network, but also moving and gaining access to high-value targets after breaching it.
Adopting a Zero Trust framework
You may not know it, but your company may already have adopted several tenets of Zero Trust security via tools and best practices that emphasise authorisation and encryption (e.g. multi-factor authentication for internal and external users).
Adopting a holistic approach to Zero Trust, however, doesn’t involve using these technologies on their own, but instead using them to enforce a security culture built on the notion that no access will be granted, to anyone or anything, until and unless they have been verified.
Microsoft lists these three guiding principles to follow when implementing a Zero Trust framework:
- Verify explicitly: Always authenticate and authorise based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access: Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Assume breach: Minimise the blast radius of breaches and prevent lateral movement by segmenting access by network, user, device, and application awareness. Verify that all sessions are encrypted end to end. Use analytics to gain visibility, drive threat detection, and improve defences.
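To make the three principles above, and CoreView’s point earlier that access “cannot be inherited, and it has to have a purpose”, concrete, here is a small request evaluator written for this post as an added example. It is not MailGuard’s, Microsoft’s or CoreView’s code, and the principals, resource names, classification table and anomaly scores in it are constructed for illustration. It evaluates every request on its own evidence (MFA, device health, an anomaly signal) rather than on the network it arrived from, allows only an explicit, time-boxed grant for one resource and action, and denies and flags unusual use of an otherwise valid grant.

```python
"""Added example: a minimal Zero Trust access evaluator (hypothetical names throughout)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    action: str
    expires_at: datetime  # Just-In-Time: every grant is time-boxed


@dataclass(frozen=True)
class Request:
    principal: str
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool
    source_network: str   # recorded for audit only; never a source of trust
    anomaly_score: float  # 0.0 = normal .. 1.0 = highly unusual (constructed analytics signal)
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    flag_for_review: bool = False


# Constructed data-classification table; unknown resources default to confidential.
CLASSIFICATION = {"billing-portal": "internal", "customer-db": "confidential"}
ANOMALY_DENY_THRESHOLD = 0.7


def find_grant(req, grants):
    """Least privilege: only an exact, unexpired grant for this principal, resource
    and action counts. Nothing is inherited from a group, segment or earlier session."""
    for g in grants:
        if (g.principal, g.resource, g.action) == (req.principal, req.resource, req.action):
            if req.at < g.expires_at:
                return g
    return None


def evaluate(req, grants):
    """Verify explicitly, assume breach: the source network is never consulted, so a
    request from the corporate LAN is checked exactly like one from the internet."""
    if find_grant(req, grants) is None:
        return Decision(False, "no explicit, unexpired grant for this principal/resource/action")
    if not req.mfa_verified:
        return Decision(False, "multi-factor authentication not completed for this request")
    if CLASSIFICATION.get(req.resource, "confidential") == "confidential" and not req.device_compliant:
        return Decision(False, "non-compliant device may not access confidential data")
    if req.anomaly_score >= ANOMALY_DENY_THRESHOLD:
        return Decision(False, f"anomalous use of a valid grant (score {req.anomaly_score:.2f})",
                        flag_for_review=True)
    return Decision(True, "explicit grant, identity and device verified, behaviour normal")


def jit_grant(principal, resource, action, now, minutes=30):
    """Issue a grant for a stated purpose that expires on its own."""
    return Grant(principal, resource, action, now + timedelta(minutes=minutes))


def demo():
    """Constructed scenario echoing the vendor-connection story: the vendor account
    may only submit billing, for 30 minutes; an analyst may read the customer database."""
    now = datetime(2020, 9, 1, 9, 0, tzinfo=timezone.utc)
    grants = [jit_grant("hvac-vendor", "billing-portal", "submit", now),
              jit_grant("analyst", "customer-db", "read", now)]
    base = dict(principal="hvac-vendor", resource="billing-portal", action="submit",
                mfa_verified=True, device_compliant=True, source_network="vendor-vpn",
                anomaly_score=0.05, at=now)

    def req(**overrides):
        return Request(**{**base, **overrides})

    return {
        "billing submit": evaluate(req(), grants),
        "hop to customer db": evaluate(req(resource="customer-db", action="read"), grants),
        "no mfa, from corp lan": evaluate(req(mfa_verified=False, source_network="corp-lan"), grants),
        "grant expired": evaluate(req(at=now + timedelta(hours=2)), grants),
        "anomalous use": evaluate(req(anomaly_score=0.9), grants),
        "analyst, unmanaged device": evaluate(req(principal="analyst", resource="customer-db",
                                                  action="read", device_compliant=False), grants),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:26s} {'ALLOW' if d.allowed else 'DENY ':5s} {d.reason}")
```

Running the script prints one line per scenario: only the vendor’s in-scope billing request is allowed; the hop to the customer database fails because no grant exists for it, the request from the corporate LAN fails for lack of MFA despite its “inside” origin, the expired grant and the non-compliant device are refused, and the anomalous request is refused and flagged for the security team.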
While the concepts behind Zero Trust aren’t likely to change, technologies often do and you may need to update your environments and design your security architecture accordingly. Here’s where active collaboration with your CISOs and Infosec teams can play a huge role in deciding the right tools and methods for employing a Zero Trust framework across your company, based on your specific business model, needs and available resources.
Malicious emails are one of the most prolific ways fraudsters infiltrate networks, so exploring how you can adopt a Zero Trust approach to email security for your business might be a good starting point. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard to complement Microsoft 365. For more information about how MailGuard can help defend your inboxes, reach out to my team at email@example.com.
Zero Trust addresses the shifting realities of businesses, including new ways of accessing, storing & protecting data. It’s up to you to decide how relevant the model is to the shifting realities of your own business.
May the odds be ever in your favour.
What are some factors business leaders should consider before adopting a Zero Trust approach to cybersecurity? Write your comments below.