Implementing Zero Trust? Prioritize people as much as tech
The trust model of cybersecurity is broken. Since the shift to cloud and the move away from siloed on-premises infrastructure, IT environments have grown ever more complex, expanding in both size and variety of components.
Trust is permissible when a small team of engineers is accessing on-premises infrastructure. However, in the modern hybrid systems employed by many businesses, trusting the multitude of endpoints and variables to manually adhere to all authentication measures and preventative procedures is risky. We all know that just one phishing email is enough to potentially lead to a critical data breach. Such incidents can be incredibly damaging for a business: IBM estimated that this year data breaches cost businesses an average of $4.24 million, a 17-year high.
To manage this new world, many organizations are turning to Zero Trust. Indeed, in May this year US President Joe Biden issued an Executive Order mandating all federal agencies start to align their cloud environments with Zero Trust architecture.
So, what is Zero Trust? In essence, it is a cybersecurity model that constantly identifies and authenticates each device, user, and identity before providing them with access to data. This ensures that bad actors are unable to exploit sensitive data, even if they have gained access to an IT environment. By requiring constant authentication at every stage of the workflow, trust is removed from the equation and eliminated as a cybersecurity vulnerability.
For a Zero Trust model to be effective, as much importance needs to be placed on the behavioral and cultural elements as the technology changes. Human error is by far the greatest risk to an organization, so all stakeholders need to wholeheartedly buy into the model for it to be effective.
Zero Trust and remote working
Since the onset of remote working, the number of ransomware attacks and data breaches has skyrocketed, to the point where cybercrime is now the most prevalent crime in the UK. Indeed, the UK's National Cyber Security Centre (NCSC) managed an unprecedented 777 cyber security incidents in 2021, a 7.5 percent increase from the previous year. Bad actors have thrived in the remote working world, exploiting the multiple potential vulnerabilities created by employees accessing work systems and data from home.
This risk is only heightened by many enterprises making use of multiple hosting services to meet their demands in the remote working world. Security measures and requirements can vary from each public cloud provider to each colocation service, making it difficult for many to implement a uniform security strategy.
Zero Trust architecture
Zero Trust is a universal, cost-effective authentication model that can be utilized across all architectures, making it well suited to the hybrid IT infrastructure preferred by many businesses today. The key differentiator of Zero Trust is that it does not rely on a traditional network perimeter. When implemented correctly, it provides a comprehensive cyber defense framework ideally suited for hybrid working; all endpoints, cloud services and local infrastructure, such as on-premises mainframes, are incorporated into one model.
User access to all applications and data held on any one of these components requires authentication at all stages. This requires a comprehensive access policy, assessing the risk presented by the user before granting access. The UK’s NCSC has an excellent explanation on this principle, setting out how firms should assume "the network is hostile" and only grant access based on an assessment of key factors like "device location, device health, user identity and status".
Constant verification necessitates real-time monitoring. Businesses need visibility across a range of dependencies and environments in their IT stack to dynamically monitor user access, and if necessary, withdraw privileges. There is a huge amount of innovation in this space, with a growing number of solutions utilizing automation to streamline the process. Organizations should spend the time finding a monitoring solution that closely matches the specific cybersecurity needs of their business.
Crucially, constant authentication puts more obstacles in the way of an attacker trying to reach wider data. As a result, the monitoring elements of Zero Trust have a significantly longer window of time in which to identify and contain the impact. Many notable cyberattacks have started with a bad actor exploiting a vulnerability in one part of the network to gain access to sensitive systems across the business; the Colonial Pipeline cyberattack started with a single compromised password for a virtual private network (VPN). Zero Trust should allow a business to shut down access privileges for a hacker, limiting the scope of the damage and preventing such attacks from spiraling into insurmountable problems.
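The per-request access policy and continuous re-verification described in the three paragraphs above can be made concrete with a small policy decision point. The following Python is an added illustration and is not code from the article or from Ensono; the signal names (user_active, mfa_verified, device_managed, device_compliant, country, resource_sensitivity, location_changed), the allowed-country list and the monitoring snapshots are constructed assumptions standing in for what an identity provider, device-management service and endpoint-health agent would actually report. It evaluates every request against the NCSC-style factors (device location, device health, user identity and status) and withdraws a live session as soon as one of those signals degrades.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"   # session continues only after fresh MFA
    DENY = "deny"


@dataclass
class AccessContext:
    # Hypothetical signal names; a real deployment would pull these from the
    # identity provider, device-management and endpoint-health services.
    user: str
    user_active: bool          # identity status: account enabled in the IdP
    mfa_verified: bool         # strong authentication completed for this session
    device_managed: bool       # endpoint is enrolled in the organization's MDM
    device_compliant: bool     # endpoint health: patched, encrypted, EDR running
    country: str               # coarse device location (ISO 3166 code)
    resource_sensitivity: str  # "low" or "high"
    location_changed: bool = False  # location differs from where MFA was completed


# Constructed sample policy data: countries sessions may originate from.
ALLOWED_COUNTRIES = {"GB", "US"}


def evaluate(ctx: AccessContext):
    """Policy decision point: returns (Decision, reason). The network is treated
    as hostile, so every check runs on every request regardless of its source."""
    if not ctx.user_active:
        return Decision.DENY, "user account disabled"
    if ctx.country not in ALLOWED_COUNTRIES:
        return Decision.DENY, f"location {ctx.country} not permitted"
    if not ctx.device_compliant:
        return Decision.DENY, "device failed health check"
    if ctx.resource_sensitivity == "high":
        if not ctx.device_managed:
            return Decision.DENY, "unmanaged device may not reach high-sensitivity data"
        if not ctx.mfa_verified or ctx.location_changed:
            return Decision.STEP_UP, "high-sensitivity resource requires fresh MFA"
    return Decision.ALLOW, "all checks passed"


@dataclass
class Session:
    user: str
    resource: str
    active: bool = True
    revoked_because: str = ""


def reevaluate(session: Session, ctx: AccessContext) -> Decision:
    """Continuous verification: re-run the policy on a live session with the
    latest signals and withdraw access the moment it no longer passes.
    A revoked session stays revoked; the user must authenticate again."""
    decision, reason = evaluate(ctx)
    if decision is not Decision.ALLOW and session.active:
        session.active = False
        session.revoked_because = reason
    return decision


def run_session(resource: str, snapshots):
    """Drive one session through a sequence of monitoring snapshots.
    Returns one (decision, session_active) pair per snapshot."""
    session = Session(snapshots[0].user, resource)
    timeline = []
    for snap in snapshots:
        decision = reevaluate(session, snap)
        timeline.append((decision, session.active))
    return timeline


if __name__ == "__main__":
    # Constructed monitoring snapshots for one user: healthy at first, then
    # the endpoint drops out of compliance mid-session and is cut off.
    healthy = AccessContext("alice", True, True, True, True, "GB", "high")
    degraded = AccessContext("alice", True, True, True, False, "GB", "high")
    for step, (decision, active) in enumerate(run_session("payroll-db", [healthy, healthy, degraded])):
        print(f"check {step}: {decision.value:12s} session_active={active}")
```

The ordering of the checks matters: identity status, location and device health are evaluated before the resource is even considered, so a disabled account or a non-compliant laptop is refused regardless of what it asks for, while a low-sensitivity resource can still be reached from an unmanaged device without a step-up.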
A cultural change
It is important to view Zero Trust as just as much a cultural change as it is a technological one. Human endpoints are by far the greatest risk in today's cybersecurity landscape, and therefore behavioral change is needed to address the issue.
Each individual needs to buy wholeheartedly into the Zero Trust model for it to remain effective. One employee forgoing authentication procedures is all that is required for a data breach to render the Zero Trust model ineffective.
Education and communication are the top priorities for preventing this from happening. Many individuals will likely already engage with authentication procedures like Single Sign-on (SSO) and multi-factor authentication (MFA) in aspects of their job and understand their importance within a set context. Through regular communication and training, this acceptance can be built into an understanding of the holistic requirements of Zero Trust.
Rather than viewing cybersecurity as just an obligatory annual training program, employees can be empowered by their role and responsibilities in the Zero Trust process. By understanding that Zero Trust is not based on distrusting individuals but rather requiring them to play a greater part in preventing cybersecurity incidents, employees will become more engaged and play their part in preventing cyber-attacks.
David Gochenaur, Senior Director of Cyber Security at Ensono, is a seasoned Information Security professional with over twenty years of experience across software, consulting, banking, manufacturing, and services industries. David’s expertise lies in developing and implementing enterprise-wide security solutions for IT infrastructure, applications, user access management, policy, and standards.