The trust model of cybersecurity is broken. Since the move to the cloud and away from isolated on-premises infrastructure, IT environments have become increasingly complex, expanding in both size and variety of components.
Trust is permissible when a small team of engineers accesses the local infrastructure. However, in the modern hybrid systems used by many enterprises, it is risky to rely on a multitude of endpoints and variables to manually adhere to all authentication measures and preventative procedures. We all know that a single phishing email is enough to potentially lead to a critical data breach. Such incidents can be incredibly damaging to a business: IBM estimates that data breaches this year cost companies an average of $4.24 million, the most in 17 years.
To manage this new world, many organizations turn to Zero Trust. In fact, in May of this year United States President Joe Biden issued an executive order requiring all federal agencies to begin aligning their cloud environments with Zero Trust architecture.
So what is Zero Trust? At its core, it is a cybersecurity model that constantly identifies and authenticates each device, user, and identity before giving them access to data. This ensures that bad actors cannot exploit sensitive data, even if they have gained access to an IT environment. By requiring constant authentication at every stage of the workflow, trust is taken out of the equation and removed as a cybersecurity vulnerability.
For a Zero Trust model to be effective, cultural and behavioral elements must be given as much weight as technology changes. Human error is by far the biggest risk to an organization, so all stakeholders must wholeheartedly buy into the model for it to be effective.
Zero Trust and remote work
Since the inception of remote work, the number of ransomware attacks and data breaches has skyrocketed, to the point where cybercrime is now the most prevalent crime in the UK. In fact, the UK National Cyber Security Council (NCSC) handled an unprecedented 777 cybersecurity incidents in 2021, an increase of 7.5% from the previous year. Bad actors have thrived in the world of remote work, exploiting the many potential vulnerabilities created by employees accessing work systems and data from home.
This risk is only increased by many companies using multiple hosting services to meet their demands in the world of remote work. Security measures and requirements can vary from public cloud provider to colocation service, making it difficult for many to implement a uniform security strategy.
Zero Trust Architecture
Zero Trust is a universal, cost-effective authentication model that can be used across all architectures, making it well suited to the hybrid IT infrastructure preferred by many businesses today. Zero Trust’s key differentiator is that there is no traditional network perimeter. When implemented correctly, it provides a comprehensive cyber defense framework ideal for hybrid work; all endpoints, cloud services, and on-premises infrastructure such as on-premises mainframes are incorporated into one model.
User access to all applications and data stored in any of these components requires authentication at all stages. This requires a comprehensive access policy, which assesses the risk presented by the user before granting access. The UK NCSC has an excellent explanation of this principle, which sets out how companies should assume “the network is hostile” and grant access only based on an assessment of key factors such as “device location, device state, identity, and user state.”
Constant verification requires real-time monitoring. Businesses need visibility into a variety of dependencies and environments in their IT stack to dynamically monitor user access and, if necessary, withdraw privileges. There is a lot of innovation in this space, with a growing number of solutions using automation to streamline the process. Organizations must spend time finding a monitoring solution that matches the specific cybersecurity needs of their business.
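As an added illustration of the two points above (an access policy that weighs device location, device state, identity and user state before granting access, and monitoring that can withdraw privileges mid-session), here is a small policy decision point in Python. It is example code written for this article, not an NCSC or Ensono implementation; the signal names, the weights, the thresholds and the sample requests are all assumptions chosen to make the behaviour visible.

```python
"""Minimal Zero Trust policy decision point (illustrative example).

Every request is scored on the factors the NCSC guidance names: identity,
device state, device location (network) and user state. Identity is a hard
gate; the other signals are weighted into a risk score. The same function is
re-run whenever monitoring produces new signals, so an already-granted
session can be stepped up or revoked. All weights and thresholds are assumed.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    identity_verified: bool      # SSO/MFA assertion is valid and unexpired
    device_managed: bool         # device is enrolled in device management
    device_patched: bool         # device meets the patch/compliance baseline
    network_trusted: bool        # corporate network or a known location
    user_risk: str               # "low" | "medium" | "high" from monitoring
    resource_sensitivity: str    # "low" | "high" for the target resource


# Assumed weights: a high-risk user alone is enough to deny; an unmanaged
# device is serious; an untrusted network only nudges the score because the
# network is treated as hostile everywhere anyway.
USER_RISK_WEIGHT = {"low": 0, "medium": 2, "high": 5}
DENY_THRESHOLD = 5


def risk_score(req: AccessRequest) -> int:
    """Sum the weighted risk signals; a higher score means a riskier request."""
    score = 0
    if not req.device_managed:
        score += 3
    if not req.device_patched:
        score += 2
    if not req.network_trusted:
        score += 1
    score += USER_RISK_WEIGHT[req.user_risk]
    return score


def decide(req: AccessRequest) -> Decision:
    """Evaluate one request against the policy and return a decision."""
    # Identity is a hard gate: a failed or stale authentication is never
    # compensated for by a healthy device or a trusted network.
    if not req.identity_verified:
        return Decision.DENY
    score = risk_score(req)
    # Sensitive resources demand step-up authentication at a lower score.
    step_up_threshold = 2 if req.resource_sensitivity == "high" else 4
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= step_up_threshold:
        return Decision.STEP_UP
    return Decision.ALLOW


def reevaluate(session_req: AccessRequest, **new_signals) -> Decision:
    """Continuous verification: apply updated monitoring signals to the
    request that opened a session and return the new decision. A result of
    DENY means the session should be revoked rather than left to expire."""
    return decide(replace(session_req, **new_signals))


if __name__ == "__main__":
    # Constructed sample requests, not real telemetry.
    compliant = AccessRequest(True, True, True, True, "low", "low")
    byod_to_crown_jewels = AccessRequest(True, False, True, True, "low", "high")
    print("compliant request:", decide(compliant).value)
    print("unmanaged device, sensitive data:", decide(byod_to_crown_jewels).value)
    # Monitoring later flags the user as high risk: the open session is re-scored.
    print("after user flagged high risk:",
          reevaluate(compliant, user_risk="high").value)
```

The shape worth copying is not the numbers but the structure: authentication is a gate rather than a weight, the threshold depends on what is being accessed, and the decision function is cheap enough to be re-run on every change in monitoring signals instead of once at login.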
Crucially, constant authentication provides more obstacles for hackers to overcome in order to reach broader sets of data. As a result, the monitoring elements of Zero Trust have a significantly longer window of time in which to identify and contain the impact. Many notable cyberattacks started with a bad actor exploiting a vulnerability in one part of the network to gain access to sensitive systems across the company; the Colonial Pipeline cyberattack started with a single compromised password for a virtual private network (VPN). Zero Trust should allow a company to lock down access privileges for a hacker, limiting the scope of damage and preventing such attacks from becoming insurmountable problems.
A culture change
It is important to see Zero Trust as both a cultural change and a technological one. Human endpoints are by far the biggest risk in today’s cybersecurity landscape and therefore behavioral change is needed to address the issue.
Each individual must wholeheartedly accept the Zero Trust model for it to remain effective. An employee forgoing authentication procedures is all that is required for a data breach to render the Zero Trust model ineffective.
Education and communication are top priorities to prevent this from happening. Many people are likely already involved with authentication procedures such as single sign-on (SSO) and multi-factor authentication (MFA) in aspects of their work and understand their importance within a given context. Through regular communication and training, this acceptance can turn into an understanding of the holistic requirements of Zero Trust.
Instead of seeing cybersecurity as a mandatory annual training program, employees can be empowered by their role and responsibilities in the Zero Trust process. By understanding that Zero Trust is not based on mistrusting people, but on requiring them to play a greater role in preventing cybersecurity incidents, employees will become more engaged and play their part in preventing cyberattacks.
David Gochenaur, Senior Director of Cyber Security at Ensono, is a seasoned information security professional with over twenty years of experience in the software, consulting, banking, manufacturing, and service industries. David’s expertise lies in developing and implementing enterprise-wide security solutions for IT infrastructure, applications, user access management, policies and standards.