Zero Trust, We Must

Daily headlines about cyber-attacks and data breaches (e.g., City of Tulsa, Guess, Morgan Stanley, Rural Alabama Electric Cooperative) are a stark reminder that cybercrime activity levels have spiked since the start of the ongoing health crisis. According to the FBI’s 2020 Internet Crime Report, complaints soared by 69.4% in the last year. In response to this increase in cybersecurity incidents, there has been a renewed push to implement Zero Trust principles to minimize organizations’ cyber risk exposure and limit lateral movement. Most notably, President Biden’s recently signed Executive Order (EO) prescribes establishing a Zero Trust architecture for federal government agencies as a way to improve the nation’s cybersecurity and protect federal government networks.

The Biden Administration is not alone in its desire to establish Zero Trust principles. Over the last three years, the use of a Zero Trust model has gained a lot of industry momentum. According to IDG’s 2020 Security Priorities Survey (PDF), 75 percent of security-focused IT decision makers are aware of the Zero Trust model, with 18 percent actively using it in their organizations, and 10 percent piloting deployment.

The Zero Trust model, first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST), is not a new concept. Based on research findings, Forrester analyst John Kindervag concluded that the inherent trust assumptions in traditional security models leave organizations vulnerable to external and internal attacks. Zero Trust is a security concept centered on the belief that organizations should not inherently trust entities inside or outside their perimeters, and should instead verify every request to connect to their systems before granting access.

The original concept of Zero Trust was a data-centric network design that leveraged micro-segmentation to enforce more granular rules and ultimately limit lateral movement by attackers. Since its inception, the concept of Zero Trust and its benefits have evolved significantly. Nowadays, Zero Trust is being used by organizations to drive strategic security initiatives and enable business decision makers and IT leaders to implement pragmatic prevention, detection, and response measures.

The Zero Trust eXtended Ecosystem

The biggest evolution of the Zero Trust model was documented in a 2019 Forrester Research report entitled Zero Trust eXtended (ZTX) Ecosystem, which extends the original model beyond its network focus to encompass today’s ever-expanding attack surface including the following elements and associated processes: 

• Networks – Segment, isolate, and control the network.

• Data – Secure and manage data, categorize and develop data classification schemas, and encrypt data both at rest and in transit. 

• Workloads – Apply Zero Trust controls to the entire application stack, covering the app layer through the hypervisor or self-contained components of processing (i.e., containers, virtual machines).

• Devices – Isolate, secure, and always control every device on the network.

• People (a.k.a. Identity) – Limit and strictly enforce the access of users and secure those users. 

Applying security controls to each of the above-mentioned elements provides a roadmap to Zero Trust. 

The Path to Zero Trust Starts with a Resilient Anywhere Workforce

There are many starting points on the path to Zero Trust. However, one driving principle for determining your implementation priorities should be the knowledge that the easiest way for cyber-attackers to gain access to sensitive data is by compromising a user’s identity. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research. Furthermore, post-mortem analysis has repeatedly found that compromised credentials are subsequently used to establish a beachhead on an end user endpoint (e.g., desktop, laptop, or mobile device), which typically serves as the main point of access to an enterprise network. A recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months.

To limit an organization’s cyber risk exposure to tactics, techniques, and procedures that target an organization’s weakest link – the anywhere workforce – consider the following best practices:

• Maintain a trusted connection with endpoints to detect unsafe behaviors or conditions that could put sensitive data at risk. This includes maintaining granular visibility and control over endpoint hardware, operating systems, applications, and data gathered on the device; and implementing self-healing capabilities for the device, mission-critical security controls, and productivity applications.

• Ensure that endpoint misconfigurations are automatically repaired when possible, as organizations cannot assume that the health of their IT controls or security tools installed on their employees’ endpoints will remain stable over time.

• Monitor network connectivity status, security posture, and potential threat exposure to enforce acceptable use via dynamic web filtering.

• Enforce dynamic, contextual network access policies to grant access for people, devices, or applications. This entails analyzing device postures, application health, network connection security, as well as user activity to subsequently enforce pre-defined policies at the endpoint rather than via a centralized proxy.
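As an added illustration of the last two practices (this is example code, not from the article or any vendor product): a small Python policy evaluator that combines device posture, network trust, authentication freshness, and user-activity risk into a per-resource allow / step-up / deny decision that an endpoint agent could enforce locally. The resource names, thresholds, and EndpointContext fields are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass
class EndpointContext:
    # Signals an endpoint agent gathers locally; all values in this example are constructed.
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int
    network_trusted: bool   # corporate VPN or known-good network
    last_mfa: datetime
    user_risk_score: int    # 0 (normal) .. 100 (anomalous), from behaviour analytics

@dataclass
class Policy:
    max_patch_age_days: int
    require_trusted_network: bool
    mfa_max_age: timedelta
    max_user_risk: int

# Hypothetical per-resource policies: the finance app is held to a stricter bar than the wiki.
POLICIES = {
    "finance-app": Policy(14, True, timedelta(hours=8), 30),
    "wiki": Policy(30, False, timedelta(days=7), 60),
}

def decide(resource, ctx, now=None):
    """Return ('allow' | 'step_up' | 'deny', reasons) for one access request."""
    now = now or datetime.now(timezone.utc)
    policy = POLICIES.get(resource)
    if policy is None:               # default deny: no policy, no access
        return "deny", ["no policy for resource"]
    reasons = []
    # Hard failures: a device that cannot prove its own health is denied outright.
    if not ctx.disk_encrypted:
        reasons.append("disk not encrypted")
    if not ctx.edr_running:
        reasons.append("EDR agent not running")
    if ctx.os_patch_age_days > policy.max_patch_age_days:
        reasons.append(f"patch age {ctx.os_patch_age_days}d > {policy.max_patch_age_days}d")
    if policy.require_trusted_network and not ctx.network_trusted:
        reasons.append("untrusted network")
    if ctx.user_risk_score > policy.max_user_risk:
        reasons.append(f"user risk {ctx.user_risk_score} > {policy.max_user_risk}")
    if reasons:
        return "deny", reasons
    # Soft condition: stale authentication triggers a fresh MFA challenge, not a denial.
    if now - ctx.last_mfa > policy.mfa_max_age:
        return "step_up", ["MFA older than policy allows"]
    return "allow", []
```

Because every denial carries its reasons, the same output can drive the automatic repair step (re-enable the agent, push the patch) before the request is retried.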

Conclusion

Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide an easy entrée for data breaches. For most organizations, the path to Zero Trust should start with identity paired with endpoint resilience to create a more resilient work-from-anywhere user population.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
