Daily headlines about cyber-attacks and data breaches (e.g., City of Tulsa, Guess, Morgan Stanley, Rural Alabama Electric Cooperative) are a stark reminder that cybercrime activity levels have spiked since the start of the ongoing health crisis. According to the FBI’s 2020 Internet Crime Report, complaints soared by 69.4% in the last year. In response to this increase in cybersecurity incidents, there has been a renewed push to implement Zero Trust principles to minimize organizations’ cyber risk exposure and limit lateral movement. Most notably, President Biden’s recently signed Executive Order (EO) prescribes establishing a Zero Trust architecture for federal government agencies as a way to improve the nation’s cybersecurity and protect federal government networks.
The Biden Administration is not alone in their desire to establish Zero Trust principles. Over the last three years, the use of a Zero Trust model has gained a lot of industry momentum. According to IDG’s 2020 Security Priorities Survey (PDF), 75 percent of security-focused IT decision makers are aware of the Zero Trust model, with 18 percent actively using it in their organizations, and 10 percent piloting deployment.
The Zero Trust model, first introduced in 2010 by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST), is not a new concept. Based on research findings, Forrester analyst John Kindervag concluded that inherent trust assumptions in traditional security models leave organizations vulnerable to external and internal attacks. Zero Trust is a security concept centered on the belief that organizations should not inherently trust entities inside or outside its perimeters, and instead should verify all requests to connect to its systems before granting access.
The original concept of Zero Trust was a data-centric network design that leveraged micro-segmentation to enforce more granular rules and ultimately limit lateral movement by attackers. Since its inception, the concept of Zero Trust and its benefits have evolved significantly. Nowadays, Zero Trust is being used by organizations to drive strategic security initiatives and enable business decision makers and IT leaders to implement pragmatic prevention, detection, and response measures.
The Zero Trust eXtended Ecosystem
The biggest evolution of the Zero Trust model was documented in a 2019 Forrester Research report entitled Zero Trust eXtended (ZTX) Ecosystem, which extends the original model beyond its network focus to encompass today’s ever-expanding attack surface including the following elements and associated processes:
• Networks – Segment, isolate, and control the network.
• Data – Secure and manage data, categorize and develop data classification schemas, and encrypt data both at rest and in transit.
• Workloads – Apply Zero Trust controls to the entire application stack, covering the app layer through the hypervisor or self-contained components of processing (i.e., containers, virtual machines).
• Devices – Isolate, secure, and always control every device on the network.
• People (a.k.a. Identity) – Limit and strictly enforce the access of users and secure those users.
Applying security controls to each of the above-mentioned elements provides a roadmap to Zero Trust.
The Path to Zero Trust Starts with a Resilient Anywhere Workforce
There are many starting points on the path to Zero Trust. However, one driving principle to determine your priority of implementation should be the knowledge that the easiest way for cyber-attackers to gain access to sensitive data is by compromising a user’s identity. In fact, 80 percent of security breaches involve privileged credentials, according to Forrester Research. Furthermore, post-mortem analysis has repeatedly found that compromised credentials are subsequently used to establish a beachhead on an end user endpoint (e.g., desktop, laptop, or mobile device), which typically serve as the main point of access to an enterprise network. A recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months.
To limit an organization’s cyber risk exposure to tactics, techniques, and procedures that target an organization’s weakest link – the anywhere workforce – consider the following best practices:
• Maintain a trusted connection with endpoints to detect unsafe behaviors or conditions that could put sensitive data at risk. This includes maintaining granular visibility and control over endpoint hardware, operating systems, applications, and data gathered on the device; and implementing self-healing capabilities for the device, mission-critical security controls, and productivity applications.
• Ensure that endpoint misconfigurations are automatically repaired when possible, as organizations cannot assume that the health of their IT controls or security tools installed on their employees’ endpoints will remain stable over time.
• Monitor network connectivity status, security posture, and potential threat exposure to enforce acceptable use via dynamic web filtering.
• Enforce dynamic, contextual network access policies to grant access for people, devices, or applications. This entails analyzing device postures, application health, network connection security, as well as user activity to subsequently enforce pre-defined policies at the endpoint rather than via a centralized proxy.
Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide an easy entree for data breaches. For most organizations, the path to Zero Trust should start with identity paired with endpoint resilience to create a more resilient work from anywhere user population.