Data breaches have become mainstream in our daily lives. Every day there is a new breach, hack, or vulnerability being reported in the media. The problem is becoming an epidemic especially when we consider the lack of qualified professionals in the field of cybersecurity. There are frameworks that many organizations can adopt to help improve their cybersecurity posture like NIST and ISO 27001 but these frameworks are not keeping up with the changing cybersecurity landscape. The bad actors and criminal organizations are getting smarter and making it harder for cybersecurity professionals to keep up. Due to the evolving landscape of cybersecurity, I believe it is time we start adopting the Zero-Trust Architecture.
The concept for Zero-Trust Architecture is to restrict access to any resource and only grant access after the sources have been verified. We must view any connection to a resource to be untrusted whether it is internal or external. Insider threat has become a real concern for many organization as trusted employees may unintentionally become a threat. Social engineering attacks such as phishing may trick an employee into divulging credentials or installing malicious software. The trusted employee has now become an insider threat. Now I know what you are thinking, we cannot possibly introduce Zero-Trust into the environment, it is too hard to implement and adopt and we like to treat all employees as trusted members of the company. Ask yourself a question, does an employee working in the marketing department need access to HR records? Regardless if this employee is a trusted member, there is a good possibility this employee probably does not need access to HR records. In larger worldwide companies where the networks are connected to each other, does it make sense for someone working in a European office accessing systems and records in an American office if this person has no business relations or requirements? Probably not. We need to stop promoting these open trust cultures and start restricting access across networks and infrastructure.
Organizations that are hesitant to adopt Zero-Trust architecture probably don’t realize that they are already using most of the controls in their environment currently. Does your organization have any of the following:
- Data Security
- Device/endpoint security
- User Authentication
- Workload Security
- Security Automation
- Threat hunting, Detection, and analysis
If the answer is yes, you are already introducing Zero-Trust into your company. These are the components necessary for a Zero-Trust Architecture. Organizations are already adopting Zero-Trust without realizing they are doing it.
Zero-Trust are beneficial to organizations like financial, healthcare, and manufacturing to help protect sensitive data and solve problems like IoT. IoT devices is causing a problem in these industries. As these organizations start to adopt IoT devices to improve workflow, efficiency, and customer expectations, Zero-Trust can be used to solve the problems IoT creates. Solutions such as micro-segmentations and deception technology which is part of the Zero-Trust Ecosystem can help improve the security posture of these organizations. Many security vendors are creating solutions that fall into the category of Zero-Trust such as the following:
- Varonis (www.varonis.com) – Data Security
- TrapX (www.trapx.com) – Security Automation/Threat Hunting, Detection, and Analysis
- Carbon Black (www.carbonblack.com) – Endpoint Security
- Palo Alto (www.paloaltonetworks.com) – Firewalls
- Illumio (www.illumio.com) – Security Automation/Firewalls
- E-Sentire (www.esentire.com) – Threat Hunting, Detection, and Analysis
- Centrify (www.centrify.com) – User Authentication
- CyberArk (www.cyberark.com) – User Authentication
There is a famous Russian saying made popular by President Ronald Regan when dealing with the Russians:
“Doveryai, no proveryai” which means “Trust but Verify”.
The concept of Zero Trust is very similar to this saying, as much as we like to trust every device in the ecosystem of a company, we should really be verifying whether access is needed and allowed. Granting access after verification of a source will reduce the possibility of a breach. Regulations such as EU-GDPR and NYS DFS 500 regulations are enforcing the need for Zero-Trust as they make access privilege controls and review/certification of access rights to data a regulatory requirement. Zero Trust architecture was a radical concept when it first came out several years ago, but now it is taking the center stage in cybersecurity as we battle against criminal entities, bad actors, and nation sponsored attacks. We reduce our threat attack vectors as we start to lockdown access on a granular scale. Technology improvements in the cybersecurity space are allowing us to adopt Zero-Trust with minimal to no impact to the production environment. Zero-Trust Architecture is here to stay, it is about time we start adopting it.
By: Joseph Tso, CISSP, CISM LIFARS Board Member
Don’t forget to subscribe to our Newsletter.