22 February 2022 | Scott Nursten
Centuries ago, armies might fire letters attached to arrows over the wall into a besieged city, promising a reward to anyone who opened the gates. In 2020, a Tesla employee was contacted by a Russian cybercriminal, promising to pay $1 million if they helped infect the company’s system with malware. (Luckily for Tesla, this employee blew the whistle.)
The point is, an ancient tactic was used in a modern setting, highlighting the vulnerability still posed by insiders. Combatting this threat means applying the tenets of Zero Trust, based around the presumption that you’ve already been breached. If the enemy is already inside your defences, your firewall is useless. If they are disguised as someone with all areas access, how will you catch them out?
The old trust zones are gone
Zero Trust is a new form of security architecture which has replaced the old ‘trust zones’ network design. As a rule, the more exclusive the access to a zone, the higher the trust. A general low-trust zone carried few access requirements. A private zone with more stringent access requirements carried higher trust, while your financial zone, for example, would be accessible to only a few people and would therefore be your highest trust zone.
Trust implications might mean data wasn’t encrypted inside the highest trust zone, or that location alone would act as proof that only the right users were in there.
With more attacks exploiting the trusted user, their laptop or phone, you can no longer trust authenticity of identity based on access level alone. The answer now is to create policy decisions and enforcement points across your networks. In other words, replace trust zones with Zero Trust: controlled, conditional, dynamic access in multiple places.
Your staff are trustworthy. Hackers pretending to be your staff are not.
Zero Trust has garnered negative reactions because people infer a lack of trust in their staff. Let’s be clear: this is not about mistrusting individuals in your building. This is about verifying that every user and device on your network is the person and device you expect it to be.
Just because a person is logged in as ‘Sam’ doesn't mean it is really them. Without multifactor authentication, biometrics and additional checks, we can't determine authenticity of user or device. Standard access to your cloud-based environments and SaaS platforms, is usually via a username and password, maybe an MFA token: all of which are possible to hack. IP addresses too are no longer suitable as trusted identifiers. The only way to authenticate reliably is at user and device level every time access is requested. Hence, the rise of zero trust.
The Four Tenets of Zero Trust
Assume that all devices, user accounts and any other resource could be used against you. The imperative is to have clear policy enforcement and decision points requesting regular verification.
It looks as though Sam is using Sam’s laptop, but how do you know for sure? Verify the user and their device using a variety of factors.
Behave as if the adversary has already breached your wall. Penetration testing and firewall scanning will do nothing if you are locked inside with your adversary. Everyone must verify who they are across every area of your network, regardless of access level.
Your controlled access must also be dynamic and conditional. Dynamic variables give administrators the ability to grant or deny access to network resources. Conditional access is policy-driven and usually works on the basis that if a user requests access, then they must complete an action. Include behavioural observation wherever possible. For instance, a ‘user’ might have a username, password and MFA token but be trying to access your network from China or trying to access restricted areas. Any unusual behaviour should automatically fire out additional verification requests.
Cybercriminals remove all trace of their activities to prevent them being caught for their crimes. They destroy access attempts immediately after successful infiltration: the cyber equivalent of wiping down every surface to remove their fingerprints. If you log data in off-site, immutable stores and analyse it at machine speed you know what is always happening across your environment, catching bad actors in the act and identifying vulnerable user accounts. Their access then leaves indelible traces that can be used as evidence.
Questions for IT
It should be obvious to all users, including business leaders, that zero trust verification exists across the organisation. If you can get straight onto your network with just a username and password, or once on there, you can access even your most sensitive data, alarm bells should be ringing.
Don’t make the mistake of choosing ease of access over security. If you can access everything on the network easily, so can a hacker.
Originally published in Platinum Business Magazine