The Zero Trust architecture offers an increasingly popular way to minimize cyber-risk in a world of hybrid cloud, flexible working and persistent threat actors.
The post-pandemic normal for global organizations increasingly means using digital technology to support more flexible working practices. Although tech giants such as Twitter and Facebook made headlines by promising some employees they can work from home forever, the reality for most employers is likely to be more prosaic. More than 60% of businesses are planning to support a hybrid workplace which will involve employees spending part of the week at home and a few days in the office. Yet this will also bring with it new cyber-risks, as we outlined in the first post of this series that examines the security challenges of the hybrid workplace.
The good news is that this what the Zero Trust model was built for. Already mandated for U.S. federal government agencies by a new Presidential executive order it offers an increasingly popular way to minimize cyber-risk in a world of hybrid cloud, remote working and persistent threat actors.
The challenges of protecting the hybrid workplace
Today’s CISOs are under incredible pressure to protect sensitive IP and customer data from theft, and business-critical systems from service interruption. Despite rising security spending, breaches continue to escalate. The cost of data breaches stands at an average of nearly US$3.9 million per incident today, with organizations typically taking hundreds of days before they discover and contain these attacks.
The advent of mass remote working, and now the hybrid workplace, hands even more advantage to the threat actors. Organizations are at risk from several areas, including:
- Distracted home workers who are more likely to click on phishing links
- Remote workers using potentially insecure personal laptops and mobile devices, networks and smart home devices
- Vulnerable VPNs and other unpatched software running on home systems
- Poorly configured RDP endpoints, which may be easily hijacked via previously breached or easy-to-crack passwords. ESET reported a 140% increase in RDP attacks in Q3 2020
- Cloud services with weak access controls (poor passwords and no multi-factor authentication)
Why Zero Trust?
In 2009, Forrester developed a new information security model, called the Zero Trust Model, which has gained widespread acceptance and adoption. It’s designed for a world in which the old certainties of placing all security resources at the perimeter and then trusting everything inside it, are no longer relevant. That’s the world we live in today thanks to distributed working and cloud ubiquity.
Instead, Zero Trust is founded on a mantra of “never trust, always verify” to help reduce the impact of breaches. In practice, there are three underlying principles:
- All networks should be treated as untrusted
This should include home networks, pubic Wi-Fi networks (for example, in airports and coffee shops) and even on-premises corporate networks. Threat actors are simply too determined for us to assume that there are any safe spaces left.
- Least privilege
If all networks are untrusted, then so must users be. After all, you can’t guarantee that an account hasn’t been hijacked, or that a user isn’t a malicious insider. That means granting employees just enough privilege to get the job done, and then regularly auditing access rights and removing any that are no longer appropriate.
- Assume breach
Every day we hear news of a new security breach. By maintaining an alert mentality, organizations will be vigilant and continue to improve their defenses with a resilient Zero Trust mindset. Breaches are inevitable – it’s about reducing their impact.
How Zero Trust has evolved
When Zero Trust was first created back in 2009, it was a very network-centric model. Over the years it has evolved into an entire ecosystem. At its center is the critical data or business processes that must be protected. Around this are four key elements: the people that can access that data, the devices that store it, the networks it flows through and the workloads that process it.
Now Forrester has added another crucial layer: automation and orchestration and visibility and analytics. These integrate all the defense-in-depth controls needed to support Zero Trust.
Zero Trust in this new iteration is a perfect way to help mitigate the risks of a hybrid workplace—an environment where perimeters are fluid, distributed workers must be continually authenticated, and networks are segmented to reduce the potential for threats to spread. It’s also become clear over the course of the pandemic that VPNs in many cases were unable to sustain large numbers of remote workers – both in terms of inbound traffic and in outbound deployment of patches. They are increasingly also a target in their own right, if left unpatched and under-protected. Zero Trust is a better long-term option.
How to get started with Zero Trust
The latest data suggests that nearly three-quarters (72%) of organizations are planning (42%) or have already rolled out (30%) Zero Trust. The good news is that getting there doesn’t require a major rip-and-replace effort.
In fact, you may already be using many of the tools and techniques needed to get started. These include the following:
People: Roles-based access controls, multi-factor authentication, account segregation.
Workloads: Most cloud providers build in controls here. Organizations should use these to reduce access to different workloads. and enforce good policies.
Devices: Asset management will help you understand what you own. Then use endpoint detection and response (EDR), host-based firewalls and more to protect these assets and prevent lateral movement.
Networks: Micro-segmentation is key here. Use network devices like routers and switches in combination with access control lists (ACLs) to limit who and what can talk to different parts of the network. Vulnerability management is also important.
Data: Classify your data then apply encryption to the most sensitive types at rest and in transit. File integrity monitoring and data loss prevent can also help to secure data.
Finally, it’s about adding security orchestration and automation, and data analytics capabilities, on top. This brings the situational awareness security operations teams need to do their jobs effectively.
written by Phil Muncaster, ESET We Live Security