To stay ahead of the curve with IT security, your organization’s thinking needs to continually evolve. Threats keep changing and coming at you faster and from more directions. While protecting your IT perimeter has long been the way to go, new challenges, including cloud computing and the ability for employees (and others) to access your data through multiple devices, mean you need to protect your data at the granular level — and trust no one.
Here’s why your business needs to be ready for the zero-trust model:
Reason #1: Your infrastructure is no longer centralized.
With traditional, centralized infrastructure — which includes on-premises infrastructure, colocation and private cloud — you know where your information is located. It’s within your own infrastructure. To protect it, you can use sophisticated devices and tools to manage network security and you can hire experts to monitor your network activity and respond quickly to any problems. Firewalls, Unified Threat Management (UTM), Virtual Private Networks (VPN) and captive portals all help strengthen the perimeter around your IT fortress.
However, with cloud computing, which also includes hybrid environments of traditional and cloud computing, your infrastructure is no longer centralized. Some of your data is located outside the infrastructure you manage. That data can be (and probably is) spread around the world. Unfortunately, you can’t build a fortress around the world.
Reason #2: You can’t be sure everyone who has gained access to your data can be trusted.
With traditional infrastructure, once users have gained access to your network (usually via a username, password and possibly another factor), they are in. They can access any of the data their credentials allow. To keep the wrong people from accessing data, you can segment your network into different areas, each requiring additional permissions. Tools that provide port-level security and detect network intrusions add another layer of internal protection.
But it doesn’t matter how many layers of protection you have within your network if an intruder has acquired the credentials needed to impersonate a trusted user, especially a trusted high-level user. And while 24-7-365 monitoring can detect suspicious activity that your IT team can (hopefully) respond to quickly, even the best tools and team can’t distinguish between a real trusted user and a fake one until the fake one does something that sends up a red flag.
Phishing scams are incredibly successful (think Target, Home Depot and John Podesta), and so are socially engineered attacks (think Sony). And trusted users (think Edward Snowden) can go rogue.
Reason #3: Cyber threats are increasing, not decreasing.
Along with increases in phishing and social engineering scams, organizations of all sizes have to deal with ransomware attacks, breaches via third-party vendors, DDoS attacks, Business Email Compromise (BEC) — the list of threats keeps growing. Cybercrime is an extremely lucrative business that’s becoming increasingly popular and sophisticated. Hackers can buy malware off the shelf or as a service on the dark web just like you can buy Microsoft Office or a subscription to Netflix on the surface web. While it’s critical to stay current with security awareness training, third-party risk management and other security best practices, bad actors will keep coming up with new ways to rip people off.
And the fact that your network can be accessed by a multitude of connected devices – and not just employee desktops – makes security even more complicated and makes it more likely that traditional security models will be overwhelmed.
So how does your organization keep up? Trying to continually stay one step ahead of cyber criminals takes you away from what you really need to be focusing on — meeting your business goals.
What is the zero-trust model?
In 2010, John Kindervag, a principal analyst at the technology research and advisory firm Forrester Research, Inc., described a fresh approach to cybersecurity. Rather than trusting people simply because they have accessed the network, you trust no one by default. Being inside the network shouldn’t give you the keys to the castle, because what if you snuck in? Kindervag explained that the best way to keep systems safe is to automatically trust nothing and no one. Rather, everything and everyone must be verified before gaining access to data.
The granular zero-trust approach is based on the principle of least privilege, which grants access only to those individuals who need the data to do their jobs.
Fewer people with access to your data means less risk to your business and business continuity.
Also central to the zero-trust concept is logging and inspecting all traffic, both internal and external.
Think about the traditional security model for an email server. To access your email, you need your user ID and password. With the zero-trust model there’s an added step to verify your identity. By proactively registering your devices in advance, when anyone tries to log into your email account from an unregistered device, a notification is automatically sent to the registered devices asking whether to trust or not trust the new source. In this way, your registered (trusted) devices become part of the verification process. All traffic is inspected and verified before granting access. This creates a micro-perimeter around your email data with an access log that can be reviewed later.
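The trusted-device flow described above, written out as an added example (it is not code from the original post or from any particular email product). The user names, device ids and in-memory stores are constructed assumptions; a real deployment would persist them and push the prompt over a real channel.

```python
# Added example: a toy model of password-plus-trusted-device verification.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class MailAccessControl:
    trusted: dict = field(default_factory=dict)  # user -> set of registered device ids
    pending: dict = field(default_factory=dict)  # (user, new device) -> devices prompted
    audit: list = field(default_factory=list)    # every decision, reviewable later

    def _log(self, event, user, device, outcome):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "user": user,
                           "device": device, "outcome": outcome})

    def register_device(self, user, device):
        """Proactive registration: the device joins the user's trust set."""
        self.trusted.setdefault(user, set()).add(device)
        self._log("register", user, device, "trusted")

    def login(self, user, password_ok, device):
        """A correct password is never enough on its own; the device must be trusted."""
        if not password_ok:
            self._log("login", user, device, "deny:bad-password")
            return "deny"
        if device in self.trusted.get(user, set()):
            self._log("login", user, device, "allow")
            return "allow"
        notify = self.trusted.get(user, set())
        if not notify:  # nothing to ask, so an unknown device is simply refused
            self._log("login", user, device, "deny:no-trusted-device")
            return "deny"
        self.pending[(user, device)] = set(notify)  # prompt goes to trusted devices
        self._log("login", user, device, "pending:" + ",".join(sorted(notify)))
        return "pending"

    def respond(self, user, new_device, from_device, approve):
        """Only an answer from one of the prompted trusted devices counts."""
        key = (user, new_device)
        if from_device not in self.pending.get(key, set()):
            self._log("respond", user, new_device, "ignored:" + from_device)
            return "ignored"
        del self.pending[key]
        if approve:
            self.trusted[user].add(new_device)  # the new device is now trusted too
            self._log("respond", user, new_device, "approved-by:" + from_device)
            return "allow"
        self._log("respond", user, new_device, "rejected-by:" + from_device)
        return "deny"
```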
Who is using zero trust right now?
Do a Google search for “zero trust” and you’ll see hundreds of thousands of results. But which companies have transitioned successfully? Look no further than Google and Apple.
For its own network, Google uses a perimeter-less, zero-trust security framework called BeyondCorp. It uses four tiers of access — untrusted, basic, privileged and highly privileged. Google cataloged all of the devices that access its networks and all of the users associated with them, and assigned a trust tier to each internal service. Being Google, it also developed its own technology that evaluates policies, makes decisions about access, and collects device data and user behavior.
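As an added illustration of the tiered approach described above (this is not Google’s BeyondCorp code), the toy policy engine below derives a device’s tier from collected posture data, checks that the device is associated with the requesting user, and compares the tier against the one assigned to the service. The posture attributes, device catalog and service tiers are constructed assumptions.

```python
# Added example: a minimal four-tier access decision with an audit trail.
TIERS = ["untrusted", "basic", "privileged", "highly_privileged"]

SERVICES = {"wiki": "basic", "source-control": "privileged",
            "prod-admin": "highly_privileged"}  # minimum tier per internal service

def device_tier(posture):
    """Derive a trust tier from collected device data rather than asserting it."""
    if not posture.get("managed"):
        return "untrusted"  # unmanaged hardware gets the lowest tier
    if not (posture.get("disk_encrypted") and posture.get("os_patched")):
        return "basic"
    if posture.get("hardware_key"):  # e.g. a hardware-backed device identity
        return "highly_privileged"
    return "privileged"

def decide(user, device, service, inventory, audit):
    """Return 'allow' or 'deny:<reason>'; every decision is appended to audit."""
    rec = inventory.get(device)
    if rec is None:
        outcome = "deny:uncataloged-device"  # never in the catalog, never in
    elif rec["owner"] != user:
        outcome = "deny:device-not-associated-with-user"
    elif service not in SERVICES:
        outcome = "deny:unknown-service"
    else:
        have = TIERS.index(device_tier(rec["posture"]))
        need = TIERS.index(SERVICES[service])
        outcome = "allow" if have >= need else f"deny:tier-too-low({TIERS[have]})"
    audit.append((user, device, service, outcome))
    return outcome

INVENTORY = {  # constructed device catalog: id -> owner and last collected posture
    "laptop-a1": {"owner": "alice", "posture": {"managed": True, "disk_encrypted": True,
                                                "os_patched": True, "hardware_key": True}},
    "phone-a2": {"owner": "alice", "posture": {"managed": True, "disk_encrypted": True,
                                               "os_patched": False}},
    "byod-b7": {"owner": "bob", "posture": {"managed": False}},
}
```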
Google’s research into a new security approach was triggered by a series of cyber attacks from China against U.S. corporations and began the year before Forrester published its first zero-trust report.
A series of attacks also triggered Apple to adopt a zero-trust model for iCloud. In 2014, hackers got into iCloud by guessing celebrities’ email addresses and passwords. As a result, nude celebrity pictures were made public. Shortly thereafter, Apple began its policy of sending authentication codes to trusted devices whenever an untrusted device requests access to an iCloud app.
How can your organization move from the traditional security model to zero trust?
When it comes to protecting your own network, start by rethinking your “network.” If you’re using the cloud for any of your applications, you really don’t have a network anymore. You have a cacophony of applications spread across the web. These apps need to be organized and configured so they only grant access to people who actually work for you and who actually need access to do their jobs. In a decentralized IT environment, everyone who tries to access your data must be treated the same. With zero trust.
Transitioning to a zero-trust model is a significant change for most organizations. You’ll need to rethink your IT architecture from a data-centric perspective, which was the focus of Kindervag’s follow-up Forrester report. It all starts with:
- Setting standards for proving identity.
- Setting standards for securing devices that access your data.
- Setting standards for where and when your data and applications may be accessed.
No matter what security model you’re using right now and no matter where your data is located, you need to be encrypting your data. When your data is encrypted, it won’t be readable even if the wrong people intercept it.
Every day Leapfrog works with clients to ensure their data is secure and under their control — and under our watchful eye. Each of our managed IT services begins with security in mind, and our team is constantly researching and testing the latest security solutions and best practices. We believe protecting your data from internal threats is as important as guarding your IT perimeter, especially in today’s environment. That’s why we lock down your most sensitive data, encrypt everything, use solutions that grant access only to users who need the data, monitor traffic nonstop, and create audit trails so we can report on everything. These activities are all part of the zero-trust model that protects your data without slowing down your workers.
If you’re interested in learning more about how your organization can begin (or complete) its transition to the zero-trust model, we encourage you to contact us.
If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.