Implementing a zero trust policy against cyberattacks
Zero trust has been a hot topic for the Top Business Tech team over the last couple of months. We have seen an uptick in article views for this topic, and so we have gathered our top-ranking articles together in this podcast.
With the drastic rise in cyberattacks during 2020 and 2021, it has become clear that having a zero trust policy is no longer a ‘nice to have’, but an absolute necessity. The concept of ‘zero trust’ is not new; originally defined in Stephen Paul Marsh’s doctoral thesis on computational security in 1994, it became a key cybersecurity concept when Forrester’s John Kindervag reignited it in the late 2000s. The main idea behind zero trust is that cyberattacks could come from within the company as well as from outside.
Paul German, CEO, Certes Networks, recently spoke to Top Business Tech about how, until recently, the debate around zero trust has remained – in his view – focused solely on authenticating the user within the system. It has done this instead of taking a more holistic approach and looking at user authentication and access to sensitive data using protected micro-segments. This concept has changed with NIST’s Special Publication; no longer is the network the focus of zero trust; finally, it is the data that traverses the network.
With most countries implementing some sort of GDPR-style rule, it has become important for companies that hold a lot of data to secure their sensitive information. It is more important than ever that organizations adopt a cybersecurity stance that can ensure – and maintain – compliance or information assurance. In addition, enterprises are encouraged to observe and collect as much information as possible about their asset security posture, network traffic and access requests, process that data, and use any insight gained to improve policy creation and enforcement dynamically.
Implementing a zero trust policy is a practical response to the constant worry of cybercriminals accessing a company’s network. Zero trust implements a process where users are denied access from outside networks if they cannot authenticate themselves and prove their permission to access the data.
So, how should companies adopt a zero trust initiative? Charles Griffiths, Head of IT and Operations at AAG-IT.com shared his tips for implementing a zero trust policy with Top Business Tech.
Firstly, strong identities are a fundamental part of zero trust, and they’re critical for establishing trust and access within the environment. Strong identities are also important for supporting a zero trust framework because they verify users before accessing systems. One method of enabling strong identity is to leverage multifactor authentication methods such as two-factor (2FA) or mobile authentication.
Next up, multifactor authentication is not a single approach but several methods that can be deployed together to add levels of trust on top of an identity framework. The three basic approaches to authentication are:
- Single-factor authentication (SFA) is based on something you know, such as a user ID and password or PIN. It’s the most common authentication method used today.
- Multifactor authentication (MFA) is based on something you have, such as a security token, smart card, or mobile device. MFA can be combined with SFA.
- Continuous authentication (CFA) is a method of confirming identity in real time. It’s accurate, convenient and prevents attacks that have been successful in the past because it doesn’t rely on static data.
MFA and CFA are the recommended levels of security within a zero trust framework.
Griffiths recommends passwordless authentication methods to his clients, such as the YubiKey, a hardware-based device that replaces passwords. It’s a durable, inexpensive and convenient method of strong authentication that works over USB (as an HID device) or NFC.
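To make the layering concrete, here is an added example (not code from the article, from Griffiths, or from any product named here) of a login check that combines something you know with something you have. The password check is a salted PBKDF2 hash compared in constant time; the second factor is an RFC 6238 time-based one-time code computed with the standard library, the same scheme a phone authenticator app implements. The user store, the password and the TOTP seed are constructed for the example; in practice they would live in an identity provider.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30
TOTP_DIGITS = 6


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed demo user record: salted password hash plus the shared TOTP seed."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def check_password(user: dict, password: str) -> bool:
    """Factor 1, something you know: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): the code an authenticator app shows."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def check_totp(user: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2, something you have: accept the current 30 s step plus +/- `window`
    steps of clock drift. Malformed input is rejected before any comparison."""
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], unix_time + drift * TOTP_STEP)
        ok |= hmac.compare_digest(expected, code)
    return ok


def authenticate(user: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Default deny: both factors are always evaluated and both must pass.
    A correct password alone never grants access."""
    now = int(time.time()) if unix_time is None else unix_time
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed credentials; the seed is the RFC 4226/6238 test-vector key.
    demo = make_user("correct horse battery", b"12345678901234567890")
    print("current code:", totp(demo["totp_secret"], int(time.time())))
    print("login with bad code:", authenticate(demo, "correct horse battery", "000000"))
```

Both factors are evaluated even when the first fails, so a wrong password and a wrong code take the same time; the drift window of one step is the usual compromise between tolerance for phone clocks and the number of codes accepted at once.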
Network segmentation and the ability to implement network controls allow traffic policy to be implemented for each department and application. By taking advantage of micro-segmentation, a network can introduce finer levels of granular controls within the firewall or perimeter to limit access, and protect against denial-of-service attacks, etc.
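The following is an added example, not code from the article or from any vendor mentioned in it, of what a micro-segmentation policy looks like when written down and replayed against flow records. The segment names, address ranges, allow rules and the four sample flow lines are all constructed for the example. The point it shows is the default: a flow that matches no rule is denied, including traffic between two workstations inside the same department, which is the path that an unsegmented network leaves open.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed segment map: one address range per department or application.
SEGMENTS = {
    "finance-users": ipaddress.ip_network("10.10.0.0/24"),
    "hr-users":      ipaddress.ip_network("10.20.0.0/24"),
    "payroll-app":   ipaddress.ip_network("10.100.1.0/28"),
    "web-app":       ipaddress.ip_network("10.100.2.0/28"),
}

# Allow rules as (source segment, destination segment, protocol, destination port).
# Every flow not listed here is denied, including east-west traffic inside one
# segment; each department or application gets only the paths it needs.
ALLOW_RULES = {
    ("finance-users", "payroll-app", "tcp", 443),
    ("hr-users",      "payroll-app", "tcp", 443),
    ("finance-users", "web-app",     "tcp", 443),
    ("hr-users",      "web-app",     "tcp", 443),
}


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment, or None if it is outside every defined range."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under the default-deny policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint outside every defined segment"
    if (src, dst, proto.lower(), dport) in ALLOW_RULES:
        return "allow", f"{src} -> {dst} {proto}/{dport} is an approved path"
    if src == dst:
        return "deny", f"no rule permits east-west traffic inside {src}"
    return "deny", f"no rule permits {src} -> {dst} {proto}/{dport}"


def audit_flows(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Replay flow records of the form 'SRC DST PROTO DPORT' through the policy."""
    results = []
    for line in log_lines:
        src_ip, dst_ip, proto, dport = line.split()
        verdict, reason = evaluate_flow(src_ip, dst_ip, proto, int(dport))
        results.append((line, verdict, reason))
    return results


# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = [
    "10.10.0.5 10.100.1.3 tcp 443",    # finance user to payroll app over HTTPS
    "10.20.0.9 10.100.1.3 tcp 22",     # HR user to payroll app on a port with no rule
    "10.10.0.5 10.10.0.7 tcp 445",     # finance workstation to another finance workstation
    "192.168.50.2 10.100.2.2 tcp 443", # source address outside any segment
]

if __name__ == "__main__":
    for line, verdict, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:5} {line:34} {reason}")
```

Replaying historical flow logs through a policy like this before enforcing it is the usual way to find the legitimate paths a first draft of the rules forgot, without cutting anyone off.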
Finally, it is essential to secure ALL devices on your network. Allowing unaudited and unpatched devices onto your network has the potential to cause a lot of damage. It was fairly easy to block all devices that weren’t part of your network policies in the past. Still, today’s world involves BYOD (Bring Your Own Device) and other scenarios where users and vendors connect new or unapproved devices to the network regularly. Therefore, organizations must view every user device as a potential threat and limit access to sensitive resources.
Tom McVey, Solution Architect at Menlo Security, has also said that zero trust can be achieved in the truest sense by using isolation technology. Isolation is a completely new way of thinking about security with a zero-trust-first mindset. It completely removes the opportunity for any attackers to gain a foothold in the working environment, quite literally barring malicious payloads from their target endpoints.
With isolation, the browsing process is moved from the desktop to the cloud, creating something of a digital ‘air gap’ between the Internet and the endpoint. All content is cleaned and safely rendered from the cloud browser so that when employees go to conduct typical daily tasks, such as interacting with emails and browsing the internet, there is complete peace of mind.
All email and web traffic moves through this isolation layer, where the content is visible but never downloaded to the endpoint. At the same time, the user experience is identical to the one on the desktop, with no impact on performance or interruption in workflow.
However, Pete Smith, archTIS VP and General Manager of EMEA, recently told Top Business Tech that there is a blind spot not currently being addressed, and that because of it we’re likely to see a deflation of the zero trust hype: securing the data itself. Unfortunately, without applying the same principles of zero trust to the data behind the network it protects, we’re still in for a host of data breaches caused by what the security world calls ‘insider threats’. The term covers everything from corporate spies and moles deliberately leaking information or selling it to the highest bidder, through to negligent office workers leaving a laptop on a bus or sharing a file with the wrong email address.
Attribute-Based Access Control
Fortunately, there is a solution to stop data loss from negligent and malicious insiders altogether: Attribute-Based Access Control (ABAC). ABAC extends the zero trust security model to the file level. Instead of granting access to a document on a server automatically because you are already authenticated into the system, it determines separately whether you can access each file. It does this by evaluating attributes (characteristics of the data and/or the user) to decide a given file’s access, usage and sharing rights.
The advantage of a data-centric, ABAC-based security approach is that an individual file’s access rights can be adjusted dynamically, in real time, based on the sensitivity of the file and the user’s context, with each file’s attributes evaluated and validated on every request. The attributes include the file’s security classification and permissions, and the user’s security clearance, time of day, location, and device type; together they determine who can access, edit, download, or share a particular file. Like zero trust network architecture, ABAC sets the default to deny access unless these attributes can be validated against business policies governing access and sharing conditions.
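Here is an added example, not code from the article or from archTIS, of a small ABAC decision function using exactly the attributes the paragraph lists: the file’s classification and owning department on one side, the user’s clearance and department plus the request’s time of day, location and device on the other. The classification ladder, the rules and the sample users and files are constructed assumptions. Every action starts out denied and is permitted only when no rule objects, so the rights a user holds on a file change as their context changes.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed classification ladder; a user needs clearance at or above the file's level.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
ACTIONS = ("access", "edit", "download", "share")


@dataclass(frozen=True)
class FileAttrs:
    name: str
    classification: str
    owner_dept: str


@dataclass(frozen=True)
class UserAttrs:
    user_id: str
    clearance: str
    dept: str


@dataclass(frozen=True)
class Context:
    hour: int            # local hour (0-23) at which the request is made
    location: str        # constructed values: "office", "home", "abroad"
    device_managed: bool # True when the request comes from a managed corporate device


# A rule returns a denial reason, or None when it has no objection to the request.
Rule = Callable[[str, UserAttrs, FileAttrs, Context], Optional[str]]


def clearance_rule(action, user, f, ctx):
    if CLEARANCE_RANK[user.clearance] < CLEARANCE_RANK[f.classification]:
        return f"clearance '{user.clearance}' is below classification '{f.classification}'"
    return None


def device_rule(action, user, f, ctx):
    # Copies of confidential-or-higher files may only be taken on managed devices.
    if action in ("download", "share") and CLEARANCE_RANK[f.classification] >= 2 and not ctx.device_managed:
        return "download/share of sensitive files requires a managed device"
    return None


def location_rule(action, user, f, ctx):
    if f.classification == "secret" and ctx.location != "office":
        return "secret files may only be opened on site"
    return None


def time_rule(action, user, f, ctx):
    if action in ("edit", "share") and not 7 <= ctx.hour < 20:
        return "edit/share permitted only between 07:00 and 20:00"
    return None


def share_rule(action, user, f, ctx):
    if action == "share" and user.dept != f.owner_dept:
        return "only the owning department may share the file"
    return None


RULES: List[Rule] = [clearance_rule, device_rule, location_rule, time_rule, share_rule]


def decide(action: str, user: UserAttrs, f: FileAttrs, ctx: Context) -> Tuple[bool, str]:
    """Default deny: the action is permitted only if every rule returns no reason."""
    if action not in ACTIONS:
        return False, f"unknown action {action!r}"
    for rule in RULES:
        reason = rule(action, user, f, ctx)
        if reason:
            return False, reason
    return True, "all attribute checks passed"


def rights(user: UserAttrs, f: FileAttrs, ctx: Context) -> Set[str]:
    """The set of actions this user currently holds on this file in this context."""
    return {a for a in ACTIONS if decide(a, user, f, ctx)[0]}


# Constructed sample users and files.
ALICE = UserAttrs("alice", "confidential", "finance")
BOB = UserAttrs("bob", "internal", "hr")
FORECAST = FileAttrs("q3-forecast.xlsx", "confidential", "finance")
BOARD_PACK = FileAttrs("board-pack.pdf", "secret", "finance")

if __name__ == "__main__":
    in_office = Context(hour=10, location="office", device_managed=True)
    at_home_late = Context(hour=22, location="home", device_managed=False)
    for who, what, where in [(ALICE, FORECAST, in_office), (ALICE, FORECAST, at_home_late),
                             (BOB, FORECAST, in_office), (ALICE, BOARD_PACK, at_home_late)]:
        print(f"{who.user_id:6} {what.name:18} {where.location:7} {sorted(rights(who, what, where))}")
```

The reason string returned by `decide` is what an audit log should record: a denied download from an unmanaged laptop and a denied download for insufficient clearance are different events for an incident responder, even though the user sees the same result.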
If you need any further information around this topic, please search zero trust on the Top Business Tech website, and all of our relevant articles will pop up. I can highly recommend 17 IT leaders on why your organization needs zero trust, with tips on implementation. Our editor Amber spoke to several CTOs, who shared their views on zero trust, and they provided advice on how best to implement it.