Russian hackers have taught us that the era of the “trust but verify” approach to cyber security is over.
By Anne-Frances Hutchinson
“What’s a business to do? … Don’t freak out. But do get serious. Gone are the days when the only risk was having sensitive data stolen. Progress begins with you—what data and which systems are most important to your company? Prioritize from there. You can’t build perfect walls, and there is no silver bullet in cybersecurity, so don’t let your CIO or CISO tell you otherwise. You’ll need a diversity of approaches, and those approaches will have to evolve over time. If you didn’t believe it already, believe it now … ”
This advice for the C-suite came from Michael Sulmeyer, cybersecurity project director at the Harvard Kennedy School and former director of Plans and Operations for Cyber Policy in the Office of the Secretary of Defense, addressing how businesses should approach threats from Russian hackers and other state actors.
Despite the inexorable progression of cybercrime since Sulmeyer proffered his guidance, that guidance still holds up. What has collapsed in the aftermath of the FireEye-SolarWinds catastrophe is certainty. The lesson of this moment is no longer as subtle as it was four years ago, or even four months ago. It is stark and irrefutable: Trust no one.
“Organizations need to start thinking about a security methodology that relies less on blocking specific traffic by policy and actively moving towards a zero trust, positive security model that explicitly states which traffic between users and hosts can be allowed, or whitelisted,” said Tempered Networks CTO Bryan Skene in TechRepublic.
Introduced in 2010 by former Forrester principal analyst John Kindervag, the zero trust security model is rapidly gaining adherents. “Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access,” Mary K. Pratt of CSO explained.
The perimeter-centric approach to security that was the norm when Sulmeyer gave his advice is no longer viable because digital businesses have no perimeters. Instead, the zero trust approach meets security issues where they live now, in ecosystems where customers, employees, and vendors connect to data. When data moves, so does its security.
“As you extend your business into the cloud; outfit retail locations with beacons, facial recognition, and mobile point-of-sale solutions; and digitize physical environments with internet-of-things (IoT) components like sensors, telehealth devices, and connected cars, you dramatically expand your potential attack surface. The attack surface constantly changes with the movement of employees, customers, partners, and suppliers,” according to Forrester’s 2021 Zero Trust Playbook.
They add, “A Zero Trust approach never assumes trust; instead, it continuously assesses ‘trust’ using a risk-based analysis of all available information. It fundamentally shifts the focus from the network perimeter to an organization’s critical applications and data itself and marshals the functions of many security domains—such as network, identity, and application—into a unified data protection strategy.”
The model can help businesses meet their most critical objectives more securely in several areas, including protecting corporate reputations and reducing the opportunity for breaches, thus giving customers a higher level of confidence and loyalty.
Increased data security and privacy helps to build and keep customer trust. “Zero Trust requires you to clearly identify sensitive customer data, isolate it in its own microperimeter, restrict access to it, and protect it with encryption and other security controls that apply protection to the data itself.”
The model also can help security pros better protect intellectual property by consolidating security controls, policy, and management. “This approach, together with data protection technologies such as encryption, secures the firm’s most sensitive and revenue-generating data assets—wherever employees store, access, copy, or transfer them.”
While zero trust has gained significant interest since the FireEye-SolarWinds hack, it is the pandemic, the ultimate global disruptor, that is speeding up its adoption. “(P)andemic-driven disruption resulted in many organizations digitally transforming, accelerating cloud migration, and realigning workforce connectivity and management. These fundamental shifts can also increase an organization’s attack surface, driving the need to take a more modernized and agile approach to managing cyber risk,” said Deloitte Risk and Financial Advisory principal Andrew Rafla.
A recent Deloitte survey of over 595 respondents in organizations that have or plan to adopt the model found that the pandemic accelerated (37.4%) or didn’t slow down (35.2%) zero trust efforts. Over 35% employ the model for its ability to help businesses manage risks such as remote work and insider threats; nearly 25% use it to reduce the risk of threats from third parties such as vendors and suppliers, and over 20% indicated it helped ameliorate cloud risk.
Rafla pointed out that misconceptions exist about the complexity of embracing zero trust. “Getting started doesn’t mean a wholesale rip-and-replace effort is needed on the technology side, as existing and planned investments likely align at some level to the Zero Trust concept of least privilege,” he said.
“Rather, organizations should get a clear understanding of what needs to be protected, taking a use-case-driven and iterative approach to adoption that aligns with business objectives. Further, organizations should understand that Zero Trust is not dependent upon or solely focused on cloud environments—the concept can be applied to on-premise environments as well.”
“Zero Trust isn’t just a technology issue that you can buy a quick solution for, it’s an organizational change management issue that requires top leadership—led by CISOs, CIOs, and CTOs—to be involved in the proactive, holistic effort so that true success can be realized,” Rafla concluded.