Cyber risk has been the number one concern in executive surveys for the last four years. In this regular feature, the information security professionals at Global Relay deliver a guide to everything that the C-suite should know but might be afraid to ask, and should be afraid not to know! This issue, we turn the spotlight on zero trust.
This has been the year of the cyberattack. Fast food companies, schools, utilities, computer manufacturers, insurance companies, and broadcasters have all fallen victim to ransomware attacks, data leakages, and other criminal activity.
The situation got so bad that US President Joe Biden signed an Executive Order (EO) in May 2021, requiring federal government agencies to work with private sector companies to protect their networks with stronger cybersecurity measures.
The EO contains seven actions:
- Remove barriers to threat information sharing between government and the private sector
- Modernize and implement stronger cybersecurity standards in the federal government
- Improve software supply chain security
- Establish a cybersecurity safety review board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cybersecurity incidents on federal government networks
- Improve investigative and remediation capabilities.
At the center of the second action – to modernize and strengthen cybersecurity standards – sit four security tools: secure cloud services, zero trust architecture, multifactor authentication, and encryption. Any organization aiming for cybersecurity best practice should be using them; creating a zero-trust environment is perhaps the most complex, requiring a three-pronged approach to people, process, and technology.
What is Zero Trust?
Traditionally, organizations have taken a perimeter-guarding approach to security, assuming that people able to access their networks are trustworthy and giving them almost unfettered freedom of movement within those networks. That may have worked in the past but cybercriminals’ increasing sophistication and the number of attacks coming from inside organizations mean that a new, more stringent approach is needed.
This is where zero trust comes in. The National Institute of Standards and Technology (NIST), in its Special Publication on zero trust architecture (SP 800-207), describes it as a “cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continuously evaluated.
“Zero trust architecture… encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g. read, write, delete) needed to perform the mission.”
Locking down the computers alone will not get you to zero trust; a computer is simply a tool. The key is to focus on the people (and the services) using those computers, and to control how much access they have to your systems by applying two principles: the principle of least privilege and the principle of separation of duty.
Principle of Least Privilege
This is the principle of allowing the people who use your systems to have just enough access to be able to do their work. For example, if I hire someone to come to my home to clean my bathroom, I don’t allow them to go into my bedroom – because they don’t need to be in my bedroom to clean my bathroom. They just need access to two things – the bathroom and the cleaning supplies.
If I store the cleaning supplies in my bedroom, then I have to either give the cleaner access to my bedroom or move the cleaning supplies to somewhere in my house that I’m happy to give the cleaner access to.
Principle of Separation of Duty
This is the principle that no one person should be able to carry out an entire critical chain of events on their own.
Critical events like a missile strike cannot be initiated by one individual. If they could, none of us would sleep easily, knowing that nothing stood between a single person's whim and a launch. Separation of duty is the check and balance that requires a second, independent person before the action completes.
Managing and Controlling Access
Once you have those principles in place, you then turn your attention to controlling who has access to your system, how much access they have, and what type of access they have.
These days, the danger of cyberattacks is increasingly coming from within organizations, so it is becoming increasingly vital to manage and control employees’ access to important systems. This involves verifying who a user is with multifactor authentication (including biometric factors such as facial geometry or fingerprints), and then controlling how they move through a system by re-checking identity and authorization at every request rather than once at login.
Holding a trusted account is the quickest way into any organization’s vital systems, whether the holder is a malicious insider or an outsider who has stolen the credentials. The answer is to trust no one implicitly, so that you protect yourself against internal and external threats alike.
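To make the two principles and the per-request access checks above concrete, here is a small policy decision function written for this article as an added illustration; it is not code from Global Relay or from NIST SP 800-207. The roles, resources, and actions are constructed sample data (the cleaner from the least-privilege analogy, plus a hypothetical payments workflow), and the rule names are assumptions chosen for clarity. Each request is evaluated on its own, with no session-wide trust: the role must hold exactly the permission being used (least privilege), sensitive actions require a verified second factor, and the person who initiated a payment may never be the one who approves it (separation of duty).

```python
"""Minimal zero-trust policy decision point (PDP), added as an illustration.

Constructed sample data: a 'cleaner' role (the bathroom analogy) and a
hypothetical two-person payments workflow. Not real product configuration.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Least privilege: each role is granted only the (resource, action) pairs it
# needs for its job. Nothing is inherited from "being on the network".
ROLE_PERMISSIONS = {
    "cleaner": {
        ("bathroom", "enter"), ("bathroom", "clean"), ("supply-closet", "enter"),
    },
    "payments-clerk": {("payments", "read"), ("payments", "initiate")},
    "payments-approver": {("payments", "read"), ("payments", "approve")},
}

# Actions that require step-up (MFA) and, where an initiator exists,
# a second, independent person (separation of duty).
SENSITIVE_ACTIONS: Set[Permission] = {("payments", "approve")}


@dataclass
class Request:
    subject: str            # who is asking (e.g. "alice")
    role: str               # the role they are acting under
    resource: str           # what they want to touch
    action: str             # what they want to do to it
    mfa_verified: bool = False
    initiated_by: Optional[str] = None  # for approvals: who created the item


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request. Every call starts from 'deny' and must earn 'allow'."""
    permission = (req.resource, req.action)
    granted = ROLE_PERMISSIONS.get(req.role, set())

    # 1. Least privilege: the role must explicitly hold this permission.
    if permission not in granted:
        return False, "deny: role '%s' lacks %s on %s" % (req.role, req.action, req.resource)

    if permission in SENSITIVE_ACTIONS:
        # 2. Step-up authentication: sensitive actions need a verified second factor,
        #    checked at this request, not just at login.
        if not req.mfa_verified:
            return False, "deny: MFA required for %s on %s" % (req.action, req.resource)
        # 3. Separation of duty: the initiator can never be the approver.
        if req.initiated_by is not None and req.initiated_by == req.subject:
            return False, "deny: separation of duty, initiator cannot approve own item"

    return True, "allow"


if __name__ == "__main__":
    # Constructed sample requests walking through each rule.
    samples = [
        Request("pat", "cleaner", "bathroom", "clean"),                      # allow
        Request("pat", "cleaner", "bedroom", "enter"),                       # deny: least privilege
        Request("bob", "payments-clerk", "payments", "approve", True),       # deny: wrong role
        Request("carol", "payments-approver", "payments", "approve"),        # deny: no MFA
        Request("carol", "payments-approver", "payments", "approve", True,
                initiated_by="carol"),                                       # deny: SoD
        Request("carol", "payments-approver", "payments", "approve", True,
                initiated_by="bob"),                                         # allow
    ]
    for s in samples:
        allowed, reason = decide(s)
        print("%-6s %-18s %-9s %-8s -> %s" % (s.subject, s.role, s.resource, s.action, reason))
```

The point of structuring it this way is that the decision takes no shortcuts based on where the request came from: a clerk inside the building and an attacker holding the clerk's stolen password both hit the same checks, and the stolen password alone cannot approve a payment because the second factor and the second person are evaluated on every request.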