Never Trust, Always Verify to Improve Data Security
As technologies and threats evolve, so must protection techniques.
In today’s environment, the network no longer can be considered a safe zone. Every asset an organization possesses and every transaction it conducts must be secured as if it were a standalone item continually exposed to the full range of cyber threats. The realization that perimeter protection alone is not sufficient has led to the security concept of Zero Trust. In this never-trust/always-verify approach, all entities and transactions rely on multiple solutions to work together and secure digital assets.
Breaches and data theft have become all too common. A little over a year ago, cybersecurity researchers found a file on the dark web containing 1.4 billion username and password combinations that had been collected from sites such as LinkedIn and Netflix as well as from popular online games. The file was in plain text, so hackers didn’t need to be sophisticated cyber criminals to use it and log into other peoples’ accounts.
The threats are worse for corporations and federal agencies. According to New York University’s Program on Corporate Compliance and Enforcement, security breaches and hacking are now costing publicly traded companies billions of dollars. A 2018 Ponemon Institute study puts the average cost of a data breach to an organization in 2018 at $3.86 million, a year-on-year increase of 6.4 percent. Of the more than 100 information technology security professionals from U.S. federal agencies surveyed in the federal government edition of the Thales 2018 Data Threat Report, 57 percent reported a breach in the previous year.
One maxim has never been truer: There are two types of organizations: those that have been hacked and those that don’t know it yet. As America’s first cybersecurity czar, Richard Clarke, said in 2010, “It’s almost impossible to think of a company that hasn’t been hacked.”
Traditionally, organizations have attempted to foil attackers and prevent breaches by strengthening their network’s perimeter defenses. However, the growing use of cloud applications, which effectively extend an organization’s network outside its perimeter, combined with the relative ease with which even sophisticated perimeter defenses have been breached means that organizations can no longer depend on them. This reality is forcing organizations to rethink their approach to cybersecurity.
Forrester introduced the Zero Trust concept in 2010. For the approach to be effective, security must be applied in an integrated manner at four levels: user, application, data and network. Access to services is authenticated using strong and step-up authentication; highly critical data is accessed through more rigorous authentication methods. Applications and data, including unstructured data sources, are protected separately. Cloud security is accorded the same importance as on-premise network security, and advanced analytics and machine learning are widely used for better detection of threats and breaches.
Creating a Zero Trust organization is a four-step process. An organization must establish strong identity governance and authentication; institute centralized privileged access management; ensure application security and data governance, including unstructured data; and improve network and cloud security.
Although these steps may seem a massive and costly undertaking, not all data and not all business processes are equal, so they do not require the same levels of security. A delivery person’s route, for example, is less important to a business than the personally identifiable information of the delivery person’s customers.
Investments in digital identity and its supporting processes, which is the first step, play a foundational role. In a Zero Trust environment where access to every resource is authenticated, strong identity governance establishes a repository of trusted identities and validated access points that informs every other security process.
Applying authentication to every transaction is the foundation that ensures access is granted only to trusted users and accounts and the principle of least privilege is followed. For example, the delivery person needs to know the customer’s address but does not need to know the customer’s purchase history.
Complex environments require authentication to be heightened as risk increases. For example, an accountant who can access a critical data repository from agency headquarters must not be able to access the same data over the Internet from a rogue nation-state or an airline terminal at 2 a.m. without additional validation. A Zero Trust architecture automatically recognizes varying levels of risk and deploys risk-based adaptive authentication solutions such as multifactor.
In step two, establishing centralized privileged access management, organizations must protect direct access to sensitive and critical data and hosts. Also, the importance of effective governance and lockdown of privileges increases.
When compromised, privileged accounts can expose sensitive data to theft, allow malware to be installed on devices and within networks, and harm an organization’s operations, financials and reputation. Forrester estimates that 80 percent of security breaches involve privileged credentials, the majority from the network professionals employed to administer and secure those assets.
In a Zero Trust organization, effective governance locks down those privileged accounts. They are continually questioned and instantly revocable. Administrative traffic is funneled through a centralized privileged access management system, ensuring the effective implementation of an organization’s cybersecurity policies. This technique creates a “chokepoint of trust” and immediately adds significant value in improving the organization’s security posture.
The third step in creating a Zero Trust organization is to protect all applications and data. Common application security controls, software assurance, threat modeling and vulnerability management practices protect applications, hosts, databases and the structured data stored within them. These controls are applied consistently and comprehensively in a Zero Trust organization.
However, by most estimates, 80 percent of a typical organization’s data resides outside those applications. It is found in files on the network and cloud folders, in enormous and ever-increasing volumes that are difficult to read and manage. Historically, that data has been neglected, exposing it to loss and theft. In addition to restricting access to this information, trusted identities and privileged accounts, other data protection measures are applied to safeguard them from inherent vulnerabilities, exposures and external threats.
The final step to creating a Zero Trust organization is to develop better network and cloud security that acknowledges that networks connect users, applications and data. The cloud should be treated as an increasingly critical part of the network. According to IDG, 90 percent of companies will have part of their applications or infrastructure in the cloud by 2019 and the remaining 10 percent by 2021. That is a great deal of business-critical data.
To protect cloud access, Zero Trust organizations monitor cloud activity and gateways and strongly authenticate access.
Inherent to each of the solutions is the need to achieve better protection through better detection. This can be accomplished through advanced analytics.
The infrastructure of today’s increasingly digital enterprise is complex and virtually impossible to protect without advanced analytics and machine learning. These tools allow an organization to proactively detect attacks, reducing the time it takes them to respond to and recover from breaches. According to the Ponemon Institute’s 2018 report, the average cost of a breach for organizations that fully deploy security automation is $2.88 million; without that automation, the estimated cost is $4.43 million.
Advanced analytics and machine learning need a technical infrastructure that can store and manage large volumes of diverse, real-time and historical security data. The return on investment of these infrastructure investments will be realized quickly in many ways, including the reduced number and cost of breaches. And, in place of the reputational harm of being breached, organizations will reap the reputational benefit of being known as secure.
Half-measures won’t work. In a Zero Trust organization, security measures are applied at the user, application, data and network levels, and all are given equal importance. Combined, these solutions enhance overall effectiveness. For example, a foundation of trusted identities can help protect unstructured data sources and inform cloud security measures. Behavior analytics can predict user actions, thereby better protecting application, data and network assets. Just as integration is key to business efficiency, Zero Trust organizations know that only integrated security solutions can protect against today’s complex threat environment.
Zero Trust is an approach to cybersecurity that helps government agencies and corporate enterprises adapt today’s technology to the threat landscape, reduce risk, increase security and lower costs. It is a paradigm shift but one that does not necessarily require organizations to adopt new, costly, breakthrough technologies. It does, however, encourage them to focus on the right areas to protect themselves in a more comprehensive fashion.
Cathy Hall is a cybersecurity expert and privileged access management practice lead at Sila.