The present environment of increasing cyberattacks has many organizations racing to patch holes and fortify their defenses. If you’re looking for maximum security to protect privacy and other valuable assets, the Zero Trust security framework may be the ultimate solution. Under this security philosophy, no interaction between any person, device, application, or server may rest on an assumption of trust. Every transaction must be verified before data or other assets are released.
At the moment, you can’t simply buy Zero Trust security (ZT). It isn’t a single product or a service. It’s a prescriptive methodology for how cyber systems should work. It may involve a number of different technologies and policies, including role-based access control, inventory tracking, multifactor authentication systems, and auditing. While you can’t simply buy your way to Zero Trust security, many companies have created products and services that make it easier to build your way to total security control. See this list from SC Magazine if you’re looking for a starting point in implementing ZT in your networks.
If you own a small or medium-sized business (SMB), this all may seem quite a bit over the top. But according to Verizon, small businesses account for 43% of data breach victims. With this year’s sudden increase in employees working from home and organizations adopting Bring-Your-Own-Device policies to compensate for the unavailability of computing options, most organizations’ attack surface has drastically increased. The risk to SMBs has risen sharply, since they typically have less access to sophisticated security controls. But fear not: ZT implementation can offer a great deal of protection against spear phishing and lateral network movement in the new surfaces of your network. And it doesn’t have to cost an arm and a leg.
Whereas the Principle of Least Privilege (PLP) grants access and permissions according to a person’s role or duty, allowing that person to act freely within the bounds of their function, ZT requires that every action taken be verified as authentic or authorized. This makes it much more likely that unauthorized actions hidden among legitimate behaviors will be detected and stopped at the first sign.
This may sound tedious and time-consuming, but when ZT is implemented using available ZT network protocols, what the people using the system experience is almost indistinguishable from ordinary computer use.
For example, the Host Identity Protocol (HIP) extends the IP address system to include public key encryption for verifying the identity of network users. It also introduces a new layer in the TCP/IP stack that effectively decouples the transport layer from the Internet layer and binds address space to identity. In plainer terms, every user must let HIP bind their identity to their IP address using public key encryption, so an unauthorized user can’t access a secure site without first cracking that encryption. This is a starkly different treatment of IP addresses from how most of the Internet works at present, where an IP address cannot be reliably assumed to equate to identity without a great deal more evidence.
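To make the idea concrete, the following Go sketch is an added example (not from the original article or from any HIP implementation) that admits a peer by a key-derived identifier and a signed challenge, never by its source address. The tag layout, the `Hello` message, the use of Ed25519, and every name here are assumptions made for illustration; HIP's real tag encoding and handshake differ in detail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/netip"
)

// identityTag maps a public key to an IPv6-shaped identifier: a fixed prefix
// plus the first 96 bits of SHA-256(key). Simplified stand-in for HIP's tag.
func identityTag(pub ed25519.PublicKey) netip.Addr {
	sum := sha256.Sum256(pub)
	a := [16]byte{0x20, 0x01, 0x0d, 0xb8} // 2001:db8::/32, documentation prefix
	copy(a[4:], sum[:12])
	return netip.AddrFrom16(a)
}

type Hello struct { // constructed message a connecting peer presents
	Pub ed25519.PublicKey
	Sig []byte // signature over the verifier's fresh nonce
}

// admit decides on identity only: the key must hash to an allowed tag and the
// peer must prove it holds the private key. The source address is ignored.
func admit(allowed map[netip.Addr]bool, nonce []byte, _ netip.Addr, h Hello) bool {
	if len(h.Pub) != ed25519.PublicKeySize || !allowed[identityTag(h.Pub)] {
		return false // malformed key (Verify would panic) or unknown identity
	}
	return ed25519.Verify(h.Pub, nonce, h.Sig)
}

func demo() [4]bool { // four constructed connection attempts
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	allowed := map[netip.Addr]bool{identityTag(pubA): true}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	office, cafe := netip.MustParseAddr("192.0.2.10"), netip.MustParseAddr("198.51.100.7")
	return [4]bool{
		admit(allowed, nonce, cafe, Hello{pubA, ed25519.Sign(privA, nonce)}),   // known key, new address
		admit(allowed, nonce, office, Hello{pubB, ed25519.Sign(privB, nonce)}), // familiar address, unknown key
		admit(allowed, nonce, office, Hello{pubA, ed25519.Sign(privB, nonce)}), // A's key, signed by B
		admit(allowed, nonce, office, Hello{pubA[:8], nil}),                    // truncated key
	}
}

func main() { fmt.Println(demo()) } // [true false false false]
```

Only the first attempt is admitted: the known key is accepted from an unfamiliar address, while a familiar address buys nothing without the matching private key. The nonce must be fresh for each connection so that a captured signature cannot be replayed.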
Excepting robbery, vandalism, natural disasters, and zero-day attacks that rely on highly technical manipulation of discovered design flaws, virtually all modern cyberattacks can be prevented by adhering to ZT principles. So why isn’t ZT being implemented everywhere?
For most people who use computers every day, convenience is a major factor. Do you have two-factor authentication turned on for your email account? Would you be fine with completing 2FA prompts every time you log in, on any device, no matter what? How about every time you open an email? Open an attachment? Send an email? Delete an email? How far people are willing to take ZT is a balancing act between security and convenience. That’s why it’s critically important to seamlessly integrate ZT into basic protocol layers and core systems where human priorities can’t interfere with their function.
And it’s equally important to support organizations engaged in research and development that bring ZT to new areas of network infrastructure and computing in general. Check out these projects from organizations that have done great work in implementing Zero Trust:
- The Internet Engineering Task Force: Host Identity Protocol
- The Cloud Security Alliance: Software-Defined Perimeter
- Centrify: Zero Trust Privilege
- Cisco: Cisco Zero Trust
- Cloudflare: Zero Trust Application Access
If your team is ready to take steps toward Zero Trust security policies, you’ll also want to know that your network endpoints are secure. Don’t blindly trust that your devices are protected. With new zero-day attacks always around the corner, consumer antivirus software is not sufficient to protect your business. With breach and attack simulation, you don’t have to wait to get attacked to find out if your systems are vulnerable. Our platform allows leaders in IT and cybersecurity to orchestrate verification of any virtual image against a library of the cyber threats that pose the greatest risk to your goals. Our team of engineers is also actively engaged in research to produce new zero-day attack patterns to keep you protected from future exploits. Request a demo of our breach and attack simulation platform today.