Why companies need to implement a ‘zero trust’ approach to their cybersecurity model
People tend to trust too much, and that’s especially true when it comes to security. Companies need to adopt a zero-trust cybersecurity model if they want to protect against today’s cyber threats. As the cybersecurity landscape changes, as new threats evolve and emerge, companies need to do a lot to stay on the bleeding edge. One of the things companies need to do is forget trust.
The zero-trust cybersecurity model sounds odd, because we all think about trust and trust is so important for all of us. The name itself is something of an oxymoron, which makes it harder for people to understand what it is. But let me explain what zero-trust cybersecurity is in very simple terms: we inherently trust too much in our environment, and our inclination to trust too many things has led us to rely on forms of security that are really not helping us in the new world order.
Think of the old world order: you had a firewall, which was a perimeter. We used to trust that the firewall was going to keep the bad guys out, but the reality is that the bad guys are already in our environment. The reality is also that we’ve got a lot of mobile workers and we’re using SaaS and infrastructure as a service, so the danger is also not residing within the walls that the firewalls were previously protecting.
So that model has got to change. And going back to the word trust, we cannot trust a firewall anymore just by itself, and we’ve got to now really think of a world where we can’t trust these elements of security and we’ve got to go to a model where we explicitly trust things. So instead of implicitly trusting, we’ve got to go to explicitly trusting.
“We Cannot Trust A Firewall Anymore…”
Let me give you a kind of funny example. When you’re at home and you’re sleeping in bed, you inherently trust your environment because the front door’s locked, the windows are locked, and so forth. But just imagine now that the windows were open and the doors were open. How would you think about security at home? I’d like to think that we’d probably put a lock on our bedroom door, right? And that’s the mindset that the IT professional has to adopt now as well. I’m not saying get rid of the firewall, but instead of relying on that firewall alone, we have to start explicitly trusting things within our environment.
First Component Of Zero-Trust Cybersecurity
Let me walk you through the key components of zero trust. The first component is knowing the user: really understanding who the user is in your environment. As you know, we typically understand users today by their username and password, which is a really primitive way of understanding who a user is. What we really need to implement within our environment is better ways of understanding who that user is. Technology like multi-factor authentication can help us understand who this particular person coming into the environment is. So that’s the first element of zero trust: understanding the user. It’s all about identity.
Second Component of Zero-Trust Cybersecurity
The second component is knowing the device that they’re using to connect into the network. So typically, we use one of these things to access our network. So, it’s coupling knowing the user and knowing their device. When I say know their device, I mean understand the security posture of their device. So, if you’re using a mobile phone, let’s make sure it belongs to Bill. Let’s make sure it hasn’t got any kind of vulnerabilities on it. If you’re using a Windows machine, let’s make sure it hasn’t got a virus on it.
So fundamentally it’s about making sure that the endpoint used to connect into your environment has a certain amount of security posture, and that it’s worthy within the environment. So that’s the second element. First, knowing the user; second, knowing the device.
Third Component of Zero-Trust Cybersecurity
The third component applies once the person has access to something. Let’s say this person Bill has access to Salesforce.com, or let’s say this person Jane has access to a Windows machine running QuickBooks: let’s make sure that there’s the least amount of access and privilege on that resource. So, if Bill’s a salesperson, and he’s just a salesperson, not a regional manager, he should not be able to see everything within Salesforce. The same goes for Jane. It’s a very simple concept, and one that most security professionals should understand: the concept of least privilege. Giving people the least amount of access needed to do their job.
And then lastly, there is learning from all three of these elements (the user, the device, the least privilege) and adapting your policies. So, it’s constant learning, adapting, and changing of the policies.
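The sketch below is an added example, not code from the article or from any product, showing how the three components combine into one default-deny access decision, with a denial summary as a stand-in for the learn-and-adapt step. The role names, the `crm` resource, the action names and the sample requests are all constructed assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Constructed least-privilege table: role -> resource -> permitted actions.
ROLE_GRANTS = {
    "salesperson": {"crm": {"read_own_accounts"}},
    "regional_manager": {"crm": {"read_own_accounts", "read_all_accounts"}},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool       # component 1: know the user
    device_owner: str      # component 2: know the device
    device_healthy: bool   # patched and free of known malware
    resource: str          # component 3: least privilege
    action: str

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Grant access only when every check passes explicitly (default deny)."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("user_not_verified")
    if req.device_owner != req.user:
        reasons.append("device_not_owned_by_user")
    if not req.device_healthy:
        reasons.append("device_posture_failed")
    if req.action not in ROLE_GRANTS.get(req.role, {}).get(req.resource, set()):
        reasons.append("action_exceeds_role")
    return (not reasons, reasons)

def denial_summary(requests: list[AccessRequest]) -> Counter:
    """Fourth element: count denial reasons so policies can be reviewed and adapted."""
    return Counter(r for req in requests for r in evaluate(req)[1])

# Constructed sample requests (Bill and Jane are the article's example users).
SAMPLE = [
    AccessRequest("bill", "salesperson", True, "bill", True, "crm", "read_own_accounts"),
    AccessRequest("bill", "salesperson", True, "bill", True, "crm", "read_all_accounts"),
    AccessRequest("jane", "salesperson", False, "bill", False, "crm", "read_own_accounts"),
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.user, req.action, evaluate(req))
    print(denial_summary(SAMPLE))
```

A role or resource missing from the table yields no grants, so an unknown role is denied rather than trusted implicitly.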
“Hacked Passwords Cause 80% of Breaches”
So how do organizations shift to this model? A lot of organizations spend time on classic cybersecurity technologies: firewalls, anti-virus, intrusion detection, vulnerability management, and so forth, which I recommend as a needed foundation. But if you look at all the data out there, the Verizon breach report states that 80% of breaches are due to compromised credentials. In other words, someone steals our passwords to log in to an environment and then steals information, and so forth.
A lot of mid-size companies are still grappling with just simple passwords. So the first thing I would recommend everybody do within their organization is implement least privilege. And then secondly, implement the least privilege model, where you really limit access and privilege within the environment.
I think the only pragmatic approach that organizations can apply today is to follow the zero-trust cybersecurity model. It’s a very prescriptive model. It’s based upon real data in the marketplace, from companies like Verizon and others that are assessing a lot of vulnerabilities and a lot of breaches, and that are fundamentally telling the industry that it needs to focus on the identity problem.