Cybersecurity During a Pandemic — It’s Time for Zero Trust
- June 30, 2020
Leave it to cybercriminals to take a bad situation and make it worse. In recent years, tech-savvy fraudsters have made it a “best practice” to launch their attacks during times of crisis — from natural disasters to economic downturns — purposely preying on confused, anxious or desperate people. Their latest trick is to piggyback on the uncertainty of the COVID-19 pandemic, hoping to dupe distracted victims with phishing scams, malware or ransomware attacks, stealing identities and infiltrating businesses. It’s an especially opportune moment for the bad guys, as the global quarantine and mass migration to working from home has cybersecurity resources spread thin.
With individuals and companies at a heightened risk of damaging data breaches, cybersecurity professionals are working overtime to plug holes in their defenses and distinguish friends from foes. For many organizations, their best bet may be a fundamental shift in their security strategy. In short, when you don’t know who to trust, trust no one.
The problem with the old way
Traditional security architecture — defined by firewalls guarding the corporate network — is like a stone wall and moat around a castle. The perimeter is protected, while everything inside the castle walls is considered trustworthy. The trouble starts when an invader sneaks inside the castle and, now seen as a trusted ally, is free to roam around and cause unlimited damage. For many companies, their security architecture is akin to a series of moats around a castle. The center of the castle may be protected by outer rings of security, but as invaders cross each moat, they access increasingly more valuable information, until eventually they reach their ultimate prize. Both approaches suffer from risks.
The vulnerabilities of this trust-based system have only increased as the workforce has become more mobile and more dependent on cloud-based services to work from anywhere, any time, on any device. The pandemic has further exacerbated the situation, with millions of office-based workers suddenly working remotely.
Not only are the attack surfaces larger now, the security threats are more numerous, and the attackers are more sophisticated. Cybersecurity teams are faced with the daunting challenge of verifying every user’s identity, ensuring their devices are uncompromised and the external networks they’re using are secure. Outdated security controls simply can’t keep up with such demands, and when a single authentication gives a nefarious user an all-access pass to corporate data, the consequences can be devastating. Most organizations won’t even detect an attack until well after the damage has been done.
Companies need a way to consistently, reliably and repeatedly verify all users and their activities. And the best way to do that is to abandon the concept of trust altogether. Hence, Zero Trust security.
Defining Zero Trust
Zero Trust isn’t a new concept — the term was first coined by Forrester Research in 2009 and many organizations have been moving in this direction for years. But the need for adoption is accelerating as corporate architecture becomes ever-more distributed.
Just as the name implies, Zero Trust considers everyone and everything to be a threat until proven (and re-proven) innocent. With Zero Trust, identity becomes the core, with more robust methods of repeatedly verifying every user. These can include multifactor authentication (such as entering a password plus another credential, like a verification code sent via text message) that are now familiar to most technology users. But more advanced biometric technologies, including fingerprint and iris readers, and facial recognition software, can remove passwords from the equation and take Zero Trust to the next level.
More strength in security also comes from better visibility of who and what is trying to gain access. Zero Trust uses telemetry to collect information about specific users, devices and applications, and make risk-based access decisions. Furthermore, access can be gated, conditional and timed. For example, based on his identity, a verified user may only be allowed to access a small segment of resources on a need-to-know basis, and for a limited time. Thus, even if a breach does occur, the damage is compartmentalized. This differs dramatically from the traditional approach, which turns over the keys to the kingdom after the first authentication.
Traditional network security is based on Virtual Private Networks or VPN. The VPN is the access point in the castle and moat example. Once authenticated, a remote user is authorized to pass through a firewall and into the corporate network. This model suffers from many challenges including scalability, performance, insecure lateral movement and user experience. But with Zero Trust, we focus on connecting authorized users to specific applications, whether the application is on the corporate network or not.
Security at every step
Beyond just authenticating user identities, Zero Trust takes a comprehensive approach to securing every possible angle of attack. Organizations making a move toward Zero Trust should take these additional aspects into consideration:
- Network access: Today’s employees need to be able to connect to work from anywhere, which often means going through their home network or coffee shop Wi-Fi. Zero Trust assumes those networks have been compromised and takes extra precautions to enable employees to connect securely.
- Information protection: As people increasingly collaborate online with co-workers, customers and business partners, Zero Trust ensures that security travels with the data being shared.
- Intelligent endpoints: With many companies adopting bring-your-own-device policies, maintaining good hygiene on every laptop, phone and tablet becomes a monumental challenge. Zero Trust enables companies to apply more restrictions, control administrator privileges and gain visibility.
- Application security: According to our annual Global Threat Intelligence Report, last year every industry witnessed an increase in application-specific attacks, which now ranks as one of the top attack vectors. As enterprises continue embracing the decentralization of IT and remote work, enterprises must ensure that all applications are sanctioned and comply with their application security governance policies, and in doing so, ensure that the applications are as secure as possible.
Underlying all of this protection is automated monitoring capabilities that are always watching for signs of infiltration, making telemetry-based decisions to shut down suspected attackers with no human intervention required.
Benefits beyond measure
Depending on what report you read, the cost of cybercrime to businesses and economies worldwide ranges from billions to trillions of dollars. But thwarting those attacks can save companies untold fortune by preventing calamitous disruptions, protecting intellectual property and sensitive data, and preserving their public reputation. Needless to say, a more powerful security system can easily pay for itself.
But what does Zero Trust security mean for the employee experience? One might assume that such austerity would create bottlenecks in workflows and deny people the freedom they need to be productive. In fact, it’s just the opposite. For starters, a well-designed Zero Trust model makes life easier for the IT organization. Intelligent automation and password-less authentication mean IT staff can spend less time responding to erroneous threats, patching holes in defenses, and managing endless requests for password resets. The more streamlined approach also allows IT to decrease the number of security products and vendors it uses, reducing complexity and cutting costs.
But the benefits of Zero Trust don’t end with IT — non-technical workers can enjoy a performance boost, as well. While it’s true that heavy-handed, overly restrictive security can be a burden to employees, an expertly implemented Zero Trust system is elegant in its simplicity. With some minor adjustments to their work habits, such as scanning their fingerprints instead of entering passwords, employees often find the new security measures to be faster and easier than before. Like all great digital user interfaces, the sophisticated technologies at work behind the curtain remain all but invisible, giving employees a smooth and satisfying user experience. In the end, that friction-free design not only keeps the company more secure, it improves productivity, enables collaboration and fuels innovation.
The Zero Trust journey takes time to implement well, but as an organization moves forward, it reduces its attack surface and makes it increasingly more difficult for bad actors to infiltrate systems and wreak havoc. Ironically, in the wake of a global crisis, a concept called Zero Trust might just hold the key to building healthier long-term relationships with customers, business partners, and employees.
Find out how NTT DATA is helping to make our clients more secure.
Subscribe to our blog
Sushila has over 25 years of experience in computing infrastructure, business and security, including a decade as a chief information security officer. She has worked in diverse areas across telecommunications and cybersecurity, from risk analysis to credit card fraud to serving as a legal expert witness. An experienced cybersecurity thought leader, she has published numerous articles in the computing press, and presented in global technical events. She plays an active role in supporting best practices and skills development within NTT DATA as well as across the cybersecurity community. Sushila sits on the board of the largest ISACA chapter in the world.