How to Be a Zero Trust Organization

Breaches and data theft have become all too common. Last year, cybersecurity researchers found a file on the Dark Web containing 1.4 billion username and password combinations that had been collected from sites such as LinkedIn and Netflix, and from popular online games. The file was in plain text, meaning one didn’t need to be a sophisticated cyber-criminal to use it to log into other peoples’ accounts.

That’s frightening. And it gets worse.

According to New York University’s Program on Corporate Compliance and Enforcement, security breaches and hacking are now costing publicly-traded companies billions. A 2018 Ponemon Institute study puts the average cost to a business of a data breach in 2018 at $3.86 million, a year-on-year increase of 6.4%.

The cost of breaches and data theft is high for everyone, and the saying—“There are two types of organizations: those that have been hacked and those that don’t know it yet”—has never been truer. As America’s first cybersecurity czar, Richard Clarke, said all the way back in 2010, “It’s almost impossible to think of a company that hasn’t been hacked.”

Traditionally, companies have attempted to foil attackers and prevent breaches by strengthening their network’s perimeter defenses. However, the growing use of cloud applications – which effectively extends an organization’s network outside its perimeter – combined with the relative ease with which many perimeter defenses, even sophisticated ones, have been breached, means that organizations can no longer count on them. This reality is forcing organizations to re-think their approach to cybersecurity.

In today’s environment, the network can no longer be considered a safe zone. In fact, there is no safe zone. Every asset an organization possesses and every transaction it conducts must be secured as if it were a standalone item continually exposed to the full range of cyber threats. This understanding that perimeter protection alone is not sufficient has increasingly led to the security concept of Zero Trust. Building a secure Zero Trust Organization is based on a never-trust/always-verify approach to all entities and transactions in which multiple solutions work together to secure digital assets. 

The Zero Trust concept was first introduced by Forrester in 2010. Sila, through its extensive work with both government and commercial organizations across a range of industries, has come to understand that for Zero Trust to be effective, security must be applied in an integrated manner at four levels: the user, the application, the data and the network.  

We will explain how to secure those four levels in succeeding articles focused on each level, but first, what does a Zero Trust Organization look like?

The Distinguishing Features of a Zero Trust Organization

In a Zero Trust Organization, there are four levels – the user, the application, the data, and the network – that must be secured, as described in Table 1.

Table 1:

Level Description
User
  • All user identities (including contractors and third-parties)
  • Privileged accounts (including human and system accounts)
Application
  • On-premise and cloud-based applications
  • Servers and databases
  • Devices (both company-issued and self-provisioned)
Data
  • Structured data stored in applications, databases, and other platforms
  • Unstructured data (files and folders), stored on-premise and in the cloud
  • Other sensitive data (e.g. images, real-time sensor outputs, etc.) of business value
Network
  • Corporate network and network perimeter
  • Cloud access points and gateways

In a Zero Trust Organization:

  • Access to services is authenticated, using strong and step-up authentication (in which more critical data is accessed through more rigorous authentication methods) where necessary
  • Applications and data, including unstructured data sources, are separately protected
  • Cloud security is accorded the same importance as on-premise network security
  • Advanced analytics and machine learning are widely used for better detection of threats and breaches

[Figure: Zero Trust primer pyramid showing the four levels (user, application, data, network)]

Creating a Zero Trust Organization is a four-step process:

  1. Establish strong identity governance and authentication
  2. Establish centralized privileged access management
  3. Ensure application security and data governance (including unstructured data)
  4. Develop better network and cloud security

Although these four steps may seem a massive and costly undertaking, not all data and not all business processes are equal, and therefore do not demand equal levels of security. A delivery person’s route, for example, is less important to a business than the personally identifiable information (PII) of the delivery person’s customers.

Establish Strong Identity Governance and Authentication

In a Zero Trust environment—where access to every resource is authenticated—investments in digital identity and its supporting processes play a foundational role. Strong identity governance establishes a repository of trusted identities and validated accesses that informs every other security process.

Authentication, applied to every transaction, is the bedrock of a Zero Trust Organization. Authentication ensures that access is granted only to trusted users and accounts and ensures that the principle of least-privilege is followed. For instance, that delivery person needs to know the customer’s address; he or she does not need to know the customer’s purchase history.

Complex environments require authentication to be escalated with increased risk. For example, an account that can access a critical data repository from corporate headquarters must not be able to access the same data over the internet from a rogue nation state or an airline terminal at two in the morning without additional validation. A Zero Trust architecture automatically recognizes varying levels of risk and deploys risk-based adaptive authentication solutions, such as multi-factor, as appropriate.
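The risk-based step-up logic described above, as an added example that is not from the article or from Sila: a small policy evaluator that scores each access request on where it comes from, when, and how sensitive the resource is, then decides whether the factors already presented are enough, whether the user must step up, or whether the request is refused outright. The trusted networks, expected countries and business hours are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy data (assumptions for this example).
TRUSTED_NETWORKS = {"corp-hq-lan", "corp-vpn"}
EXPECTED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time
DENY_THRESHOLD = 5             # too risky for any step-up to rescue


@dataclass
class AccessRequest:
    user: str
    resource_sensitivity: str   # "low", "standard" or "critical"
    source_network: str         # e.g. "corp-hq-lan" or "internet"
    country: str                # ISO country code of the source geolocation
    hour: int                   # local hour, 0-23
    factors_presented: set      # e.g. {"password"} or {"password", "otp"}


def risk_score(req: AccessRequest) -> int:
    """Add points per risk signal; the total drives the step-up decision."""
    score = 0
    if req.source_network not in TRUSTED_NETWORKS:
        score += 1                       # off the corporate network
    if req.country not in EXPECTED_COUNTRIES:
        score += 2                       # unexpected geolocation
    if req.hour not in BUSINESS_HOURS:
        score += 1                       # e.g. two in the morning
    if req.resource_sensitivity == "critical":
        score += 1                       # critical data needs more rigour
    return score


def required_factors(req: AccessRequest) -> set:
    """Map the risk score to the authentication the request must satisfy."""
    score = risk_score(req)
    if score <= 1:
        return {"password"}                          # ordinary assurance
    if score <= 3:
        return {"password", "otp"}                   # step up to MFA
    return {"password", "otp", "hardware_key"}       # highest assurance


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' or 'deny' for the request."""
    if risk_score(req) >= DENY_THRESHOLD:
        return "deny"
    if required_factors(req) <= req.factors_presented:
        return "allow"
    return "step_up"   # caller prompts for the missing factor(s)
```

A production system would feed the same decision from a device-trust signal and from behavioural baselines rather than fixed tables, but the shape of the policy is the same.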

Establish Centralized Privileged Access Management 

In a Zero Trust Organization, care must also be taken to protect direct access to sensitive and critical data and hosts, and effective governance and lockdown of privileged accounts has heightened importance.

When compromised, privileged accounts can expose sensitive data to theft, allow malware to be installed on devices and on networks, and harm an organization’s operations, financials, and brand value. Forrester estimates that 80 percent of security breaches involve privileged credentials, the majority belonging to the network professionals employed to administer and secure those assets.

In a Zero Trust Organization, effective governance locks down those privileged accounts; they are continually questioned and instantly revocable. Administrative traffic is funneled through a centralized privileged access management system, ensuring the effective implementation of an organization’s cybersecurity policies. Privileged access management represents a “chokepoint of trust” and immediately adds significant value in improving the organization’s security posture.

Protect All Applications and Data

Applications and their data are the lifeblood of digital enterprises. Common application security controls, software assurance, threat modeling and vulnerability management practices protect applications, hosts, databases, and the structured data stored within them, and these controls are applied consistently and comprehensively in a Zero Trust Organization.

However, by most estimates, 80 percent of a typical organization’s data resides outside those applications, in files on network and cloud folders, in enormous and ever-increasing volumes that are difficult to read and manage. Historically, that data has been neglected, exposing it to loss and theft. In addition to restricting access to those files to trusted identities and privileged accounts, other data protection measures are applied that safeguard them from inherent vulnerabilities, exposures and external threats.

Develop Better Network and Cloud Security

Networks connect users, applications and data, and in a Zero Trust Organization the cloud should be treated as part of that network… an increasingly critical one. According to IDG, 90% of companies will have part of their applications or infrastructure in the cloud by 2019 and the remaining 10% by 2021. That includes a great deal of business-critical data.

Traditional perimeter defenses remain important to protect the organization from external attacks, but in a Zero Trust Organization those defenses are augmented by sophisticated network security monitoring and analytics-driven threat detection. Traditional defense-in-depth at the perimeter of the enterprise network is still valuable and necessary, but, in a Zero Trust Organization, protections at the user, application and data level are equally important.

So is cloud security. To protect cloud access, the Zero Trust Organization monitors cloud activity and gateways, and strongly authenticates access.

Achieve Better Protection at Each Level Through Advanced Analytics

Inherent to each of the solutions is the need to achieve better protection through better detection.

Security operations increasingly are using available data for improved detection and to make their infrastructures more resilient. Analytics and machine learning can yield breakthroughs in threat detection and incident response, and significantly improve an enterprise’s overall security posture.

The infrastructure of today’s increasingly digital enterprise is complex and virtually impossible to protect without advanced analytics and machine learning. These tools allow an organization to proactively detect attacks, reducing the time it takes them to respond and recover from breaches. According to the Ponemon Institute’s 2018 report, the average cost of a breach for organizations that fully deploy security automation is $2.88 million; without that automation, the estimated cost is $4.43 million.

Advanced analytics and machine learning need a technical infrastructure that can store and manage large volumes of diverse, real-time and historical security data. The ROI of these infrastructure investments will be realized quickly in many ways, including the reduced number and cost of breaches. And in place of the reputational harm of being breached, organizations will reap the reputational benefit of being known as a more secure organization.

Why Half-Measures Won’t Work

In a Zero Trust Organization, security measures are applied at the user, application, data, and network level, and all are given equal importance. These solutions together enhance overall effectiveness. For example, a foundation of trusted identities can help protect unstructured data sources and inform cloud security measures. Behavior analytics can predict user actions and thereby better protect application, data and network assets. Just as integration is key to business efficiency, Zero Trust Organizations know that only integrated security solutions can protect against today’s complex threat environment.

Zero Trust is an approach to cybersecurity that helps organizations adapt today’s technology environment to the threat landscape, reduce risk, increase security, and lower costs. It is a paradigm shift, but one that does not necessarily require that organizations adopt new, costly, breakthrough technologies. It does, however, encourage them to focus on the right areas to protect themselves in a more comprehensive fashion.

In the next article, we look in more detail at Authentication and Identity Governance.
