Every step you take in your organization’s zero trust journey reduces your risk of downtime, data breaches and compliance failures, so the time to start implementing it is now, says Bryan Patton. Here he explores why so many organizations are moving to zero trust and how to take your first steps.
Data breach costs have rocketed since the COVID-19 outbreak as businesses abruptly transitioned to remote working cloud-based solutions only to discover their security schemes often lagged behind this rapid technological change – but zero trust security could provide some light at the end of this dark tunnel.
The average cost of a single data breach incident has reached $4.24 million this year, according to a recent IBM report – the highest amount in the 17 year history of the report, and a 10 percent increase on 2020.
Costs rose 19 percent higher than the average for companies undertaking a cloud migration project when hit by a data breach, but the report also reveals a potential solution in the form of zero trust security. Companies which adopted an effective zero trust approach suffered an average data breach of $3.28 million, but this was $1.76 million lower than those that had failed to implement it.
Understandably, everyone is talking about zero trust these days. Microsoft recently announced that it is adopting a zero trust model, and the NSA has issued guidance to help other organizations implement it too.
Zero trust is not a whiz-bang new set of technology, and neither is it a magic-bullet product that you can purchase from Microsoft or some other vendor. It is also not a defined checklist of actions to take, nor a specific procedure you can copy from a website and follow step by step.
Rather, zero trust is a security model for IT environments, which has many different components: user workstations, servers, applications, databases, network devices, and, of course, users.
All this technology and data is no good to anyone if it is completely walled off from the people who need it. That is why one of the central challenges facing any IT team is to ensure that each person can see and use the data, applications, and other resources that they require to do their job but without allowing anyone more access than they need. This also has to be achieved without creating a system that is too onerous to actually allow users to get work done.
A good security model lays out a set of system design principles, controls, and processes for ensuring the so-called CIA Triad, which means the confidentiality, integrity, and availability of your IT assets. With a security model in place, you can design an IT architecture that delivers on your security goals while maintaining user productivity.
Zero trust is not the first or only security model. It builds upon a long history of IT security models.
The pressing reason for adopting it – apart from the shocking figures highlighted above – is that securing an IT environment has become harder over the years. In the past, ‘workstation’ meant a corporate-owned PC with a specific set of applications installed; and connecting to the corporate network required getting through not just the front door of the business but then the door to an office with a suitable PC and a physical connection to the network. Therefore, security models were built around fortifying the perimeter to keep attackers out.
The advent of laptops and then full-on bring your own device (BYOD) along with the necessity to work remotely thanks to the pandemic has changed everything.
Now, users routinely connect to corporate networks remotely using devices that IT has little control over — increasing the chances that attackers will be able to get into the network. Moreover, perimeter-based security ignores the reality of malicious insiders eager to access data, applications, and other resources they should not, as well as negligent or poorly trained employees who can cause just as much damage.
Examples are all too easy to come by. In September 2020, Yevgeniy Nikulin was sentenced to 88 months in prison for hacking into LinkedIn and other companies. From his location in Moscow, Nikulin breached a computer belonging to a LinkedIn employee in the Bay Area and installed software that enabled him to control the machine remotely and use the employee’s credentials to access LinkedIn’s corporate VPN.
Once inside the network, he was able to steal a database containing the credentials of nearly 170 million LinkedIn users — at least 6.5 million of which were published on an underground password forum.
The breach was costly for LinkedIn: In addition to the bill for the services of some 100 engineers who worked for at least six weeks to remedy the problem, it suffered criticism when the world learned that the IDs were originally sourced from a breach in 2012 and then found on sale in 2016. It turned out that the business-focused social network had reset the accounts of a fraction of those affected, not realising the scale of the breach until four years later when it finally reset accounts on a much larger scale. It is now facing ongoing legal expenses to get the password dump taken down.
As incidents like the LinkedIn attack multiplied, organizations were forced to expand their security focus to include the threat of compromised credentials. After all, once an attacker steals a user’s credentials through phishing or other techniques, they have access to the user’s workstation and often can run software that captures the credentials of other accounts. Service and administrator accounts are especially valuable because they enable the attacker to traverse the infrastructure horizontally and vertically and access sensitive data and applications.
To help thwart these types of attacks, Microsoft introduced a reference architecture and best practices called the Enhanced Security Admin Environment (ESAE) — better known by its nickname, Red Forest. This reduces the risk of highly privileged accounts being compromised by separating accounts into three tiers, each with appropriate levels of security protocols.
Tier 0 includes all accounts that have direct or indirect administrative control over the active directory forest, domains or domain controllers and the assets therein. Those accounts are protected by multifactor authentication, as well as best practices like training admins to use privileged accounts only for tasks that require them, and not for things like checking social media or even Microsoft TechNet.
Adopting ESAE does help organizations reduce risk — but this architecture can be very complex and costly to implement. Moreover, it is not a security model, it is just an architecture for protecting on-prem Windows Server Active Directory administrative accounts.
With organizations around the world eagerly embracing the cloud and moving to hybrid IT infrastructures, Microsoft now recommends Red Forest for a limited set of scenarios, such as offline research labs, industrial control systems, and other situations where the need for strong security outweighs the increased complexity and operational cost of the ESAE solution. For everyone else, it recommends a modern privileged access strategy as part of a broader zero trust approach.
It takes only a glance at the headlines to realise it is not wise to assume that anyone who has got past your gates is trustworthy and allow them to wander through your IT ecosystem as they please. In a zero trust network no user, service or other element gets a free pass. Instead, continuous verification is required: real-time information from multiple sources is used to make access decisions and other system responses.
The model does not deny the importance of a strong perimeter. However, it assumes that breaches are inevitable and malicious forces might well be inside your network already. No user or service should be trusted implicitly, and you should be actively looking for anomalous or malicious activity. Implementing a zero trust model can be the difference between suffering a limited hack with insignificant damage or a major incident in which you lose terabytes of critical and regulated data.
One way to see whether this model will add value for your organization is to conduct a thorough audit of your identities, permissions, networks, devices, and applications. Make a list of all the vulnerabilities you find, including overprivileged users, zombie accounts, unpatched devices, and instances of shadow IT.
Adopting a zero trust mindset can help you develop a comprehensive plan for closing those security gaps and build a solid security strategy for the future.
It is essential to understand that zero trust, like any security model, is not something you implement and check off your list, like painting your kitchen. It is more like maintaining and improving your home - an ongoing process that involves a wide range of processes and technologies.
There are however proven frameworks that will help you on your journey. In particular, Microsoft’s rapid modernization plan (RAMP) is designed to help you quickly adopt its recommended privileged access strategy. The goal is to apply the principle of least-privilege to every access decision, allowing or denying access to resources based on the combination of multiple contextual factors, and not just a single earlier authentication. To provide maximum benefit, zero trust principles must permeate most aspects of the IT ecosystem.
Implementing a zero trust model is not an iron-clad guarantee that you will never suffer a serious security incident and the process involves not just effort and expense but risk, since it puts guardrails and speed bumps in place that could slow down business processes and otherwise cut into user productivity.
However, the increase in security is priceless. While continuing with your existing security measures is the easiest path, it is not the wisest option. Every step you take in your zero trust journey reduces your risk of downtime, data breaches and compliance failures, so the time to start implementing it is now.