The COVID-19 pandemic has had a massive impact on how organizations interact with their employees, partners, and customers — one of the biggest changes being the abrupt shift to remote work following movement restrictions. According to Pew Research Center, about 70 percent of employees whose jobs can be done remotely were working from home all or most of the time. And most of these telecommuters, and even their employers, are new to the idea of remote work.
The problem with remote work is that it drastically expands the cyberattack surface, introducing new cybersecurity risks that many organizations are unprepared to tackle. In 2020, during the height of the pandemic and remote work, cyberattack incidents skyrocketed across all industries. CrowdStrike's 2021 Global Threat Report shows a dramatic increase in interactive (hands-on-keyboard) intrusion activity throughout the year. Other reports paint the same picture — a worrying spike in malware, social engineering, and ransomware attacks. The main reason for this is the security challenges brought about by remote work.
The role of trust in cybersecurity
Many security experts and analysts cite low threat awareness, rapid digitization, and inadequate security measures as the main reasons for the threats facing remote work. And yes, these are all part of the big picture. But if you look deeper, you’ll find that remote work itself is not to blame for the rampant cybercrime. The truth is, organizations have put too much trust in their employees, third-party partners, and customers at a time when they shouldn’t. Remote work only exposes this oversight and turns it into a critical vulnerability.
More than 80 percent of data breaches in 2020 involved a human element. This includes insider threats, negligence, and honest mistakes by trusted individuals who already held some level of access to the affected systems.
In cybersecurity, trust basically determines who or which devices have access to protected digital assets. But do you trust that every incoming account login attempt is legitimate or that every device connected to your network should be there? With employees working from home, trust plays an even bigger role in mitigating risks because you never know who could be on the other end of a user account or device.
Misplaced trust can be dangerous and costly. Today, the most effective solution to the trust problem is adopting a Zero Trust security framework.
What is Zero Trust?
Like the name suggests, Zero Trust is a defensive security architecture that trusts no one and nothing unless verified. It follows one simple rule, "never trust, always verify," in place of the older "trust but verify."
The Zero Trust security model was created in 2010 by John Kindervag, a renowned cybersecurity expert, during his tenure as a vice president and principal analyst at Forrester Research. Since then, the concept has been widely popularized by leading tech and security companies and adopted as the basis of security frameworks in countless organizations, including the US federal government.
Kindervag realized that implicit trust was a gaping security vulnerability and designed this new data protection approach to eliminate it. The conventional, perimeter-based architecture falsely assumes that everything inside an organization's network can be trusted. This "broken trust model" also implies that devices and user identities are not compromised and that users can be trusted to act responsibly, which is not always true, least of all with employees working from home on networks and devices the organization does not control.
The principles and technologies behind Zero Trust
Zero Trust does not change the trustworthiness of a system, device, or user; instead, it removes implicit trust as a basis for access decisions altogether, so that every request is evaluated on its own evidence. It does this by leveraging a number of techniques and technologies, such as:
1. Preventing lateral movement within a network
Part of the Zero Trust architecture is designed to stop threats in their tracks. Preventing lateral movement means creating barriers between the key segments of the same network. If a threat manages to enter the network through one node, segmented access contains it there instead of letting it spread to other systems. There are two main ways you can do this:
• Microsegmentation
Microsegmentation is a sort of divide-and-conquer network security approach. It’s the practice of breaking up large perimeters into smaller independently secured zones. Doing this maintains separate access and protection on different parts of a network. That means entities assigned to one zone may not cross over to other zones.
• Least-privilege access
Least-privilege access is a common Zero Trust security principle. This is where an organization grants the least possible access permissions to a device or user based on the resources they need to complete a job. For instance, an accountant has no business accessing customer information and should therefore have no right to view or manipulate such data. And the same goes for devices, software applications, and web services.
2. Real-time device access control and monitoring
A big part of Zero Trust relies on maintaining continuous, real-time visibility into a network and its connections. In fact, device discovery and access protection form the very core of the Zero Trust architecture. Zero Trust requires that all devices trying to access or already connected to a network be monitored constantly and re-authenticated repeatedly, so a device that falls out of compliance mid-session loses access rather than keeping it until the next login. Usually, this calls for intelligent network monitoring systems that distinguish legitimate users from impostors through behavioural analysis.
3. Multi-factor authentication (MFA)
The traditional username-password sign-on doesn't cut it in the Zero Trust security model. Multi-factor authentication is the safer and more scrutinizing method for granting user access. It requires at least two independent pieces of evidence to verify a user's identity: typically something they know (a password or PIN) combined with something they have (a hardware token or enrolled phone) or something they are (a biometric). Signals such as location and behaviour can be added on top, but they supplement the factors rather than replace them.
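The three mechanisms above are easiest to see as one per-request access decision. The following is an added example, not code from the original article or from IBM: a small Python policy decision point in which every request is checked against segment reachability (microsegmentation), a role-to-resource map (least privilege), the device's current posture, and the session's MFA state, and is denied unless every check passes. The zone, role, resource and device names are constructed for illustration.

```python
# Added example, not code from the original article or from IBM: a minimal
# Zero Trust policy decision point that applies microsegmentation, least
# privilege, continuous device posture and MFA checks to every request and
# denies by default. All names below are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Dict, List, Set

@dataclass(frozen=True)
class Device:
    device_id: str
    zone: str            # network segment the device connects from
    managed: bool        # enrolled in device management
    disk_encrypted: bool
    os_patched: bool

@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool   # second factor completed for this session
    device: Device

@dataclass(frozen=True)
class Resource:
    name: str
    zone: str            # segment the resource lives in

# Microsegmentation: which source zones may reach which resource zones.
# Remote (VPN) users never reach the data tier directly.
ZONE_REACHABILITY: Dict[str, Set[str]] = {
    "finance": {"finance"},
    "support": {"support"},
    "data": {"data"},
    "home_vpn": {"finance", "support"},
}

# Least privilege: each role gets only the resources and actions its job needs.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "accountant": {"ledger": {"read", "write"}, "payroll": {"read"}},
    "support": {"crm": {"read"}},
    "dba": {"customer_db": {"read", "write"}},
}

def evaluate(session: Session, resource: Resource, action: str) -> List[str]:
    """Return the reasons to deny this request; an empty list means allow.
    Nothing is cached between calls: identity, device posture and segment
    boundaries are re-checked on every request ("always verify")."""
    reasons: List[str] = []
    dev = session.device
    # 1. Microsegmentation: may this source zone reach the resource's zone?
    if resource.zone not in ZONE_REACHABILITY.get(dev.zone, set()):
        reasons.append(f"zone {dev.zone!r} may not reach zone {resource.zone!r}")
    # 2. Least privilege: does the role hold this action on this resource?
    permitted = ROLE_PERMISSIONS.get(session.role, {}).get(resource.name, set())
    if action not in permitted:
        reasons.append(f"role {session.role!r} has no {action!r} on {resource.name!r}")
    # 3. Device posture, checked per request rather than once at login.
    if not (dev.managed and dev.disk_encrypted and dev.os_patched):
        reasons.append(f"device {dev.device_id!r} fails posture check")
    # 4. MFA: a password alone never grants access.
    if not session.mfa_verified:
        reasons.append("second factor not verified")
    return reasons

def is_allowed(session: Session, resource: Resource, action: str) -> bool:
    """Default deny: allow only when no check produced a reason."""
    return not evaluate(session, resource, action)

# Constructed scenario: an accountant working from home on a compliant laptop.
LAPTOP = Device("LT-0042", "home_vpn", managed=True, disk_encrypted=True, os_patched=True)
ALICE = Session("alice", "accountant", mfa_verified=True, device=LAPTOP)
LEDGER = Resource("ledger", "finance")
CUSTOMER_DB = Resource("customer_db", "data")

def demo() -> Dict[str, bool]:
    """Decisions for the situations described in the article."""
    return {
        # The accountant's own job is allowed.
        "accountant_writes_ledger": is_allowed(ALICE, LEDGER, "write"),
        # Customer data: wrong zone for a VPN user and no right for the role,
        # so the request fails two independent checks.
        "accountant_reads_customer_db": is_allowed(ALICE, CUSTOMER_DB, "read"),
        # The laptop drops out of compliance mid-session; the next request
        # is denied without anyone having to revoke it manually.
        "unpatched_device": is_allowed(
            replace(ALICE, device=replace(LAPTOP, os_patched=False)), LEDGER, "write"),
        # A stolen password without the second factor is worthless.
        "password_only": is_allowed(replace(ALICE, mfa_verified=False), LEDGER, "read"),
    }

if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:30} {'ALLOW' if allowed else 'DENY'}")
    for reason in evaluate(ALICE, CUSTOMER_DB, "read"):
        print("  deny reason:", reason)
```

Run as a script, it prints ALLOW for the accountant writing the ledger and DENY for the other three scenarios, followed by the two deny reasons for the customer database request. Returning every failed check rather than stopping at the first is deliberate: a request that trips both the segmentation and the least-privilege rule at once is exactly the kind of signal the monitoring described in the next section should record, and in a real deployment the deny reasons would be the log lines fed to it.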
Getting started with Zero Trust
Implementing a Zero Trust security model begins with a plan. Simply throwing technologies such as MFA and microsegmentation into the security framework won’t do much if you don’t have a solid strategy to achieve Zero Trust. Plus, every organization has a unique IT footprint that determines how they define trust. Start by auditing your entire IT infrastructure and developing ways to enforce the idea that nothing and no one should be trusted unless verified.
Remember, the goal of Zero Trust is to be as granular as possible. You may not achieve total Zero Trust throughout the organization, but what’s important is to focus on the areas that really matter. These are:
- Access management
- Device and user discovery
- Network visibility
- Identity verification
- Privilege control
Also, challenges with compliance and legacy systems might stand in the way of realizing a 100 percent Zero Trust security framework. But that's not a problem as long as all the critical access points and scenarios are sufficiently covered with robust Zero Trust measures.
Adopting a Zero Trust security strategy might seem complicated and challenging, but it’s relatively simple when working with the right security partner and solutions. The IBM Security Zero Trust service is a great place to start. You can deploy IBM’s robust solutions based on your security priorities, such as cloud security, insider threats protection, and hybrid work safety. And the good news is, we can help you plan the best security approach and implement all the relevant solutions to support a practical Zero Trust policy for your organization.