Zero Trust – better to be safe than sorry

by Mark Rowe

Every user can pose a security risk, says Rashid Ali, Enterprise Solutions Manager at cyber-security firm WALLIX.

A data breach making headline news no longer comes as a shock to many of us. However, it does reinforce the message that protecting data, and knowing exactly who has access to it and when, is fundamental, especially in light of GDPR and other regulations, as a spotlight is starting to be shone on businesses that are not compliant. So how can organisations implement a policy that will enable them to do just that?

The challenge is that cyberattacks come in all shapes and sizes, yet an astonishing number of data breaches (more than 80%, according to the Forrester PIM Wave 2018 Report) are still accomplished through misuse of privileges. Organisations need visibility not only of all the data and where it is stored, but also of who has access – from employees and contractors through to third-party suppliers. Applying a Zero Trust model will enable organisations to take steps to achieve this.

As naming goes, Zero Trust is what it says on the tin. No one is trusted implicitly when it comes to identity, access and data. In terms of cybersecurity, organisations should trust no one to have full and complete access to all the company data, no matter how senior. That’s not to say, of course, that users should never be granted privileged access to network resources, as that would be unworkable. Rather, a security scheme should be in place that constantly requires users not only to prove who they are, but also to prove that they have both the need and the authorisation to access sensitive resources before entry is granted. Other security paradigms have, to date, assumed that activity is legitimate until proven otherwise, but it’s better to be safe than sorry.

With a holistic Zero Trust system, the assumption is that no activity is legitimate by default. Everything requires proof to the contrary before privileged access to sensitive resources is allowed. Zero Trust demands equal-opportunity verification of credentials, identity, and permissions. It’s important to note that Zero Trust does not assume that all users are bad actors; rather, it simply requires that “proof positive” be provided to confirm that the access is authorised.

Every business wants to do well, and in today’s changing landscape maintaining competitiveness and profitability is tougher than ever before. Everyone you work with is a potential security risk, even if they do not know it: from employees, partners, vendors, suppliers and subcontractors, to logistics and supply chain contacts. The reality is that no organisation, whether large or small, is immune to data breaches, and every sector, from finance and government through to manufacturing and retail, needs to safeguard data. No organisation wants to be the next headline and, as the Capital One data breach showed, the financial impact can be in the millions, and this doesn’t even include the lost credibility and the impact on reputation.

The risk from this type of data breach is on the rise, with the latest Verizon Data Breach Investigations Report (DBIR) confirming the breadth of the problem and showing an increase in privileged misuse. While in some cases this can be deliberate, with employees causing harm, privileged credentials can also be unknowingly stolen by cyber criminals – meaning even the most trusted employees can cause harm, for example by simply clicking on a malicious link. Looking back at the Capital One data breach, it was a misconfigured firewall which allowed hackers to steal the details of privileged users, giving them access to bank account numbers, social security numbers and credit card applications. With a Zero Trust model this threat can be eliminated.

Unfortunately, the threat from privileged misuse is not going away anytime soon, and with the almost overnight transition to a 100% remote workforce due to the pandemic, the threat will only have heightened. We are already seeing industry reports confirm a rise in cyber-attacks, and with users working remotely, new employees starting virtually, furlough schedules and contract workers filling any gaps, it is imperative that organisations maintain data security. Not deploying Zero Trust measures could have very real implications, like a remote employee not using a secure connection, or using an unapproved memory stick which accidentally invites malware into the system.

Through a Zero Trust model organisations can combat both external and insider threats, not only safeguarding the business from financial and reputational damage but also giving employees the peace of mind to continue to work freely, without the worry that they will unknowingly cause damage.

With a privileged access management platform that follows the Zero Trust model, organisations will not only be able to verify access based on the user, but can also bolster security by taking into consideration other requirements such as the time of day and location of the user – flagging anything out of the ordinary. This allows organisations to create their own filters, giving employees the freedom to continue working, with access to the data they need, when they need it, but under an added security net.

Simply giving all users complete blanket access to data is negligent, and cyber criminals will look for ways to exploit this. Organisations are now accountable and have a duty to protect customer data, so it is imperative that businesses start to bolster their security against privileged misuse.

© 2024 Professional Security Magazine. All rights reserved.
