For decades, information security practices have been built around the basic concept of "implied trust" - the idea that users and devices operating within the network can be trusted. It has become a terribly flawed concept.
Risky behaviors by assumed trusted insiders have led to an exponential increase in cyber threats. Cybersecurity Insiders’ research suggests that more than 60 percent of organizations faced an insider threat in the last year, while 75 percent said they have never felt more susceptible to these kinds of threats than they do right now.
Because of these factors, organizations are turning to a zero-trust security concept, assuming everything and everyone accessing your network is a threat until proven otherwise. Zero-trust implementations doubled last year, and 97 percent of organizations plan to have one in place within the next 18 months, according to Okta’s 2022 State of Zero-Trust Security Report.
Zero trust assumes everyone and everything accessing network resources is a threat until their identity has been verified and validated. It also enforces the principle of least privilege access — once verified, users are granted only the minimum amount of access necessary to perform their job functions.
It’s important to keep in mind that zero trust is not a technology product, but a framework for using a variety of solutions to enforce continuous verification of all users and devices. The framework does require some specific technologies, implemented across the following five distinct pillars, as described by the federal government’s Cybersecurity and Infrastructure Security Agency (CISA):
Identity
It’s estimated that four of every five data breaches are the result of compromised credentials. A zero-trust environment enforces least-privilege access principles that ensure users are limited to only the data and systems access necessary for their jobs. Recommendations include using identity and access management (IAM) and privileged access management (PAM) solutions that bundle user provisioning, password management, strong authentication, single sign-on and other technologies into comprehensive platforms.
Devices
Businesses commonly support thousands of network-connected devices, but poor visibility into the endpoint environment makes it difficult to verify device security. Asset management solutions allow administrators to see which devices are connecting to the network and ensure that those devices have the latest firmware and operating system patches and comply with security policies.
Networks
Network segmentation limits risk by breaking up the network into smaller, isolated parts to prevent ransomware and other malware from propagating throughout the network. Organizations should also consider using automated threat detection solutions that use machine learning and advanced analytics to actively hunt for threats and disrupt them in advance of an attack.
Applications
All applications should be inventoried, catalogued and scanned regularly to find and fix any vulnerabilities. They must also be authenticated based on user identity, location, data classification and other characteristics before being allowed to access data on a least-privilege basis. Security testing should also be integrated into the application development and deployment process.
Data
With increased reliance upon mobile, remote and cloud computing, critical data can be widely dispersed across a variety of networks, devices and applications. To protect all that data, organizations should identify, categorize and inventory their data assets, establish least-privilege access controls and encrypt all data at rest or in transit.
Since the beginning of the computer age, security solutions and processes have been designed to create a secure network perimeter. While external threats still represent a very real danger, organizations must do more to confront risks from within. Contact the cybersecurity professionals at GDS to learn more about implementing a comprehensive zero-trust framework to protect your critical digital assets.