Zero Trust: Need to know 2.0
Advances in technology continue to connect us in more incredible ways each day. Services that once seemed relegated to the world of science fiction, like virtual doctor visits, are now commonplace. Many of these innovations owe their existence to the internet and the seemingly limitless ways we connect to it through a multitude of devices.
While the internet has undoubtedly made our lives easier and more productive, it also leaves us open to attack by cybercriminals. A few grim statistics highlight the magnitude of the problem. For example, in the United States, over one-third of consumers were affected by data breaches in 2020. Over 30,000 websites are hacked each day, and 78% of all organizations experienced a cyber-attack in the last year.
These numbers may come as a shock, but thankfully there are ways to help prevent you from becoming a statistic. One of the best methods cybersecurity professionals recommend is called Zero Trust.
What is Zero Trust?
The idea of Zero Trust in computer networks was first introduced in 1994 by Stephen Paul Marsh. In his doctoral thesis, Formalising Trust as a Computational Concept, Marsh laid the groundwork for what the concept would become. What we think of today as Zero Trust is primarily credited to cybersecurity expert John Kindervag. While working for Forrester Research, Kindervag identified a flaw in how computer networks operated, which he believed needed to change.
The established industry model was built on the idea that if a user or device was on an organization's network, it should be trusted. Zero Trust is the opposite of this idea. A Zero Trust network constantly verifies permissions and authorizations of users and devices, even those within the network.
A modern hospital can serve as a good analogy. Imagine a hospital with a security guard at the front door. All workers at the hospital have a badge, and once the security guard sees the badge, the worker can go anywhere in the hospital they like. This means that someone on the cleaning staff could easily access the controlled substance medication locker, a potentially dangerous situation.
If the same hospital were designed with Zero Trust, checking badges at the door would only be the beginning. Workers would have to present their badges at multiple locations throughout the facility. Guards would patrol the halls and randomly ask for workers’ credentials. Doors would all have coded locks on them, making it very difficult for anyone to enter an area they were not authorized to be in. Essentially, no one would be trusted, and the hospital would be more secure.
If Zero Trust is not implemented, organizations expose themselves to significant damage. Data breaches in 2020 had an average cost of $3.86 million. Recent studies show only 5% of most companies' computer folders are adequately protected. An alarming 80% of IT security leaders and executives believe their organizations lack adequate protection from cyberattacks. Without Zero Trust, these deficiencies are an easy target for hackers.
The bottom line is that organizations with computer networks built outside of Zero Trust risk substantial financial losses. A few historical examples of networks without Zero Trust will serve to highlight the danger. The cost of repairing systems affected by the Melissa Virus in 1999 was $80 million. The 2011 attack on Sony's PlayStation Network stole the personal information, including credit cards, of over 77 million users. Finally, the Marriott hotel chain discovered that an attacker had stolen the data of 339 million guests, resulting in a fine from the British Government of £18.4 million. It is expensive to be vulnerable.
The best defense is Zero Trust, which gives users and devices minimal, controlled access. Network designers are looking to implement several automated control measures as they build Zero Trust systems. Some of these measures include the following.
- Continuous Monitoring and Validation: This requires logins with automatic time-outs and assumes attackers can originate from outside and inside the network.
- Least Privilege: This is giving each user only the access they need. No more, no less.
- Device Access Control: Here, the network limits what devices can connect to it and monitors what authorized devices are doing. The system will also test the devices to make sure they are not compromised.
- Microsegmentation: This is basically compartmentalizing the areas of access. Security zones are set up around small areas of access to avoid significant breaches.
- Preventing Lateral Movement: If a network allows lateral movement, attackers who breach the system can move to other areas of the network. Without lateral movement, this becomes very difficult.
- Multi-Factor Authentication: This aspect of Zero Trust means users and devices need more than one way to verify their authorization to use the network or portions of the network.
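The measures above can be combined into a single per-request decision, shown here using the hospital analogy. This is an added example, not code from the original article; the roles, device names, segments and the 15-minute time-out are all constructed assumptions.

```python
from dataclasses import dataclass

SESSION_TIMEOUT_S = 900  # assumed 15-minute re-validation window

# Least privilege + microsegmentation: each role is granted specific
# resources inside specific segments and nothing else (constructed policy).
GRANTS = {
    "pharmacist": {("pharmacy", "medication_locker"), ("pharmacy", "dispensing_log")},
    "cleaner": {("facilities", "supply_closet")},
}
ALLOWED_DEVICES = {"ws-pharm-01", "tablet-fac-07"}  # constructed device inventory

@dataclass
class Request:
    user_role: str
    device_id: str
    device_healthy: bool   # result of a device health test (not compromised)
    mfa_passed: bool
    session_age_s: int     # seconds since the last successful validation
    segment: str
    resource: str

def authorize(req: Request):
    """Check every request; being 'inside the network' grants nothing."""
    if req.session_age_s > SESSION_TIMEOUT_S:
        return False, "session timed out: re-authenticate"
    if not req.mfa_passed:
        return False, "multi-factor authentication required"
    if req.device_id not in ALLOWED_DEVICES:
        return False, "device not authorized"
    if not req.device_healthy:
        return False, "device failed health check"
    # A grant is tied to one segment, so a valid login elsewhere does not
    # carry over: this is what blocks lateral movement.
    if (req.segment, req.resource) not in GRANTS.get(req.user_role, set()):
        return False, "not granted to role (least privilege)"
    return True, "allowed"

def demo():
    fresh = dict(device_healthy=True, mfa_passed=True, session_age_s=60)
    locker = dict(segment="pharmacy", resource="medication_locker")
    return [
        authorize(Request("pharmacist", "ws-pharm-01", **fresh, **locker)),
        authorize(Request("cleaner", "tablet-fac-07", **fresh, **locker)),
        authorize(Request("pharmacist", "ws-pharm-01", True, True, 3600, **locker)),
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The cleaner's badge and tablet are both valid, yet the medication locker request is still refused because no grant covers it; the pharmacist is refused too once the session is older than the time-out.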
Why is Zero Trust important?
Adopting a Zero Trust system into your computer network or organization is your best protection against cyberattacks. Users on the system can still benefit from sharing information while also minimizing the damage caused if there is a cyberattack. Modern threats originate from external and internal sources. Zero Trust recognizes this reality and helps to mitigate the danger. Trust is important, but the automated checks and balances in the system acknowledge that trust can be misplaced.
As data continues to move more into the digital world, we must recognize that this move is a double-edged sword without proper protections. Zero Trust offers us a way to benefit from digitizing data without overexposing our personal information to hackers. With Zero Trust implemented, many companies are seeing significant decreases in IT spending and damages from cyberattacks. A recent study showed companies with Zero Trust networks had 50% fewer breaches and spent 40% less on technology. These numbers suggest the importance of adopting Zero Trust if your organization has yet to make the move.
Our world is rapidly moving towards technology. While there are countless advantages to this progress, we must also recognize the dangers. Cybercriminals can originate from both internal and external sources in just about every organization. Zero Trust is by far the best defense network designers have to protect us while we move further into a future where all data is digital and accessible for trusted users.