Implementing the Zero Trust Model

There are two types of companies, as the old(ish) saying goes: There are those who have been breached and those who have been breached and don’t know it yet.

Cyberthreats are some of the most significant and challenging issues facing the world today. With advanced technologies propelling the world into an increasingly digital space and hackers more motivated than ever, large corporations, small businesses, government agencies and other organizations struggle to erect effective cybersecurity defenses, and cybercriminals are taking advantage.

From the personal information of nearly every U.S. voter being leaked, to the Social Security numbers of more than a hundred million Americans being stolen, to a slew of retail businesses unintentionally exposing untold amounts of your financial data, it’s clear cybersecurity is in a precarious state. Take the 2017 Equifax breach, for example. Cybercriminals penetrated Equifax, one of the largest credit bureaus, and stole the personal data of 147.9 million people. The company said that an application vulnerability on one of their websites led to the data breach.

For years, cybersecurity has focused on the legacy “castle-and-moat” approach, which aims to secure the perimeter and the user. The advent of BYOD, mobile users, cloud computing and API-accessible systems has blurred those definitions. At the same time, privileged users with access to large numbers of systems and/or high-value information have become an obvious point of attack, and their identities and credentials are under constant threat. Given these realities, keeping malware out of the enterprise environment is often a losing battle.

CSOs and CISOs consequently ask themselves: If we cannot keep the bad guys out, how do we operate securely in our enterprise environment, or at least limit the amount of data that can be accessed?

Enter Zero Trust

The Zero Trust model keeps traditional perimeter and endpoint security in place but adds a much stronger focus on securing the identity of users and securing the data itself, both in transit and at rest.

The Zero Trust model is a concept rooted in the belief that an organization should never trust anything, whether inside or outside its perimeter, and instead must always verify anything seeking to connect to its systems before granting access.

The evolution from the legacy castle-and-moat approach to that of the Zero Trust model stems from the ever-increasing threat that breaches pose. Consider these statistics from the “2017 Verizon Data Breach Investigations Report”:

  • There has been a 404 percent increase in stolen credentials since 2013, from 278 million to more than one billion.
  • 81 percent of all successful reported breaches involved the use of compromised credentials.
  • Ransomware attacks are on the rise, ranking 22nd on the list of attack types in 2014, and increasing to the fifth most common attack in 2017.
  • 98 percent of all POS attacks reported resulted in a confirmed data breach.

Additionally, the “2017 Cybercrime Report” from Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. And the “2017 Cost of Data Breach Study,” conducted by the Ponemon Institute and IBM, revealed that the global average cost of a data breach is $3.62 million and that the average size of data breaches increased 1.8 percent to more than 24,000 records.

These statistics highlight the importance of securing a user’s identity and the data they access. Securing those aspects protects the keys to the kingdom, so to speak. Malware and bad actors focus on identity information and, by proxy, on using that identity to impersonate valid users, reach the data those users are allowed to access, and either exfiltrate it or, in the case of ransomware attacks, encrypt it in place.

Recognizing that existing approaches aren’t doing enough, security professionals and organizational executives are consistently finding that the Zero Trust model delivers the best results.

Why Zero Trust?

Because some of the most egregious data breaches occurred when hackers, once past an organization’s firewalls, were able to move freely through internal systems. Rather than trying to fend off each possible attack, implementing a Zero Trust architecture is significantly more practical and successful than fighting to stay current on a list of emerging threats.

Zero Trust leverages microsegmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to particular data.

How to Implement Zero Trust

To implement a Zero Trust model, corporations extend their endpoint and perimeter defenses with data security and identity security, including multifactor authentication (MFA), identity access management (IAM), privileged access management (PAM), cloud access security brokers (CASB), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task, and requiring verified authorization (typically using a service desk application) before granting access to systems.

If you assume, for example, that you cannot prevent spearphishing (and therefore cannot inherently trust a user’s identity), then you must implement access management controls that 1) prompt for a user’s ID and password, 2) verify that user via multifactor authentication, 3) validate that the user is authorized to access that particular system at that particular moment in time to perform that particular task (governance), and 4) constantly monitor the behavior of that user to look for anomalies.
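The four controls above, combined into a single policy decision, as an added example that is not part of the original article or of any product it mentions. The user, system, task, time window, baseline and anomaly threshold are constructed assumptions; the approval stands in for the service-desk authorization the text describes, and denial is the default whenever any one control fails.

```python
from collections import namedtuple
from datetime import datetime, timezone

# A service-desk approval granting one task on one system during a time window,
# and one access attempt carrying the outcomes of steps 1 and 2.
Approval = namedtuple("Approval", "user system task not_before not_after")
Request = namedtuple("Request", "user system task password_ok mfa_ok country device at")

# Constructed sample data (assumption): one approved change window and one user baseline.
UTC = timezone.utc
APPROVALS = [Approval("alice", "payroll-db", "rotate-keys",
                      datetime(2024, 5, 6, 9, 0, tzinfo=UTC),
                      datetime(2024, 5, 6, 11, 0, tzinfo=UTC))]
BASELINES = {"alice": {"countries": {"US"}, "devices": {"laptop-01"}}}

def anomaly_score(req, baseline):
    """Step 4: how far this request departs from the user's observed behaviour."""
    score = 0
    if req.country not in baseline["countries"]:
        score += 2                       # an unseen geography weighs most
    if req.device not in baseline["devices"]:
        score += 1                       # an unseen device is a weaker signal
    return score

def decide(req, approvals=APPROVALS, baselines=BASELINES, max_score=2):
    """Return (allowed, reason). Every control must pass; denial is the default."""
    if not req.password_ok:                                   # step 1: credentials
        return False, "credentials rejected"
    if not req.mfa_ok:                                        # step 2: MFA
        return False, "MFA not satisfied"
    if not any(a.user == req.user and a.system == req.system and a.task == req.task
               and a.not_before <= req.at <= a.not_after for a in approvals):
        return False, "no approved authorization for this system, task and time"  # step 3
    score = anomaly_score(req, baselines.get(req.user, {"countries": set(), "devices": set()}))
    if score >= max_score:                                    # step 4: behaviour
        return False, f"behaviour anomalous (score {score})"
    return True, "allowed"

def sample_request(hour=10, country="US", device="laptop-01", mfa_ok=True, password_ok=True):
    """Build alice's request against the sample system at the given UTC hour."""
    return Request("alice", "payroll-db", "rotate-keys", password_ok, mfa_ok,
                   country, device, datetime(2024, 5, 6, hour, 0, tzinfo=UTC))
```

Re-running `decide` on each subsequent action in the session, with a fresh anomaly score, is what turns step 4 from a one-time gate into the continuous monitoring the text calls for.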

Developing a Zero Trust environment isn’t just about putting these individual technologies into effect. It’s about using these and other technologies to enforce the notion that no one and nothing has access until they’ve proven they should be trusted.

Data breaches are not going away, and as the threat of cyberattacks continues to increase, we need to transform how security is managed. Organizations ought to pursue the Zero Trust model as part of their overall transformation strategy, implementing the technologies that can help them achieve Zero Trust as they move more to the cloud, thus retiring outdated legacy systems.

Cameron Williams

Cameron Williams is the founder and CTO of OverWatchID.