“Zero Trust” may seem like a buzzword to some, but it’s a hot topic for a good reason. Most companies inevitably will adopt some form of the security strategy at some point, now that the workforce is evolving to favor remote work and branch offices. This, paired with the explosion of connected devices, can result in a cybersecurity dilemma, and it’s becoming more pressing for companies to make sure employees and their connected devices are using enterprise data securely.
One of the biggest roadblocks to implementing zero trust is the end user. Having employees continually authorize their applications each time they need to access them instead of only logging in once at the start of their day requires a major mindset change. How can enterprises make sure they’re educating their employees and taking the time to make this smooth transition happen?
Breaking Innocent Habits: BYOD Is Part of the Problem
Zero trust is a framework that treats everything in a network infrastructure as untrusted. This means that all devices should be treated with the same level of protection as you would expect for devices outside of the network. Just because devices are connected to a corporate network that requires an initial authentication does not mean they should have unrestricted access to all of the other resources in that same network. Remote work adds another layer of complication, because remote employees don’t always use company-provided devices over a VPN; many applications are reachable from a web browser on any device, and that is exactly where zero trust comes into play.
Enterprises need to establish a security-first, zero trust mindset and culture to be most successful in changing their security framework. Bring-your-own-device (BYOD) practices, where employees are permitted to use their own laptops or smartphones for work purposes, can exacerbate the problem, because this policy lends itself to implicitly trusting a network. Instead, employees should be trained to question the devices they are allowing onto enterprise networks. It’s also important to understand the end goal, that is, what data is being stored and protected in the first place. What is the sensitive, classified information and where is it being stored? Who needs access to it?
Solutions to the Zero Trust Problem
Sometimes, the solution to the problem can be as easy as simplifying your network. One way to do this is network segmentation. If an enterprise has specialized equipment that does not need general network or internet connectivity, it can be segmented into a different network with restrictions placed on connecting to other areas of the infrastructure. For example, the healthcare industry is known for being especially prone to cyberattacks, but hospitals can take steps to avoid this by separating out diagnostic equipment, which typically would not need broad access across the internal infrastructure and internet. On any network, there usually are devices that have full network access when they could be more restricted. By segmenting the internal network so that higher-risk specialized network equipment and IoT devices are not given broader access, enterprises can contain any botnet formation or DDoS attacks coming from these non-standard devices, minimizing the impact on the entire network. With zero trust, organizations can ensure that non-trusted devices (or devices that don’t need access to company financials, for example) can’t leak out sensitive information via DNS.
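To make the segmentation idea concrete, here is an added example (not code from the article) that models a default-deny segment policy and evaluates a handful of constructed flows against it. The segment names, address ranges, the internal resolver at 10.10.0.53 and the allow-list are all assumptions chosen for illustration; the point it shows is that an IoT or diagnostic device gets only the few flows it needs, and a direct DNS query from such a device to the internet is denied rather than implicitly trusted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment map (hypothetical addressing). Order matters: the /32
# for the internal resolver is listed first so it wins over the "corp" range.
SEGMENTS = {
    "resolver":   ipaddress.ip_network("10.10.0.53/32"),  # internal DNS resolver
    "corp":       ipaddress.ip_network("10.10.0.0/16"),   # staff laptops
    "finance":    ipaddress.ip_network("10.20.0.0/24"),   # company financials
    "diagnostic": ipaddress.ip_network("10.30.0.0/24"),   # hospital diagnostic gear
    "iot":        ipaddress.ip_network("10.40.0.0/24"),   # cameras, sensors, etc.
}

# Default-deny allow-list: source segment -> {(destination segment, proto, port)}.
# Anything not listed here is denied. (Constructed policy, not a recommendation
# for any particular site.)
ALLOW = {
    "corp":       {("finance", "tcp", 443), ("internet", "tcp", 443),
                   ("resolver", "udp", 53)},
    "finance":    {("resolver", "udp", 53)},
    "diagnostic": {("corp", "tcp", 443)},      # only reports to an internal server
    "iot":        {("resolver", "udp", 53)},   # name lookups via the internal resolver only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its segment; public addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for a flow under the default-deny policy."""
    src_seg = segment_of(flow.src)
    dst_seg = segment_of(flow.dst)
    rule = (dst_seg, flow.proto, flow.dport)
    if rule in ALLOW.get(src_seg, set()):
        return True, f"{src_seg} -> {dst_seg} {flow.proto}/{flow.dport} permitted"
    return False, f"{src_seg} -> {dst_seg} {flow.proto}/{flow.dport} denied by default"


# Constructed sample flows, including the "leak via DNS" case from the text.
FLOWS = [
    Flow("10.10.5.4", "10.20.0.10", "tcp", 443),     # laptop -> finance app
    Flow("10.40.0.7", "10.20.0.10", "tcp", 443),     # IoT camera -> finance app
    Flow("10.40.0.7", "8.8.8.8", "udp", 53),         # IoT camera -> public DNS
    Flow("10.40.0.7", "10.10.0.53", "udp", 53),      # IoT camera -> internal resolver
    Flow("10.30.0.2", "93.184.216.34", "tcp", 443),  # diagnostic gear -> internet
    Flow("10.30.0.2", "10.10.0.53", "udp", 53),      # diagnostic gear -> resolver (not needed)
]


def audit(flows) -> list[tuple[Flow, bool, str]]:
    """Evaluate every flow and return the verdicts for review or logging."""
    return [(f, *evaluate(f)) for f in flows]


def denied_count(flows) -> int:
    return sum(1 for _, allowed, _ in audit(flows) if not allowed)


if __name__ == "__main__":
    for flow, allowed, reason in audit(FLOWS):
        print("ALLOW" if allowed else "DENY ", reason)
```

In practice the same allow-list would be expressed as firewall or VLAN ACL rules at the segment boundary; keeping a machine-readable copy like this one makes it easy to test proposed flows before they are deployed and to review which devices still hold broader access than they need.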
Two-factor authentication (2FA) can be another layer. Typical systems and applications rely on a username and password and accept the correct login credentials as the core requirements for access. The problem occurs when an authenticated user’s system has been compromised. With 2FA, even when the login credentials are correct, there is a second challenge required before the user is granted access. This is often another physical device that the user is in control of (usually an application on a cellphone). Even if an attacker has compromised a user’s credentials, when they attempt to access the system or application, the “real” user still has to answer the challenge correctly, and can instead deny the attacker access.
Real change starts with end users; after all, there’s no point in implementing different security strategies if your own employees aren’t exercising their due diligence. By creating a security-first mindset and work culture, and using more technical solutions such as network segmentation and 2FA, organizations can ensure they are on the right path to successfully implementing zero trust.