Trust no one: how the pandemic sharpened the need for zero-trust security

This year’s pandemic has quickened the transition to a new cybersecurity model. Its mantra is simple: trust no one. In the world of zero-trust security, all users and devices are potential enemies until proven otherwise.

Zero-trust security is a rigorous approach to security built for a new era of cloud-based access and mobile work. It promises to save homeworkers from a range of modern threats, but don’t expect to implement it overnight.

Security teams traditionally relied on perimeter network defenses to protect their applications and data. Networks had a hardened outer shell built from firewall devices that security teams hoped would stop attackers from getting in.

As organizations moved to mobile work, the concept of the perimeter made less sense. Instead, security teams refocused their attention on protecting applications and data individually, wherever they resided.

Adaptive, identity-based security

This trend laid the foundations for what would become the zero-trust security movement. “Zero trust, in its pure form, is about saying that I don’t automatically trust the device or user,” explains Etienne Greeff, Group CTO at Orange Cyberdefense.

Zero-trust architectures do not automatically connect devices, even if they are using a trusted MAC or IP address. Users must prove themselves repeatedly to access the resources they need, whether working from home or in the office. They do this through an application-layer access control plane that acts as a gatekeeper, shielding all company assets until it verifies access.

That verification is identity-based, making identity and access management the most critical part of a zero-trust architecture. Multifactor authentication using hardware security keys or biometrics is an increasingly common component for secure verification in modern environments.

Privilege-based access is another fundamental tenet of the zero-trust model. The zero-trust system authorizes cautiously, on a least-privilege basis. Users get only the access privileges they need and no more. This calls for a role-based access control (RBAC) model, which uses each user’s or device’s role as a reference when determining their access level.

So, instead of blanket trust, users must verify themselves when accessing each separate application and storage resource from home. But why do they have to keep doing it? It’s because zero-trust architectures adapt access decisions based on usage context.

Zero-trust security asks for more than just user IDs to grant access. It decides a session’s access privileges based on several context-sensitive data elements, including the application the user is accessing and the device they are using. These parameters help the access control layer apply security policies to authorize that particular session against predefined risk models.

Zero trust

How the pandemic accelerated everything

The move away from perimeter-based models to zero trust has been gradual and incremental, but things escalated in 2020.

“COVID changed things quite a bit,” says Orange Cyberdefense Netherlands CTO Peter Mesker. “Around 80% of the workforce is working from home offices, using just one consumer Internet line.” Suddenly, IT departments had to support untrusted connections from untrusted machines using untrusted networks.

This development expanded organizations’ attack surfaces overnight. Attackers no longer needed to reach the inner sanctum by finding open ports or misconfigured firewall rules. They launched a variety of phishing and malware attacks to target remote workers.

Companies responded by implementing virtual private networks (VPNs) to encrypt and manage the connections between home networks and corporate systems. VPNs offer some protection for authorized remote users and managed devices by tunneling inside the perimeter, but they have their shortcomings. They still rely on trusted devices, so an attacker compromising the device can exploit that trust, intercepting traffic or impersonating the user on the network.

Aware of this, attackers began directly targeting known vulnerabilities in VPNs. This prompted the UK’s National Cyber Security Centre to warn about attacks aimed at homeworkers.

Laying the foundations for zero-trust security

While VPNs still have their place as a layer of defense, zero-trust security offers a valuable way to close these gaps in user security. If an attacker compromises a homeworker’s endpoint or VPN, they can’t use it to gain access to your network automatically.

Zero trust’s more secure model led Gartner to predict that 60% of enterprises will phase out most of their remote access VPNs in favor of zero-trust technology by 2023. However, implementing this architecture takes some heavy lifting.

Zero-trust adopters no longer rely on a perimeter to protect everything, meaning that they must identify all assets in the organization that they want to preserve and build interfaces between them and the access control layer.

Security teams must also deploy monitoring technology to watch all assets’ underlying communication patterns. This will help them gather the data necessary for that context-based verification.

None of this works without basic security measures such as encryption. Implementation teams should ensure that they encrypt assets at multiple levels of the technology stack. Encryption of network-level traffic is a must, and companies should also encrypt their data at a file and record level for extra protection. This supports data security policies, ensuring that only the right people get to see decrypted information.

Network redesign

Now is also the time to consider an internal network organization. The biggest flaw of perimeter-based network security was its internal openness. Attackers that breached the firewall could often move freely around the internal network because no one thought to create any internal walls. Zero-trust practitioners fix this via micro-segmentation. This compartmentalizes the company network, demanding that users, devices and applications reauthenticate themselves each time they traverse a boundary.

“This is a new way of working, and it will remain in place,” predicts Mesker. “People most likely will never come back to the office five days a week.” The need to support long-term changes in working practices has shone a light on this valuable new approach to securing our applications and data.

Read this blog SASE: the future of network and network security architectures or learn more about how enterprise networks can cope with the new normal.