Zero Trust – the real “New Normal”

Calligo’s Chief Information Security Officer, Mark Herridge, has written this blog to discuss why organizations need to adopt a “Zero Trust” approach when it comes to their data security and what steps they need to take to protect their data.

Zero Trust – the real “New Normal”

We all know working practices have changed as a result of COVID-19, lockdowns and a lingering – in some cases, permanent – reluctance to commute into major hubs.

Similarly, much has been reported on the rise of opportunistic COVID-19 security threats, ranging from social engineering tactics such as targeted phishing attacks that seek to prey on users’ ongoing worries about the pandemic to companies straining to quickly enable remote workers.

The repeated success of many of these phishing attacks, largely caused by the vulnerability of domestic networks and user-owned devices, has led to the more forward-thinking IT heads and business owners coming to a powerful realisation: their business needs, including security, depend on a granular understanding of data workflows, not simply the deployment of technology.

After all, the technology-centric approach of focusing on retaining all data within a secure, restricted network has been shown to be unsuitable in these conditions. As soon as workforces left the protection of the ‘Castle & Moat’, data became hard to access, users became more vulnerable and breaches started to appear.

Instead, businesses of all sizes need to focus on what the core requirement of maintaining productivity with a remote workforce – i.e. available data and fluid data workflows – and then establish the protocols to protect it without restricting its accessibility.

So, how do data-centric businesses balance data freedom with security, and protect any worker’s data interactions on any device, on any network, using any app or cloud service?

Zero Trust.

Outside the network, businesses can no longer implicitly trust all users and devices. ‘Zero Trust’ means we need to adopt the mantra ‘trust nothing and verify everything’, remove any assumptions and take a risk-based approach, and importantly, allow security policies to be dynamic and adapt based on insight.

Step 1 – User Trust

The first step in your journey to ‘Zero Trust’ is to establish the right mechanisms to ensure that only valid and authorised users can access your resources and your data.

Assuming a single form of credentials – such as a password – is enough to verify someone’s identity is to have too much trust. The phishing scams mentioned above typically aim to extract password information, and employees do fall for them, especially when working from home. If this is the only method of verification, then networks will be immediately breached

Therefore, deploy Multi-Factor Authentication (MFA) for every user – without exception.

MFA is a critical component of identity and access management (IAM) and is used to verify a user’s identity by requiring multiple credentials. Rather than just asking for a username and password, MFA requires additional credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or even facial recognition.

If your data is held entirely in Microsoft 365, then simply activate the MFA tool within the platform. However, if your data spans multiple services and resources, then consider a third-party MFA tool such as Duo that can be deployed across any device and application and secure all your data sources, with excellent ease of use and adoption.

MFA is essential to an organization’s Zero Trust stance and should be seen as the standard and not an optional extra.

Step 2 – Device Visibility

Again, do not trust the integrity or safety of every device that may be used to access your data.

Visibility informs policy so we need to gather as much information about the endpoints and devices that are being used to access your data and specifically, their security state.

Does the device have a passcode or password? Is it encrypted? Is the Operating System up to date? Does it have anti-virus software installed? Is it a corporate device or the user’s own? The answers to these questions help determine the risk profile of the device.

But it is not only the devices themselves we are concerned with. We also need to understand the trustworthiness of the apps that run on them and ensure they are healthy and aid in the prevention of data leakage.

Only once you can be assured of the status of the device and apps upon it can it be marked as trusted and allowed to be used to access the network.

Step 3 – Adaptive Policies

Once access to the data has been granted, it is important to retain control over how the end user acts with it. We want to ensure that sensitive corporate data is stored and shared appropriately, perhaps that it is not saved to services such as Dropbox, or maybe prevent it being emailed externally.

These are rules and restrictions that depend on a combination of the data types, sources, actions, devices and users, and that will need to adapt to circumstances. For example, a device’s security state is not static and previously secure devices can quickly become insecure. As device health statuses deteriorate or improve, or as data sensitivities rise or fall, or as users’ requirements change, or trust is earned in certain actions, policies will need to adapt to either allow or restrict access – ideally automatically.

The key is risk-based flexibility, combined with a determination to re-establish trust each time access is requested to ensure real-time protection.

Step 4 – Continuous Monitoring

At this point, you are implementing Zero Trust, but just as data, devices, applications and users are ever-changing, so is the threat landscape.

Businesses must continuously monitor the environment and respond to new risk events, and adapt their tolerance of risk for individual actions to maintain ‘Zero Trust’.

As stated by the National Institute of Standards and Technology (NIST) “Zero Trust is the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets, and resources.”

In other words, a data-based approach, not a technology-based one.

How Calligo can help