Why Should Enterprises Move to a Zero-Trust Model?
This blog was originally published by Unbound Security.
Written by Lior Levy, Unbound Security.
Refer to Unbound Security's webinar on November 18, 2021 for more information about the security of cryptographic keys, which is discussed later in this blog.
The introduction of new norms such as remote work and bring your own device (BYOD), together with the compounding growth in digital cloud-based assets, has further complicated the enterprise space and, consequently, enterprise security. Traditional perimeter security, which tends to focus on safeguards at the entrance of a privately owned network to secure it from hackers, is no longer an effective barrier, as advanced threats continue to increase and circumvent network security. It is now critical to implement a strategy that is multilayered and able to secure your networks, as well as your data in case of a breach.
Some of the most reliable mechanisms used to achieve data protection are encryption and zero-trust, and organizations should consider integrating both to maximize enterprise security. However, even though most organizations already have an encryption mechanism in place, zero-trust architecture is yet to be wholly adopted as most organizations only adopt a few concepts. This post will look at various reasons why organizations should consider a move to the zero-trust model.
What Is Zero-Trust and Zero-Trust Architecture?
Zero-trust is a security concept that changes enterprise security from “trust but verify” to “never trust, always verify.” The security model eschews the castle and moat concept implemented by legacy security structures to operate on the basis that no one, outside or inside the perimeter, can be trusted.
Think of a house that was secured by locking the main door. Zero-trust ensures that all other doors within the house are also locked, and if a user needs to access a specific room, they only have the key to that room and not to the other rooms they don’t need.
A Zero-Trust Architecture (ZTA) ensures that everyone who tries to access enterprise resources is verified using a comprehensive set of variables – such as the user’s location, the device used (and how secure it is), and the requested service. The access is then governed by the principle of least privilege (PoLP), such that users can only access the resources that their role allows them to, and that access is limited to a certain amount of time.
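The access decision described above, as an added example that is not from the original post or from any Unbound Security product. The role table, allowed countries, 15-minute lifetime and the "step-up" outcome (asking for stronger verification instead of a flat yes or no) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy data (assumptions): role -> services that role is entitled to.
ROLE_SERVICES = {"payroll-clerk": {"payroll-db"}, "developer": {"git", "ci"}}
ALLOWED_COUNTRIES = {"US", "DE"}
GRANT_TTL = timedelta(minutes=15)

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    country: str          # user's location
    device_patched: bool  # device posture
    disk_encrypted: bool
    service: str          # requested service

@dataclass(frozen=True)
class Grant:
    user: str
    service: str
    expires: datetime

def decide(req: Request, now: datetime):
    """Evaluate every request on its own signals; being 'inside' earns nothing."""
    # Least privilege: the role must be entitled to this specific service.
    if req.service not in ROLE_SERVICES.get(req.role, set()):
        return "deny", None
    # An insecure device is refused even when the user and role are valid.
    if not (req.device_patched and req.disk_encrypted):
        return "deny", None
    # Weak identity proof or unexpected location: ask for more, do not allow.
    if not req.mfa_passed or req.country not in ALLOWED_COUNTRIES:
        return "step-up", None
    # Access is scoped to one service and expires on its own.
    return "allow", Grant(req.user, req.service, now + GRANT_TTL)

def grant_valid(grant: Grant, service: str, now: datetime) -> bool:
    """A grant works only for the service it names and only until it expires."""
    return grant.service == service and now < grant.expires
```
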
The Security Benefits of the Zero-Trust Model for Enterprises
Zero-trust is quickly growing as a security model, and there are several reasons why your organization should adopt it.
Physical Boundaries No Longer Exist
Some years back, an enterprise could be confident after securing enterprise networks and corporate data centers. However, the introduction of virtual machines, cloud computing, Internet of Things (IoT), and remote working has made the enterprise perimeter indefinable. Digital assets are now scattered across multiple on-prem and public cloud IT environments.
Zero-Trust shifts attention from the physical boundaries and secures access to enterprise resources across all devices. Regardless of how a user wants to access enterprise data, they can do so if they meet certain identity verification criteria and have the necessary privileges.
Insider Threat Is Ever-Growing
Insider threats are rising, and Forrester predicts that the trend will continue with an 8% increase in 2021. These threats are posed by employee or contractor negligence, criminal and malicious insiders, and credential theft. In the case of the latter, hackers can operate undetected within the system and move laterally without raising the alarm.
To counter insider threats, zero-trust implements a robust identity verification method that is non-binary (not simply access granted or denied) and then restricts user privileges according to the role of the user. This way, even if the credentials are compromised, the hacker is restricted to a certain segment of the system. Zero-trust can also build a ‘trusted behavior’ profile for each user and notify security personnel if a user behaves unexpectedly.
The Ransomware Menace Still Continues
Ransomware has grown to be a huge cause of concern in the security industry, and cybersecurity researchers observed that the number of ransomware attacks surged by 93% in the first half of 2021, compared to 2020. And with the threat looking to be on a steep upward trajectory, it’s important to reduce the impact that a ransomware attack can have on your organization.
Zero-trust achieves this by treating the identity of each user, application, machine, and data stream as its own independent ‘perimeter.’ This allows the implementation of a granular access policy such that even in the event hackers gain access to the organizational network, ransomware is effectively blocked from traversing between IT and OT systems.
The Need to Protect Cryptographic Keys
The security of cryptographic keys determines the security of all encrypted data and cryptographic services, as exposure can result in a breach. Due to the growing number of breaches, cryptographic keys can no longer be entrusted to a single entity, as a compromise would lead to disastrous outcomes. If an attacker gains access to an encryption key, they can decrypt all data secured with that key. Likewise, if they manage to access an organization’s code signing keys, they can use them to carry out malicious signing, something that recently happened to SolarWinds.
Implementing a zero-trust model in key management requires a system that can prevent key theft as well as key misuse. This can be achieved by implementing a zero-trust technique such as multiparty computation where no single party is entrusted with the key. Rather, it is shared between two or more devices such that there’s no single point of failure. If a key is needed in a code signing process, multiple devices can be required to approve the cryptographic operation.
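An added sketch, not Unbound Security's code or product design, of the multi-device approval described above: a toy RSA key whose private exponent is split additively, so a valid signature exists only when both devices contribute. The key size, the trusted-dealer split, the unpadded RSA, and the `Device` and `co_sign` names are assumptions for illustration; production MPC generates the shares jointly so the full key never exists in one place.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes keep the numbers short. Not a secure size.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)

def deal_shares():
    """Split d into two additive shares with d1 + d2 = d (mod phi).
    Assumption: a trusted dealer does this once and then discards d."""
    d = pow(E, -1, PHI)
    d1 = secrets.randbelow(PHI)
    return d1, (d - d1) % PHI

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

class Device:
    """Hypothetical signing device: holds one share and its own approval rule."""
    def __init__(self, share, approve):
        self._share = share
        self._approve = approve

    def partial_sign(self, message: bytes):
        if not self._approve(message):
            return None  # refusal: no partial signature leaves the device
        return pow(digest(message), self._share, N)

def co_sign(message: bytes, devices):
    """Multiply partial signatures: m^d1 * m^d2 = m^d (mod N).
    Fails closed if any device withholds approval."""
    sig = 1
    for dev in devices:
        part = dev.partial_sign(message)
        if part is None:
            return None
        sig = (sig * part) % N
    return sig

def verify(message: bytes, sig) -> bool:
    """Ordinary RSA verification; the verifier cannot tell the key was split."""
    return sig is not None and pow(sig, E, N) == digest(message)
```

A single device's partial signature does not verify on its own, so stealing one share or compromising one device is not enough to sign.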
The webinar “Cloud First Cryptography and Virtualization. Securing Fragmented Data.” gives more information about the security of cryptographic keys. Watch live on November 18, 2021, or view the on-demand recording.
The Need for Compliance
Industry and government regulations are ever increasing, and every organization that deals with sensitive data needs to ensure compliance. The first step to doing so is reducing the compliance scope as it shrinks the audit scope.
Zero-trust helps achieve this as it builds micro-perimeters and micro-segments that restrict users and applications. This is further enhanced by the never-trust, always-verify method of verification and the fact that users only have access to the services they need, and only for the period they need them. Such a model greatly minimizes the threat landscape and prevents lateral movement.
Zero-Trust for Today and The Future
72% of respondents in a 2021 global survey stated that they have plans to adopt zero-trust or are in the process of doing so. The huge shift to the security model is due to the realization that walling off is no longer an effective strategy as you can no longer define the perimeter.
Zero-trust allows organizations to adopt a security model that can support emerging trends and build flexibility for the future while at the same time enhancing security and compliance. The organization can then have control over the access and activities of all machines, users, and applications, while being able to detect and immediately respond to imminent threats.
About the Author
Lior is the Director of Solution Architecture at Unbound Security. Lior has 20+ years of experience in information security, working with the largest financial institutions and other enterprises worldwide, handling pre-sales, product management, solution architecture and enablement.