Organisations have reached a profound level of dependency upon Information Technology, so much so that the ability to control security risks is incredibly demanding and complex. Device usage in 2020 has increased almost 70% in only two months, and in the scramble to ensure that corporate networks are capable, was enough done to ensure they are also secure?
During the pandemic rush to expand the capacity of remote licences, Zoom/Teams accounts, and email exchange, little time was allowed to review and strengthen security policies. Organisations now sit in a state of complacency, having achieved complete remote mobilisation of the workforce, yet as a result there are more targets for attackers to exploit. While organisations may have achieved in two months what would have taken two years, it seems the ‘new normal’ is to keep pushing the boundary, with a cyber attack happening every 39 seconds and the average data breach costing $3.92 million.
Traditionally, Information Technology has relied upon heavily layered approaches to security to create complexity for an attacker, when what is really needed is complexity that accommodates budgeting. A policy defined by inimitable conditions, constantly interacting and monitoring, and simplistic for the end-user; that is the key.
What is Zero Trust?
Zero Trust is a policy that has been around since the start of networks. It is a simple policy that implies a “deny by default” approach in an effort to limit access to highly confidential information. Thanks to cloud-based technology, Zero Trust has been reinforced with state-of-the-art encryption and redundancy techniques. The policy is based on three principles that consequently are incredibly difficult for an attacker to imitate.
These are the three principles of the Zero Trust policy:
- Verify Explicitly
Requires multiple points of verification of a device and/or individual before allowing access. This method relies on conditional access checks such as a unique identifier (MAC address or IMEI number), login credentials implementing multi-factor authentication, a pre-installed security certificate, the security state of the device and even GPS location data. The GPS location data provides continuous validation once a session has been granted access to ensure sessions are not hijacked.
- Least Privileged
The least privileged method stipulates user access control that is strictly limited to what the user requires. By only allowing a user access to what they need, it limits the extent of a breach should one ever occur. This method also allows for simpler segregation not just on a policy level, but in the physical infrastructure. Access can be easily modified on-the-fly and even during an open session.
- Assume Breach
This method is the systematic response by Zero Trust infrastructure to any access or device that is not defined in the whitelist or is not registered as a part of the network to be trusted. By default, any interaction or access to a network is denied, strictly limiting the number of potential weak points for an attacker.
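The three principles can be combined into a single deny-by-default access decision. The sketch below is an added example, not code from any vendor product; the device registry, grants, region list and all names in it are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed sample data (assumptions): device registry, per-user grants, allowed regions.
REGISTERED_DEVICES = {"device-001": "alice", "device-002": "bob"}
GRANTS = {"alice": {"payroll-db", "hr-portal"}, "bob": {"hr-portal"}}
ALLOWED_REGIONS = {"AU"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str          # unique identifier, e.g. MAC address or IMEI
    mfa_passed: bool        # multi-factor authentication completed
    cert_valid: bool        # pre-installed security certificate verified
    device_compliant: bool  # security state of the device
    region: str             # coarse location derived from GPS data
    resource: str


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    # Assume breach: a device not registered to this user is never trusted.
    if REGISTERED_DEVICES.get(req.device_id) != req.user:
        return False, "device not registered to user"
    # Verification: every conditional access signal must pass, not just one.
    checks = [
        (req.mfa_passed, "MFA not completed"),
        (req.cert_valid, "device certificate invalid"),
        (req.device_compliant, "device not compliant"),
        (req.region in ALLOWED_REGIONS, "location outside allowed regions"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    # Least privilege: only resources explicitly granted to the user.
    if req.resource not in GRANTS.get(req.user, set()):
        return False, "resource not granted"
    return True, "all checks passed"


def revalidate(req: AccessRequest, new_region: str) -> tuple[bool, str]:
    """Continuous validation: re-run the full policy when session location changes."""
    return evaluate(replace(req, region=new_region))
```

Because `evaluate` reads `GRANTS` on every call, removing a grant takes effect at the next re-evaluation of an open session.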
Should I use Zero Trust?
With attacks becoming so prevalent in all industries and across all devices, the key to this uphill battle does not necessarily lie in extensive security measures. Zero Trust not only takes a preventative approach, it also prepares organisations for a reactive response due to the simplicity of segregation. With cloud-based user access control, devices can be instantaneously barred from networks, helping to limit the extent of an attack. Organisations must take an approach that addresses both pre- and post-attack: an infrastructure that has the ability to defend, even when the battle seems to be lost. A Zero Trust policy is simple to implement with the right foundations. Try out the Microsoft Zero Trust Assessment Tool to see where your organisation stands and what you need to implement it.
The last thing organisations should do is lift the foot off the pedal in these trying times because “success breeds complacency. Complacency breeds failure…” – Andy Grove.
How we can help
InConsult is committed to helping organisations become more resilient to cyber risks. We have extensive experience in risk management, cyber security, crisis management, business continuity, emergency management, disaster management and pandemic planning.
If you would like to know more about our cyber risk services, contact us to discuss your needs.