We’ve all seen the movie in which the heroes plot to gain access to the closely-guarded fortress or bank vault to purloin valuables, or to nullify some of the defences in order to allow a larger force of attackers to enter. Exciting stuff, but the lesson is clear: placing too much faith in perimeter defences is risky.
The Trojan Horse is just one example of how devastating the penetration of a secure perimeter defence wall can be.
We have to recognise that the traditional corporate network uses this “castle-and-moat” structure and, as a result, suffers from similar vulnerabilities. Two factors have increased this vulnerability. One, the threat from cyber criminals has been steadily growing more acute and has now become endemic, with most CIOs accepting that a breach of their network defences is a certainty rather than a possibility.
The statistics tell it all. Here are just two: worldwide, cyber crime costs will hit $6 trillion annually by this year, according to Cybersecurity Ventures, with 68% of business leaders feeling their cyber security risks are increasing, according to Accenture.
The second factor is that the business model of most organisations has changed. The old-style castle-and-moat network mirrored a corporate structure that was largely geographically stable. No longer, especially since the COVID lockdowns, which have radically accelerated the digitalisation of business processes in the name of enabling anywhere / anytime work styles.
It is entirely logical that network typologies and security thinking alike need to change in order to reflect these realities. The truth is that traditional network security thinking is too trusting. It’s largely based on passwords as a means of authentication, and once the password has been verified, the default is to open up the network to that user − but what if that user is not who you think he or she is?
People use the same passwords time and again because there are too many to remember, and they are frequently compromised, usually via sophisticated phishing − phishing accounts for more than 80% of reported security incidents and 95% of cyber security breaches are caused by human error.
Many CIOs and CISOs are daunted by Zero Trust, which they see as both expensive and disruptive.
Stated simply, networks must be as open and accessible as possible in order to enable collaborative and anywhere / anytime work styles, but also resilient enough to withstand persistent and well-resourced attacks.
Zero Trust was conceived by Forrester alum John Kindervag as far back as 2009, to solve this challenge. It has been gaining traction ever since as a way to improve an organisation’s security posture. At the core of the philosophy is the dictum that trust equates to vulnerability, and that trust must be continuously assessed. This applies to insiders and outsiders.
Getting smarter
As its name suggests, Zero Trust shifts the default position of any security architecture from trust to mistrust. But it also needs to be able to shift to trust as needed to enable work to proceed, otherwise it will kill the organisation in the name of keeping it safe. This flexibility is achieved by making the process of authentication much smarter. Within Zero Trust, a password is not enough − the authentication process is supplemented by data relating to the device being used, the time and date, geolocation, historical usage patterns and device posture.
For example, if John A habitually accesses the SAP system from an Android device within Johannesburg in order to approve purchase orders, when a user purporting to be him logs in from Singapore on an Apple device and wants to do something quite different on the system, then it’s clear that the user should not be trusted until his identify is properly verified.
From this example, one can see the importance of context as well. A user’s access should be governed by the requirements of the job he is currently performing. Two key principles of Zero Trust are the need for access to the network to be much more stringently granted, and that access to specific assets on the network should be related to the job being performed.
The latter limits the ability of attackers who do gain access to move laterally across the network. These hackers often take months of surreptitious movement to scope out the network to establish its vulnerabilities and the location of its most valuable data in order to mount a successful operation, be it outright theft or ransom.
Gartner wisely advises organisations to begin their Zero Trust journey with two projects related to their networks, and in line with the two principles noted above. The first of these is Zero Trust network access and the other is identity-based segmentation.
Many CIOs and CISOs are daunted by Zero Trust, which they see as both expensive and disruptive. Rather, however, they should acknowledge that Zero Trust is a journey and should be implemented incrementally in conjunction with an effective change management programme to shift users’ understanding of what security actually means.