A cybersecurity incident has occurred at your company. What do you picture in your mind as the threat? Few would imagine at least 1,000 very skilled and capable engineers — bad actors — joining forces to attack your software supply chain and add malicious code to an update.
According to Microsoft, that unfathomable scenario was the case with the SolarWinds hack, an orchestrated effort backed by a foreign government that penetrated thousands of organizations around the world, including several U.S. federal agencies, and led to a series of data breaches. “This is the largest and most sophisticated sort of operation that we have seen,” Brad Smith, president of Microsoft, said in his testimony to Congress.
What’s more, the SolarWinds attack involved many more TTPs (tactics, techniques and procedures) to achieve the depth and breadth of the breach. What it teaches us is that, to prevent such attacks in the future, companies must adopt a Zero Trust mindset.
“Zero Trust is a proactive mindset,” explains Vasu Jakkal, corporate vice president for security, compliance, and identity at Microsoft. “When every employee at a company assumes attackers are going to land at some point, they model threats and implement mitigations to ensure that any potential exploit can’t expand. The value of defense-in-depth is that security is built into key areas an actor might try to break, beginning at the code level and extending to all systems in an end-to-end way.”
Let’s break this down and explore how to find out whether Zero Trust is right for your company in this age of highly sophisticated, government-sponsored attacks.
Excess of Access
I want to begin with what being a “hard target” really means when it comes to designing security architecture that is in line with access operations.
The most fundamental thing to consider is who in your organization should have access to company resources and who should not. Ask yourself, “What requirements for validation am I accepting before I allow access to critical data?”
Within a given role, there are many applications, systems, and data with which a user will ultimately interact. These different architectures and locations do have their own built-in security, but they are not ultimately responsible for protecting the data. In the majority of cases, responsibility for data lifecycle management rests with the company.
Zero Trust is a business-first concept. Inherently, the company must place a high value on security and build that resilience into its culture as well as its architecture. Information and access lifecycle management require responsive automation systems that not only provide least privileged access to users without impeding proper elevation procedures, but also protect administrators from giving an “excess of access.”
Is Zero Trust for Me?
Whether Zero Trust is right for your company is not a simple yes-or-no question. There are categorical benefits and improvements to next-generation architecture supporting Zero Trust that should first be considered. Let’s take them one by one:
Data Awareness:
Governance, private, and intellectual property data are among the most critical to understand and classify: where your data is moving to, and which access should be stopped in its tracks. A company’s management should have visibility into risk, based on real-time data, so it can proactively decide to prevent potentially risky access.
Adaptive Risk and Threat Assessment:
The most essential component of Zero Trust is real-time correlation of multiple factors at the time of access. This has the added benefit of gathering data for artificial intelligence (AI) or machine learning (ML) components that can review a given type of access request and correlate it with a particular threat, such as bots or password spraying.
Attribute-based API Integrations:
Designing security based on context makes attribute-based APIs a requirement. There are critical differences, derived from keystrokes, actions, and potential insider-threat activity, that only become truly apparent when you have visibility into a given session at a per-action level. This allows for a crawl/walk/run approach: start with user coaching and training, then maximize your investment by ensuring full coverage and, with it, maturity.
Identity Strategy:
Managing identities properly — from access to privilege — and ensuring proper governance have the greatest impact on the user experience and on proactive security measures. Given an organization’s shifting employee, customer, and vendor relationships, as well as internal- versus external-facing access, this is often undervalued, considering that credentials are what is most often breached.
Automation:
Improve security response and lower operational overhead by exchanging data and attributes among platforms, applications, and security controls. Instead of countless lists of procedures to enable or disable access or licensing, automation becomes a foundational component of Zero Trust, further enabled by low-code/no-code tooling.
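The adaptive risk assessment described above, as an added illustration that is not from the article or any vendor product: a toy policy function correlates several signals at request time (device compliance, MFA state, resource sensitivity, and a password-spray indicator derived from constructed auth log lines) into an allow, step-up or deny decision. All field names, weights and thresholds are assumptions chosen for the example.

```python
"""Added example (not from the article): a toy Zero Trust access decision that
correlates several signals at request time, including a password-spray
indicator computed from constructed sample auth events."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample auth events: (source_ip, username, outcome).
# One source failing against many distinct accounts is the spray pattern.
SAMPLE_AUTH_LOG = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "fail"),
    ("203.0.113.7", "dave", "fail"),
    ("198.51.100.2", "alice", "success"),
]


def spraying_sources(events, min_distinct_users=3):
    """Return source IPs whose failed logins span many distinct accounts."""
    failed = defaultdict(set)
    for ip, user, outcome in events:
        if outcome == "fail":
            failed[ip].add(user)
    return {ip for ip, users in failed.items() if len(users) >= min_distinct_users}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    device_compliant: bool
    mfa_passed: bool
    resource_sensitivity: str  # "public", "internal" or "restricted" (assumed labels)


def decide(req, events=SAMPLE_AUTH_LOG):
    """Correlate threat, device, identity and data signals into one decision.
    Returns (decision, reasons) where decision is 'allow', 'step-up' or 'deny'."""
    score, reasons = 0, []
    if req.source_ip in spraying_sources(events):
        score += 3; reasons.append("source seen password spraying")
    if not req.device_compliant:
        score += 2; reasons.append("device not compliant")
    if not req.mfa_passed:
        score += 1; reasons.append("no MFA on this session")
    score += {"public": 0, "internal": 1, "restricted": 2}[req.resource_sensitivity]
    if score >= 4:                       # e.g. non-compliant device on restricted data
        return "deny", reasons
    if score >= 2 and not req.mfa_passed:  # elevated risk is answered with step-up MFA
        return "step-up", reasons
    return "allow", reasons
```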
Moving to Zero Trust
The future of security architecture is this: resilient architectures that enable end-to-end protection for our most vulnerable assets by ensuring least privileged access and real-time risk assessment. Opting not to maintain legacy architectures can save companies more than 70% in some cases, with a comparable reduction in the number of tools.
Are we moving forward and taking advantage of the capabilities that cloud and API connectivity with real-time analytics afford us? Or, are we making the decision to remain within a legacy architecture that costs more to support, is nowhere near as resilient, and saw its maximum value cashed out 15+ years ago?
The first step is making Zero Trust a priority. Much like we did during the days of transitioning to the cloud and digital transformation, it’s time for the next standard of security: Never trust, always verify.