Four Ways to Achieve a Zero Trust Security Model
Put 2019 in the record books — for cybercrime, that is.
According to Risk Based Security, a global leader in vulnerability intelligence, breach data and risk ratings, 2019 was on track to be “the worst year on record” for cybercrime. We’ve seen this to be true in the near constant headlines of ransomware, viruses, trojans and phishing incidents wreaking havoc on businesses of all sizes. These attacks are not only increasing in frequency, but in revenue impact and sophistication.
Last spring, ransomware attacks on the data networks in Baltimore, pioneered by a brand new strain of ransomware called RobbinHood, resulted in network downtime costing at least $18.2 million in lost revenue. This is far from a blip on the radar. Juniper Research found that cybercrime has already produced $2 trillion — with a “T” — in damages and it estimates that number with reach $6 trillion by 2021.
All this bad press has translated into difficult conversations between customers and IT professionals — whether you do it all yourself or enlist the help of a Cloud Service Provider (CSP). The fact is, if you are an IT developer, buyer, or someone who can be impacted by cybercrime (which is basically all of us), having a cursory understanding of data security is a requisite part of the job. Otherwise, you risk putting yourself, or your company, in harm’s way.
Preparing for 2020
The first step to resolving this problem is admitting it exists — and that’s what many organizations are doing as they prepare for cybercrime in 2020. Our capabilities to defend against cybercrime are improving as organizations spend more on security and advance and focus their strategies. One such strategy is called “Zero Trust,” which incorporates technology, services, people, and processes into a cohesive approach that includes multiple layers of defense.
Developed by Forrester Research a decade ago, the Zero Trust security model can be summed up as “never trust, always verify.” In other words, whether a connection to a system or data is attempted from inside or outside the organization’s network, no access is granted without verification. Zero Trust is necessary because traditional network security can no longer keep data safe from today’s advanced threats.
Four Ways to Achieve Zero Trust
Let’s start with a helpful analogy: If you enter your house through the front door, you expect to have access to all the rooms inside. In a Zero Trust world, you would not necessarily have access to all rooms automatically. In fact, you may not be able to go beyond your entryway without further permission.
To achieve the level of security necessary for Zero Trust, I recommend relying on these four core tenants: physical security, logical security, process, and third-party accreditation and certification.
Physical Security remains the first layer of defense. The physical data center, whether on-premises or in the cloud, represents the epicenter of customer data. As such, it should also be the primary defense against cyber theft. There should be a drive to give equal priority and attention to all data centers you or your CSP manage, applying consistent security standards across all physical assets. This includes active monitoring, controlled access to all facilities via an approved access list, and secure environmental elements such as power, cooling, and fire suppression.
Logical security refers to the many varied layers of technical configurations and software that create a secure and stable foundation. In reference to layers, logical security is applied at the network, storage and hypervisor layers. Your position, or that of your CSP, should be to provide as much security as possible throughout each layer. Be sure to consult with your CSP ahead of time to make sure your logical security is being handled properly.
No security solution, whether physical or logical (i.e. technology), is effective without trained and experienced people. If the people managing the system don’t understand how to work within the controls established to protect the various systems, the solution will fail. Quite simply, you wouldn’t spend tens of thousands of dollars on a home security system, but then leave the keys to your house sticking out the lock of the front door. Employee background checks, security and compliance training, regular access reviews, annual penetration testing against your infrastructure, and regular patching schedules for all systems are all key to having the right process in place.
Third-Party Accreditation and Certification
The confidence that comes from third-party validation cannot be overstated. Even the most secure organizations can benefit from an additional review. You or your CSP should consider adhering to some of the following frameworks and standards: HIPAA, HITRUST, SSAE16, ITIL, GDPR, CSA STAR, CJIS, and more.
Back to the Future
In 2019 alone, there have been countless examples of malicious insiders taking advantage of valid credentials and doing great damage from within companies. Add the absolutely huge risk associated with external security threats (ransomware, malware, etc) that seems to grow daily, and you can see why customers are pursuing Zero Trust strategies in their IT organizations.
A Zero Trust strategy in your organization can eliminate many of the vulnerabilities that are left behind by technology implementations alone. As we get into 2020 and all that it may bring, it’s important to acknowledge that cybercrime will only increase in numbers, impact, and sophistication. That doesn’t mean we are helpless, but it does mean we need to change. A Zero Trust strategy can help with that.