Organisations of all sizes continue to face an increasing number of cyberattacks both in scale and sophistication, and they need to assume the mindset that it’s not if, but when, their security will be breached. The combination of cloud adoption, digital transformation and the impact of the Covid-19 pandemic has accelerated the shift to an environment that encourages working from anywhere, at any time, and on any device, and this is eroding all perimeters of business security boundaries.
As the perimeter disappears, the attack surface grows due to security vulnerabilities and poor cyber hygiene by employees, contractors and vendors. This allows attackers to gain access to a business network through an initial attack, after which they may look to establish persistence and move laterally to find and compromise high-value data and resources.
To defend against this increasingly complex and evolving threat landscape, we need to establish guidelines, controls and frameworks to help businesses defend against cyberattacks. One such framework is called ‘zero trust’ which, due to its holistic nature, is rapidly gaining widespread adoption. A robust zero-trust strategy is a paradigm comprising of interlocking technologies, procedures and security controls operated as part of a cohesive cybersecurity strategy. It is an assurance fabric that is regularly reassessed against changing risks and encompasses people, process and technology.
At its core, the zero-trust concept is about stopping organisations from automatically trusting users, data, and processes inside and outside their perimeters. It is based on the principle of ‘never trust, always verify’ and can be achieved through three behaviours, the first being to verify explicitly. This translates to ensuring strong authentication on the premise of appropriately strong registration. When it applies to users, we must make sure that the person who is requesting authentication is the account owner and that the account has not been compromised by account-takeover attacks. To ensure a more holistic defence, the concept of verifying explicitly should extend across users, devices, applications and workloads to avoid points of compromise.
Secondly, a zero-trust strategy is built from least privilege access, which only allows a limited number of accounts authorised access to information that is limited to permissions needed to complete a specific task or responsibility.
Thirdly, businesses should assume that there is no perimeter and always be prepared for a security breach at any time. This requires security controls and policies to verify every access request and to apply mitigation techniques the moment an incident is detected, which helps to prevent lateral movement, persistence of an attacker and limits the overall ‘blast’ radius of a successful attack.
Identity lies at the centre of any great zero-trust strategy. It is crucial that firms establish trusted identities across their users, devices, applications, and workloads to implement a secure first line of defence against cyberattacks.
Strong phishing-resistant multi-factor authentication with high assurance passwordless capabilities is a strong requirement for a mature foundation within user identity. However, zero-trust goes beyond the foundational identity layer of cybersecurity by requiring strong end-to-end encryption when accessing data, which adds an extra level of protection.
Enforcing strong encryption with robust cryptographic key management on post-quantum-ready platforms helps to protect sensitive data. It also helps to tackle the ‘harvest now, decrypt later’ threat where bad actors are collecting long-life and sensitive data today such as human resources or healthcare records, to decrypt once a quantum computer becomes available to them.
In addition, security solutions that address the zero-trust framework need to account for a cross-cloud approach to secure multi-cloud and hybrid environments. Combining cryptographic key protection of virtual machines, containers and secrets with public key infrastructure and compliance management allows organisations to secure access to data across their computing ecosystem. This allows them to fulfil regulatory requirements in a seamless manner.
Ultimately, zero trust is a journey requiring interlocking approaches, solutions and processes. Integration of vendor solutions with the necessary governance enables organisations to implement a zero-trust strategy that effectively addresses data and network security risks.
Rohan Ramesh is product marketing director at Entrust
This article was originally published in the Spring 2023 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription