Can we really trust zero trust?

The growing use of cloud-based architecture, combined with an increase in remote and hybrid working, has made a new breeding ground for cyberattacks.

According to the ENISA Threat Landscape 2021 report, cyberattacks have increased throughout 2020 and 2021, with a 150% increase in ransomware attacks during that time.

As cyberattacks continue to evolve and become more prevalent and sophisticated, businesses are looking for a new approach to identity-based cybersecurity. These policies and solutions aim to protect all people and machines within an organisation, and are used to detect and prevent identity-driven breaches.

It is easy for businesses to get infected, but the issue lies in how to find a solution. Most businesses are attacked in a similar way, through ransomware attempts where access is initially brokered using phishing, according to Acronis’ Mid-Year Cyberthreats Report 2022: Ransomware dominates threat landscape. If phishing emails look as if they come from a trusted source, and are not protected using an email gateway, it is a lot easier for threat actors to gain access into an organisation.

Assessing an organisation’s security posture

Often organisations do not know what the impact of an attack is going to be until it happens. If businesses are not protected and an attack does happen, it will cost them a great deal in terms of reputation and money to recover from the damage. End-users also have a responsibility to protect their emails and devices. To support this, businesses must invest in security awareness training programmes, while recognising that participants have a lot of ground to cover in the early days. This is especially true when setting out a new security policy: employees need to understand why this level of protection is required and how to detect phishing emails.

No security posture is ever going to be perfect. Each new software update pinpoints issues in a business's security posture, outlining the entry points into an organisation that threat actors could use. Even when businesses do apply a patch to fix software bugs, they want to test it before it is rolled out. This means that businesses are always at least one step behind a more complete security posture. For businesses, this leaves a security gap that allows threat actors to gain access to an organisation.

Is zero trust anything more than just a buzz word?

The zero trust approach is not new. Many businesses have implemented a zero trust strategy to protect their information. Zero trust is a set of policies whereby access is granted on a least-privilege basis. This means that employees can only access data which they have permission to, and that access to this data is not allowed to continue if the behaviour or actions of that user change.

In theory, zero trust should reduce attack pathways and for IT security teams, it should make monitoring for an attack less complex because it highlights unusual behaviour. As the strategy provides end-to-end visibility of a network, it should allow IT security teams to understand how information normally flows within an organisation. IBM’s Cost of Data Breach Report 2021 cited that the average cost of a data breach for organisations that had implemented a mature zero trust strategy was $1.76 million lower than in those that had not. This is because zero trust makes identifying critical assets easier and pinpoints what should be secured, and so vulnerabilities can be identified with security gaps being closed.
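As an added illustration of the two ideas above (access granted only on a least-privilege basis, and re-evaluated whenever behaviour changes), the following is a toy per-request policy engine. It is example code written for this article, not a product or vendor implementation; the role table, the device-compliance flag and the location-baseline signal are all constructed assumptions.

```python
from dataclasses import dataclass

# Role -> explicitly granted permissions (constructed sample). Anything not
# listed here is denied, which is the least-privilege default.
ROLE_PERMISSIONS = {
    "finance": {"read:ledger"},
    "engineering": {"read:repo", "write:repo"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    action: str
    device_compliant: bool   # assumed signal from endpoint management
    country: str             # where this request originates
    baseline_country: str    # where this user normally works
    mfa_passed: bool = False # step-up authentication already completed?


def evaluate(req: AccessRequest) -> tuple:
    """Decide one request. Every request is judged afresh; an earlier
    'allow' for the same user carries no weight (continuous evaluation)."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.action not in granted:
        return "deny", "action not granted to any of the user's roles"
    if not req.device_compliant:
        return "deny", "device fails posture check"
    # Behaviour drift: a request from an unusual location is not refused
    # outright, but access does not continue until identity is re-proven.
    if req.country != req.baseline_country and not req.mfa_passed:
        return "step-up", "location differs from baseline; require MFA"
    return "allow", "identity, device and behaviour checks passed"


def run_demo() -> list:
    """Constructed sequence of requests showing each decision path."""
    fin, eng = frozenset({"finance"}), frozenset({"engineering"})
    requests = [
        AccessRequest("alice", fin, "read:ledger", True, "GB", "GB"),
        AccessRequest("alice", fin, "write:repo", True, "GB", "GB"),
        AccessRequest("bob", eng, "write:repo", True, "US", "GB"),
        AccessRequest("bob", eng, "write:repo", True, "US", "GB", mfa_passed=True),
        AccessRequest("bob", eng, "write:repo", False, "GB", "GB"),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(f"{decision:8} {reason}")
```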

However, as threat actors' tactics are constantly changing, those in security are under time pressure to be first to market with a new product. Unfortunately, the tendency to produce minimum-viable products means that these products may not be as effective as hoped in the first instance. This is why robust security policies based on the risks an organisation faces are so important. You cannot assume the technology is infallible.

Hybrid working and zero trust

There is a danger in not having the right solutions, especially at a time of hybrid and remote working.

Previously, employees were accessing data in an office on one network, where there also was a firewall to protect the data. If an employee had access to that network, then they were able to access and share documents internally with other colleagues. In this situation, no data was being filtered out into the cloud or externally.

The new working environment, however, means that companies need zero trust, as employees access the cloud from many different locations. With employees dispersed around the country, or the world, a firewall alone cannot protect businesses anymore. Zero trust can be implemented to secure these networks within these new parameters using identity checks.

There are other protection measures available on the market that support the zero trust framework. With Secure Access Service Edge (SASE), users must connect through a central network, no matter their location, in order to reach a company's sites or files. Alternatively, on the cloud side, a cloud access security broker (CASB) can improve security by brokering the connection to cloud applications before access is granted.

Balancing security with risk

Cybersecurity is all about finding the equilibrium between what risk is acceptable and what is not. Once businesses have assessed that, preferably in a way that puts risks in monetary terms so the business case is understood, they can begin to build their cybersecurity posture. Even though zero trust does protect a business and is useful for organisations to implement, it is not a product which businesses can buy off the shelf and then assume they are fully protected.

Implementing zero trust requires work, but is also a critical part of the arsenal of solutions and approaches that organisations need to leverage to stop the highly sophisticated and increasingly aggressive hackers.
