[BreachExchange] Four Ways to Achieve a Zero Trust Security Model

[Destry Winant]

https://www.securitymagazine.com/articles/91483-four-ways-to-achieve-a-zero-trust-security-model

Put 2019 in the record books — for cybercrime, that is.

According to Risk Based Security, a global leader in vulnerability
intelligence, breach data and risk ratings, 2019 was on track to be
“the worst year on record” for cybercrime. We’ve seen this to be true
in the near constant headlines of ransomware, viruses, trojans and
phishing incidents wreaking havoc on businesses of all sizes. These
attacks are not only increasing in frequency, but in revenue impact
and sophistication.

Last spring, ransomware attacks on the data networks in Baltimore,
pioneered by a brand new strain of ransomware called RobbinHood,
resulted in network downtime costing at least $18.2 million in lost
revenue. This is far from a blip on the radar. Juniper Research found
that cybercrime has already produced $2 trillion — with a “T” — in
damages and it estimates that number with reach $6 trillion by 2021.

All this bad press has translated into difficult conversations between
customers and IT professionals — whether you do it all yourself or
enlist the help of a Cloud Service Provider (CSP). The fact is, if you
are an IT developer, buyer, or someone who can be impacted by
cybercrime (which is basically all of us), having a cursory
understanding of data security is a requisite part of the job.
Otherwise, you risk putting yourself, or your company, in harm’s way.

Preparing for 2020

The first step to resolving this problem is admitting it exists — and
that’s what many organizations are doing as they prepare for
cybercrime in 2020. Our capabilities to defend against cybercrime are
improving as organizations spend more on security and advance and
focus their strategies. One such strategy is called “Zero Trust,”
which incorporates technology, services, people, and processes into a
cohesive approach that includes multiple layers of defense.

Developed by Forrester Research a decade ago, the Zero Trust security
model can be summed up as “never trust, always verify.” In other
words, whether a connection to a system or data is attempted from
inside or outside the organization’s network, no access is granted
without verification. Zero Trust is necessary because traditional
network security can no longer keep data safe from today’s advanced
threats.

Four Ways to Achieve Zero Trust

Let’s start with a helpful analogy: If you enter your house through
the front door, you expect to have access to all the rooms inside. In
a Zero Trust world, you would not necessarily have access to all rooms
automatically. In fact, you may not be able to go beyond your entryway
without further permission.

To achieve the level of security necessary for Zero Trust, I recommend
relying on these four core tenants: physical security, logical
security, process, and third-party accreditation and certification.

Physical Security

Physical Security remains the first layer of defense. The physical
data center, whether on-premises or in the cloud, represents the
epicenter of customer data. As such, it should also be the primary
defense against cyber theft. There should be a drive to give equal
priority and attention to all data centers you or your CSP manage,
applying consistent security standards across all physical assets.
This includes active monitoring, controlled access to all facilities
via an approved access list, and secure environmental elements such as
power, cooling, and fire suppression.

Logical Security

Logical security refers to the many varied layers of technical
configurations and software that create a secure and stable
foundation. In reference to layers, logical security is applied at the
network, storage and hypervisor layers. Your position, or that of your
CSP, should be to provide as much security as possible throughout each
layer. Be sure to consult with your CSP ahead of time to make sure
your logical security is being handled properly.

Process

No security solution, whether physical or logical (i.e. technology),
is effective without trained and experienced people. If the people
managing the system don’t understand how to work within the controls
established to protect the various systems, the solution will fail.
Quite simply, you wouldn’t spend tens of thousands of dollars on a
home security system, but then leave the keys to your house sticking
out the lock of the front door. Employee background checks, security
and compliance training, regular access reviews, annual penetration
testing against your infrastructure, and regular patching schedules
for all systems are all key to having the right process in place.

Third-Party Accreditation and Certification

The confidence that comes from third-party validation cannot be
overstated. Even the most secure organizations can benefit from an
additional review. You or your CSP should consider adhering to some of
the following frameworks and standards: HIPAA, HITRUST, SSAE16, ITIL,
GDPR, CSA STAR, CJIS, and more.

Back to the Future

In 2019 alone, there have been countless examples of malicious
insiders taking advantage of valid credentials and doing great damage
from within companies. Add the absolutely huge risk associated with
external security threats (ransomware, malware, etc) that seems to
grow daily, and you can see why customers are pursuing Zero Trust
strategies in their IT organizations.

A Zero Trust strategy in your organization can eliminate many of the
vulnerabilities that are left behind by technology implementations
alone. As we get into 2020 and all that it may bring, it’s important
to acknowledge that cybercrime will only increase in numbers, impact,
and sophistication. That doesn’t mean we are helpless, but it does
mean we need to change. A Zero Trust strategy can help with that.