Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Is Zero Trust the Future for Data Security?

Zero Trust

Prior to the coronavirus pandemic, the term ‘zero trust’ was seen by many as just another industry buzzword, thrown around until the next one came along. However, as employees across the globe were forced to work from home by the imposed restrictions, companies had to adapt their security strategy to accommodate the ‘new normal’. The implementation of zero trust is now being seen as a crucial step towards keeping our systems and data secure in a remote working environment.

The traditional perimeter-based approach to data security is analogous to the castle surrounded by a moat, where the good guys are on the inside defending the castle from intruders. As working environments become more distributed and dynamic, this paradigm is rapidly becoming obsolete.

The first problem with this approach is that it is predicated on the assumption that everyone inside the castle either has good intentions or that they won’t make mistakes that would allow an intruder to sneak in. Unfortunately, neither of these assumptions is true. The reality is that insiders, whether malicious or negligent, present a huge threat to the security of our systems and data.

As increasingly more organizations move their business operations to the cloud, there is no longer a castle, let alone a moat. As such, the obvious solution would be to design protocols that align with the “never trust, always verify” mantra that is a part of the zero-trust ethos.

How are Companies Adopting a Zero-Trust Approach?

According to a report carried out prior to the outbreak of the coronavirus, North America is leading the way, with 60% of organizations saying that they are transitioning to a zero-trust model. 50% of organizations in Australia and New Zealand, and 18% of organizations in Europe and the Middle East, have also shown interest in shifting towards a zero-trust approach.

The report also pointed out that certain industries, such as healthcare, finance, and manufacturing, were more interested in zero-trust than others, which is what we would expect given that organizations in these industries are responsible for large amounts of sensitive data, and are thus frequently targeted by cyber-criminals.

In the early days of the pandemic, many organizations were advised to enforce the use of VPNs (Virtual Private Networks) as a means of ensuring that remote workers were able to connect to their network, from potentially unsecured locations, in a way that could not be intercepted by adversaries. While this approach may still be advisable in some scenarios, it should not be seen as a permanent solution for all employees, as VPNs were not designed for this purpose. In other words, simply using a VPN does not constitute zero trust. Companies must conduct comprehensive assessments of their environment, and decide which systems and data are at the highest risk. They must develop a comprehensive zero-trust strategy, implement the strategy, continuously monitor the effectiveness of the strategy, and make improvements when necessary.

It is important to understand that switching to a zero-trust model is not something that will happen overnight. It requires careful consideration and planning, as well as ongoing management and maintenance, and all of this requires time, effort, and money. You must also ensure that your employees are well versed in the new procedures and protocols, and are aware of the reasons behind them; otherwise, they may resist them.

What are the Trends Driving the Adoption of Zero-Trust?

As mentioned previously, the main trend driving the transition to a zero-trust paradigm is the shift from a centralized working environment to a decentralized one, as this requires a more remote, flexible, and agile approach to accessing company resources. However, there are other important trends that we should look into, including:

The Growing Use of APIs

Increasingly more organizations and software vendors are using APIs (Application Programming Interfaces) for aggregating data from multiple platforms and sources. APIs can be very useful for tasks that involve automation and orchestration, which in turn will help to drive the adoption of zero trust. Companies may use their own internal APIs, while others will be developed by third-party vendors. APIs also come with a number of security risks, and so each and every interaction with an API that has access to sensitive data needs to be controlled. Developers must have complete control over who has access to the API, including the specific functions they can use. They must also have control over the authentication protocols used to access them, which might include basic authentication, OAuth, or MFA. APIs will no doubt play an important role in zero-trust environments (and vice versa), as they provide a simple way of interacting with a multitude of systems and services in a secure and deterministic manner.

Protection Against Compromised Devices

As mentioned previously, a large number of security threats come from negligent and malicious insiders. As such, there is a growing need for organizations to keep a close eye on which endpoints are connecting to their network, and whether those endpoints have been compromised in some way. It’s important to note that just because an employee is accessing the network using a company-issued device doesn’t mean you should automatically trust it. After all, the device may be infected with malware that monitors the employee’s keystrokes in order to capture their credentials. Ideally, companies should use some sort of device management software, installed on the company-issued device, which will give admins more insight into whether the device has been compromised, along with other relevant information such as configuration errors or unpatched software. As always, the principle of least privilege (PoLP) is necessary to ensure that users only have access to the resources they need to perform their role.

The Need to Access and Share Protected Health Information

Another factor driving the adoption of zero trust is the need for healthcare providers to share information amongst patients and practitioners in a secure and flexible manner. As you are probably aware, the healthcare industry is a prime target for cyber-criminals. To make matters worse, healthcare providers are typically bound by budget constraints, and thus need to find affordable and effective ways to protect their systems and data. The optimal way to protect sensitive patient data, whilst ensuring that it is accessible to those who need it, is to ensure that each patient record has its own unique access controls assigned to it. When a practitioner requires access to a patient’s information, either the patient or a trusted authority will need to authorize the request, and revoke access when it is no longer required. That way, were an adversary to gain access to an account with admin-level privileges, they would still need an additional set of credentials to access the patient’s records. Eventually, patients will likely have complete control over who has access to their personal data, including the right and ability to port their data to third-party storage containers.
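The three sections above (per-function API access, device posture, and per-record grants that can be revoked) all come down to the same thing: every request is evaluated on its own merits. The following policy decision point is an added illustration, not Lepide's code or any product's API; the device attributes, grant structure and reason strings are assumptions chosen for the example.

```python
"""Minimal zero-trust policy decision point (added example, not Lepide's code).

Every request is checked for: a compromised or unmanaged device, MFA, and an
explicit, revocable grant for this user on this record/function. There is no
'admin' shortcut: an admin account without a grant is refused like anyone else.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    managed: bool        # enrolled in device management (assumed attribute)
    patched: bool        # no known unpatched software (assumed attribute)
    malware_flag: bool   # endpoint agent reported a compromise (assumed)


@dataclass
class Request:
    user: str
    mfa: bool            # authenticated with MFA, not just a password
    device: Device
    resource: str        # e.g. "patient/1234" or an API function name
    action: str          # e.g. "read" / "write"


@dataclass
class PolicyEngine:
    # resource -> {user: set(actions)}: assigned per record, revocable at any time
    grants: dict = field(default_factory=dict)

    def grant(self, resource, user, action):
        self.grants.setdefault(resource, {}).setdefault(user, set()).add(action)

    def revoke(self, resource, user):
        # Removing the grant is enough: the next request is re-evaluated from scratch.
        self.grants.get(resource, {}).pop(user, None)

    def decide(self, req):
        """Return (allowed, reason). Order: device, authentication, then grant."""
        d = req.device
        if d.malware_flag:
            return False, "device compromised"
        if not (d.managed and d.patched):
            return False, "device posture insufficient"
        if not req.mfa:
            return False, "MFA required"
        allowed = self.grants.get(req.resource, {}).get(req.user, set())
        if req.action not in allowed:
            return False, "no grant for this record/action"
        return True, "allowed"
```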

Zero-Trust is Here to Stay

Numerous technologies are emerging that are designed to facilitate the decentralization of the internet and, in turn, of the perimeters which safeguard our data. In other words, all systems, services, devices, and data will need to have their own perimeters, and will be required to authenticate themselves any time they need access to critical systems and data.

If you’d like to see how the Lepide Data Security Platform can help you implement zero-trust across your on-premise and cloud environments, schedule a demo with one of our engineers.