COVID-19 and the Acceleration of a Zero Trust Strategy
The global pandemic has caused many changes, among them an accelerated need for a zero trust strategy. Dr Michael Axelsen shares his insight into whether zero trust models are the answer to network security in the new normal.
As COVID-19 took hold and forced organisations to pivot to working from home, gaps in IT infrastructure were exposed. The traditional approach of protecting the perimeter is dated and largely pointless in a remote worker environment. The answer? A strong IT infrastructure and an effective use of digital identity. It’s for this reason we’ve seen the zero-trust strategy emerge at an accelerated rate.
As we continue to work towards a COVID normal, we know that remote employees will play a large part in the future of work. As such, IT teams and CSOs need a comprehensive approach that will mitigate the risk of hybrid attacks against their organisation.
Why a Zero Trust Strategy?
Dr Michael Axelsen, Senior Lecturer in Business Information Systems at the University of Queensland, says the evidence clearly shows COVID-19 has accelerated the uptake of zero trust strategies.
“You might recall Ronald Reagan saying ‘trust, but verify’. Well, a zero trust strategy is almost the opposite of that. It’s really more ‘never trust, always verify’,” Axelsen tells Security.
“The whole approach of a ‘zero trust’ strategy is to ensure that all access is verified, every time access occurs, according to an authentication and access protocol. COVID-19 has spurred this increase as the flaws in the traditional network security model have become apparent.”
Questioning everyone means being able to reliably identify each person, which is key for maintaining security of data stores. Micro-segmentation of networks also ensures people only have access to specific resources. For example, a network could be configured to only allow access to human resources information to HR staff.
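The HR example above can be sketched as a per-request policy check. This is an added illustration, not code from the article or from Dr Axelsen; the segment names, roles and device identifiers are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy (assumption): roles allowed into each segment.
# A segment that is not listed is denied by default.
SEGMENT_POLICY = {
    "hr-records": {"hr"},
    "payroll": {"hr", "finance"},
    "wiki": {"hr", "finance", "engineering"},
}

@dataclass(frozen=True)
class Request:
    role: str
    user_verified: bool    # identity proven for this request
    device_id: str
    device_verified: bool  # device checked for this request, not once at enrolment
    segment: str

def perimeter_decision(req, trusted_devices):
    """Traditional model: a device on the trusted list reaches every segment."""
    return req.device_id in trusted_devices

def zero_trust_decision(req):
    """Verify user, device and segment membership on every single request."""
    if not req.user_verified:
        return False, "user not verified"
    if not req.device_verified:
        return False, "device not verified"
    allowed_roles = SEGMENT_POLICY.get(req.segment)
    if allowed_roles is None:
        return False, "segment has no policy"
    if req.role not in allowed_roles:
        return False, "role not permitted in segment"
    return True, "allowed"

# Constructed requests: an engineer and an HR officer, each on an enrolled laptop.
TRUSTED = {"laptop-eng-01", "laptop-hr-07"}
ENGINEER = Request("engineering", True, "laptop-eng-01", True, "hr-records")
HR_OK = Request("hr", True, "laptop-hr-07", True, "hr-records")
HR_BAD_DEVICE = Request("hr", True, "laptop-hr-07", False, "hr-records")

if __name__ == "__main__":
    for name, req in [("engineer", ENGINEER), ("hr", HR_OK),
                      ("hr, device check failed", HR_BAD_DEVICE)]:
        print(name, perimeter_decision(req, TRUSTED), zero_trust_decision(req))
```

The perimeter check admits all three requests because the laptop is on the trusted list; the per-request check admits only the verified HR officer on a verified device.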
Key Enabler for Convergence
As physical and cyber security converge, opening organisations up to risk, zero trust can thwart any physical breaches. A traditional approach places trust in the authenticated device, so a compromised trusted device can spread that compromise to other devices on the network.
“A zero trust strategy would prevent that physical breach to allow access to digital assets because of its authentication and access protocol. The physical device is part of that protocol, and it is verified every time it is used to access the digital asset,” says Axelsen.
“Although the Zero Trust strategy isn’t sufficient for the convergence of physical and cyber security, it is a key enabler of such convergence. Physical security of the device and the cyber security of the device can be addressed using the same strategies and tools.”
Zero trust makes sense in a COVID-19 world
We’ve seen the pandemic create a plethora of opportunities for bad actors to infiltrate networks, shining a spotlight on potential holes in perimeter protection strategies.
“The trouble here is that, once an authenticated device is compromised – or, a trusted employee goes ‘rogue’ – the bad actor is free to roam around inside the ‘walled garden’ of the business’s data and applications,” says Axelsen.
“But even more so – and particularly in a world of ‘working from home’ – the devices that access our data are now often out and about and are not ‘on’ our network, but to make remote access easier, the device is allowed to access the network if it is authenticated and trusted. Such trust though can be misplaced.”
Not surprisingly, then, interest in zero trust networks has skyrocketed globally. A report by Okta found 50 per cent of ANZ respondents surveyed were embarking on zero trust initiatives, close behind North America’s 60 per cent.
Axelsen says zero trust borrows from The X-Files’ Fox Mulder, ‘Trust No-one’, by establishing a firewall – or fortress, as Axelsen likes to think of it – around the digital asset that only allows legitimate requests that meet certain standards to pass through.
“This protocol sets a higher benchmark and is very different to assuming that the transaction is legitimate if it comes from an authenticated and authorised device. Rather than trusting a user and a device, every access to a digital asset is verified.”
Zero Trust Protects Consumer Confidence and IT Team Workflow
It’s well known that the cost of cybercrime for organisations can go way beyond financial. Dealing with cyber-attacks can seriously disrupt business operations, impact reputation, and waste significant amounts of IT staff’s time and energy. This is particularly frustrating for teams when the attacks are preventable.
Take the telecommunications firm TalkTalk, for example, who had the personal details of over 150,000 customers hacked. On top of the cost of managing the incident, they lost more than 100,000 customers. They were also fined £400,000 by the Information Commissioner’s Office after being found guilty of a serious breach of UK data protection laws.
Furthermore, 85 per cent said they would not do business with a company if they have concerns about its security practices, while 87 per cent said they would take their business elsewhere if they don’t trust a company to handle their data responsibly.
Improving Employee Experience
To internal teams, it might seem like zero trust security is more a hassle than a help for employees. But well-designed zero trust networks that incorporate password-free authentication and intelligent automation allow IT teams to waste less time patching up perimeter defences, responding to false threats, or resetting forgotten passwords.
The simplicity and speed of biometric authentication is often appreciated by non-tech staff itching to get their day started, and it is this benefit that should be popularised to staff.
“The benefit is that devices and digital assets can be given access to digital assets no matter where in the world they are taken,” says Axelsen.
“Under work-from-home arrangements, these devices are often being used everywhere BUT on the network. The Zero Trust approach means that these devices can be utilised wherever they are without the need to compromise security.”
The challenges of a zero trust strategy
“The key challenge of a Zero Trust strategy effectively is that it requires a relatively sophisticated maturity in the security approach,” says Axelsen.
“This is a non-trivial exercise – it’s quite darned difficult in fact. And although the technologies exist to establish these micro perimeters and such, the usual problem rears its head once more: people are the weakest link in the implementation of any technology. Change management is, as in many things, a chief concern in implementing a zero trust strategy.”
Initial difficulties include having an access authorisation and access control policy both developed and implemented for each digital asset. Each single user sign-on and user identity must be in place, and each device must be authenticated, with access policies implemented.
“Zero trust strategies disrupt the status quo, break user access models, and can end up causing considerable user difficulties due to such change. Technically, Zero Trust is eminently achievable, but the ‘people’ issues can become a sticking point,” explains Axelsen.
Despite the challenges, implementing a zero trust strategy may free up your IT staff’s time and energy to spend where it’s most useful, rather than patching up holes in perimeter defenses – both now and in the event of future scenarios that accelerate cyberattacks.
As we continue to work less on site and approach a COVID normal, zero trust strategies are likely to continue gaining popularity among IT teams globally.