The Zero Trust Model for Living in a Hacked World

Although data breaches happen to corporations, the impact ultimately affects normal citizens like you and me. When we fall victim to credit card breaches, the associated anxiety and uncertainty is not addressed beyond proffered, free credit watch and protection services. Our personal email accounts are also at risk of misuse.

According to CNN, a recent call center bust revealed that scammers had acquired user information from trusted systems and leveraged that information to trick victims into thinking they owed money to the government. The criminals behind it made about $150,000 per day with the scheme. But what can we in the security industry do about it?

Implementing the Zero Trust Model

Organizations must establish frameworks and execution plans for security. That likely means embracing the zero trust model for security.

According to a National Institute of Standards and Technology (NIST) report titled “Developing a Framework to Improve Critical Infrastructure Cybersecurity,” zero trust security requires IT teams to abandon the old paradigm of “trust but verify.” Instead, security professionals should verify but never trust. NIST built on the zero trust framework to guide corporations in their efforts to build, monitor and manage robust security infrastructures.

The zero trust model requires all resources to be accessed securely regardless of location. This can start with low-impact, cost-friendly projects, such as software-defined wide area network (SD-WAN) solutions, to encrypt and securely transmit data over a network. Create network segmentation by leveraging virtualization technologies or network design, and establish access controls based on trust. Use a network security solution, cloud access security broker (CASB) and other vendor technologies to secure, inspect, block and tackle intrusion attempts.

When implementing the zero trust model, IT leaders should strictly enforce access control with a policy of least privilege. This involves identifying users and systems and explicitly providing access to trusted applications, networks and data rather than applying blanket privileges. Adopt policies to validate continuing user access, such as continuous business need (CBN) and quarterly employment verification (QEV). Use that as a basis to monitor user access and the life cycle from creation to deletion. Track changes that result from users moving between departments.

Approaching Access Management

It’s critical to monitor access and privileges and record adjustments as users’ roles change. For example, when an employee leaves a company, the IT team should withdraw all access from that individual. An access management solution can help identify employees who require access to resources, track their usage and provide personal accountability. IT teams can create privileged user activity monitoring and audit solutions by combining access management with a security intelligence solution or service.

With the increased use of cloud comes a slew of risks related to shadow IT. It is important to implement monitors to identify and track the movement of critical data residing in sanctioned IT locations, including on-premises. We can start to solve the problem of shadow IT by leveraging a CASB solution to discover corporate connections to and from data in the cloud. Through identity access federation, CASB technologies can secure transmission and offer protection to help customers prevent businesses or users from creating shadow IT, and enable them to securely leverage sanctioned IT.

Rethinking End-User Security

Given the rise of bring-your-own-device (BYOD) policies in the enterprise, it’s critical to examine cloud access and protection strategies. In the days of static desktops and client server access, all end users were housed within a defined and trusted corporate network perimeter. IT managers could minimize the risk by simply protecting the perimeter.

With the progression of mobile and cloud technologies, however, the enterprise expanded, becoming a combination of trusted and untrusted users and devices. This makes it difficult for companies to track the movement of sensitive data and causes vulnerabilities to proliferate beyond the perimeter.

One way to control user access is to use a virtual desktop infrastructure (VDI). All corporate transactions occur through the VDI, which can be secured using advanced endpoint security solutions. IT teams can mitigate risks by channeling the user access to corporate IT assets, such as data centers and cloud networks, through a secure VDI. This also helps to track the movement of sensitive data and plug vulnerable spots in the network.

Managing Risks

Every corporation should incorporate a risk management program and conduct periodic reviews to measure the effectiveness of the adopted framework. IT leaders must also implement measures to assess the maturity of the process and the users adopting it. By following a step-by-step procedure, basic security measures can mature into fully optimized management and monitoring processes.

Savvy organizations should also maintain a rigorous employee education program to provide comprehensive training on endpoint and social network usage, among other things. The right program highlights the risks of devices and offers best practices to minimize that risk. If your company does not have one, consider starting one internally.

Finally, remember that you should never place security in a commoditized services bucket. Clients should embark on a journey to enable and update a comprehensive security policy.

Register for the webinar: Zero Trust Security for the Infrastructure and Endpoint

Share this Article:
Srini Tummalapenta

Chief Architect & STSM of Managed Security Services, IBM, IBM

Srini Tummalapenta is the Chief Architect & STSM for IBM Managed Security Services. During his 16 years with IBM, he has worked as an IT Architect with a global team providing infrastructure architecture, security solution architecture, delivery architecture and transformation. His 19+ years of IT experience have made him a subject matter expert in the areas of information security and event management. Srinivas holds degrees in technology and business administration.