Earlier this year, the world was hit with several ransomware attacks. These attacks can be paralyzing to operations and rather fear-inducing, especially if an organization faces the prospect of losing data or dealing with a PR disaster. Governments have stepped up to identify and arrest those responsible for the attacks. While these developments are welcome, they don’t eliminate the ongoing threat to technology. Organizations need to take additional steps to secure their platforms, and that’s part of the reason why I operate with a zero-trust mindset.
You may have heard of zero-trust in the news. Rather than being a catchphrase, it’s an operating doctrine that seeks to provide some of the highest levels of security in a volatile environment. In this post, I’ll explain the concept of zero-trust and how you can implement these principles in your organization.
The Principles of Zero-Trust
One way to think about IT security is to imagine your own home. You have windows and doors that can allow people to come and go, and you can lock those entry points whenever you’d like. Only people that you trust are allowed in your home and closed-off entry points ensure that’s the case. This traditional perimeter security model assumes the bad guys will always stay on the outside of your home, in an area that you do not fully trust.
Zero-trust eliminates the notion that anyone coming into your home is friendly. Instead of allowing anyone to come and go as they please, you place limits on who can come in, what they can access, and you keep a record of who comes into your home. This can feel rather paranoid in our home analogy, but in digital spaces, it’s sometimes difficult to discern between authentic, trusted users and malicious ones. If you’re looking to get started with a zero-trust posture, there are a few tools that can help.
Typically, when we log into a website like our email account, we enter our username and password before being granted access. If a malicious user has these credentials, they can easily gain access to our account. In addition, that attacker can then use password resets to get access to our other accounts. One of the solutions to avoid having critical accounts compromised is to use multi-factor authentication (MFA).
Authentication factors come in three categories, and MFA typically requires you to present two. The National Institute of Standards and Technology (NIST) explains that the categories are something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). To qualify as MFA, you have to present two credentials from different categories. In the case of email, you still enter your username and password, but then an authenticator app on your phone provides a one-time code that you must also enter before being given access.
Banking institutions, email providers, and other websites holding sensitive information are integrating MFA into their operations, and in some cases making it a standard requirement. You can contact those companies for help, and discussing options with your IT team is another good way to get started.
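The email flow described above, as an added example that is not part of the original post: the server checks something you know (a password) and something you have (the one-time code an authenticator app computes with the standard TOTP algorithm), and refuses to count two factors from the same category as MFA. The user record, salt and "correct horse" password are constructed; the TOTP seed is the public RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct

# NIST's three categories named in the post; each factor type maps to exactly one.
CATEGORY = {"password": "know", "pin": "know", "smart_card": "have",
            "totp": "have", "fingerprint": "are"}

def is_multi_factor(factor_types):
    """MFA needs factors from at least two *different* categories: password + PIN is not MFA."""
    return len({CATEGORY[f] for f in factor_types}) >= 2

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, unix_time, step=30):
    """RFC 6238: HOTP with counter = floor(time / step); this is what the phone app computes."""
    return hotp(secret, int(unix_time) // step)

def verify_totp(secret, presented, unix_time, step=30, skew=1):
    """Server side: accept the current step or +/- skew steps, comparing in constant time."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, c), presented)
               for c in range(counter - skew, counter + skew + 1))

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; the seed is the RFC 6238 test-vector secret, so codes can be
# checked against the RFC's table (e.g. unix time 59 -> "287082").
SALT = b"constructed-salt"
USERS = {"alice": {"pw": hash_password("correct horse", SALT),
                   "totp_secret": b"12345678901234567890"}}

def login(username, password, code, unix_time):
    """The post's e-mail flow: something you know (password) + something you have (app code)."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(hash_password(password, SALT), rec["pw"]):
        return False, "bad username or password"
    if not verify_totp(rec["totp_secret"], code, unix_time):
        return False, "bad one-time code"
    return True, "ok"
```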
It’s not uncommon for companies to be operating remotely as a result of COVID-19. What’s also not uncommon, unfortunately, is the number of different devices used to access company email, servers, and other applications.
If your organization plans to have hybrid work for the foreseeable future, consider having employees use dedicated IT devices. Dedicated devices can have some features restricted, can be configured for the organization’s VPN, and their access to organization assets can be logged. Logging lets you determine who is accessing your services at any given point. Devices that are not inventoried, or not authorized to access specific information, can be denied access.
Some of these devices may be the personal property of an employee who does work for the company early in the day and then uses that same device for personal computing in the evening. If employees engage in unwise IT practices on their personal devices, information from your organization can ultimately be compromised, which leads to a third component of zero-trust security.
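The inventory and logging check from the paragraphs above, as an added example that is not from the original post: each access record is allowed only if the device is inventoried, is assigned to the user presenting it, and is authorized for the resource requested. The inventory, the log format and the log lines are all constructed for the example and do not come from any real product.

```python
import re

# Constructed device inventory: device id -> owner and the resources it is authorized for.
INVENTORY = {
    "LT-0042": {"owner": "alice", "allowed": {"email", "vpn", "fileserver"}},
    "LT-0043": {"owner": "bob", "allowed": {"email", "vpn"}},
}

# Constructed log format: timestamp, user, device id, requested resource, source address.
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
                      r"resource=(?P<resource>\S+) src=(?P<src>\S+)$")

# Constructed access log: a personal phone (not inventoried), a laptop reaching for a
# resource it is not cleared for, and a laptop used by someone other than its owner.
SAMPLE_LOG = """\
2021-09-14T08:02:11Z user=alice device=LT-0042 resource=email src=203.0.113.5
2021-09-14T08:05:40Z user=bob device=LT-0043 resource=fileserver src=203.0.113.9
2021-09-14T08:07:03Z user=bob device=PERSONAL-PHONE resource=email src=198.51.100.7
2021-09-14T08:09:55Z user=alice device=LT-0043 resource=email src=203.0.113.5
"""

def evaluate(line):
    """Return (decision, reason) for one access line. Anything not explicitly
    inventoried, owned and authorized is denied: the zero-trust default."""
    m = LOG_LINE.match(line)
    if not m:
        return "deny", "unparseable line"
    dev = INVENTORY.get(m["device"])
    if dev is None:
        return "deny", f"device {m['device']} not in inventory"
    if dev["owner"] != m["user"]:
        return "deny", f"device {m['device']} is assigned to {dev['owner']}, not {m['user']}"
    if m["resource"] not in dev["allowed"]:
        return "deny", f"device {m['device']} not authorized for {m['resource']}"
    return "allow", "inventoried device, owner matches, resource authorized"

def denied(log_text):
    """Run evaluate() over every line; return the (line, reason) pairs that were denied,
    which is the list an administrator would review and act on."""
    results = [(line, *evaluate(line)) for line in log_text.splitlines()]
    return [(line, reason) for line, decision, reason in results if decision == "deny"]
```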
A Culture of Zero-Trust
Humans play a large role in IT errors and breaches. Kaspersky Lab estimates that possibly ninety percent of data breaches can be attributed to human error. Developing a culture of zero trust among employees is another way to bolster security. Effective password hygiene, for example, means employees avoid using the same password for multiple accounts. This is especially important so that the password for one account (say, a social media channel) is never reused for the organization’s banking information or an employee’s email account. More than half of people admit to doing this, and that doesn’t include the number of people who still use “Password” for their accounts.
Reports from IT companies dive deeper into the concept of zero-trust if you want some more information on the topic. What do you consider to be your biggest obstacle for zero-trust? What are some of the strategies you used to implement zero-trust with your team? Let me know your thoughts via Twitter, @SusanneTedrick.