Cybersecurity strategies will be more effective if they are based on the idea your organisation is already compromised.
The switch to working from home and a rise in cybercrime globally during the covid-19 pandemic means that boards can’t protect their organisations in the same way they did in the past.
Hilary Walton, chief information security officer at network and technology solutions group Kordia Group, says the world of cybersecurity has changed and is now all about having “zero trust”.
“We used to think that cybersecurity in organisations was basically about placing a hard crunchy shell around them with firewalls,” she explains.
“In the past, people were working in offices and going out onto the internet through the big corporate firewalls that used to protect them. But now people are frequently working remotely because of covid-19 and going out to the internet through their own internet systems at home. And these don’t have the same amount of protection.
“The corporate firewall is just not going to work anymore. Cyber security is becoming really hard to keep up with so we need to think of other ways to protect our organisations. It’s no longer ‘if’ but ‘when’ a cyberattack will happen. Plus, it’s almost moving beyond that. You should assume that the organisation is already compromised.
Almost 1/3 of Kiwi businesses saw an increase in cyberattacks during lockdown.
More than 40% were targeted by a covid-19 themed attack.
Despite a rapid rise in ransomware and DDoS attacks, almost 1/3 of businesses did not review their security post-lockdown.
Walton says when it comes to a “zero trust” approach, nothing can get into the network unless it meets very specific requirements.
“It will only allow people or traffic onto the networks when they have been identified, certified, authenticated and proven,” she says.
“It’s about looking at the context in which the user is entering the network, what date and time they logged in, what geolocation they were in and what device they used.
“For example, I join from my home network. Then my device is checked to ensure it has all the software updates. The system then checks that it is me and that I am logging on at the time it would expect me to do so and from a place I would be expected to log on from. My computer should not be logging in from Africa, for instance.”
Walton continues: “In the auditing world, they use a saying: ‘trust and verify’. Auditors will trust what you are telling them and then they will go away and verify it by getting some evidence. ‘Zero trust’ is a bit like that, except it doesn’t have the trust.
“It’s kind of like a ‘default deny’ policy. It’s not going to let you in unless all these default criteria are met. And, then when it does let you in, it will only give you access to what you need access to, rather than all the apps in your organisation.
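The checks Walton lists (proven identity, a known and patched device, expected time and place, and access to one application rather than the whole network) can be combined into a single default-deny decision. The block below is an added illustration, not code from Kordia, the article or any vendor; the user name, device name, patch-level threshold, working hours and country list are constructed assumptions, and the request is assumed to arrive already enriched with MFA status, device posture and geolocation by whatever agents and identity provider the organisation uses.

```python
"""Default-deny, context-aware access decision: added illustration only.
Policy fields, user names and thresholds are constructed assumptions,
not Kordia's or any vendor's implementation."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str                  # the single application being requested
    mfa_verified: bool        # identity proven with a second factor
    device_id: str
    device_managed: bool      # enrolled in the organisation's device management
    patch_level: int          # assumed monotonic patch number reported by the endpoint agent
    country: str              # country code from geolocation of the connecting address
    login_time: datetime      # assumed already in the organisation's local time zone


@dataclass(frozen=True)
class Policy:
    min_patch_level: int
    work_hours: tuple[int, int]                    # [start, end) hour of day
    known_devices: dict[str, frozenset[str]]       # user -> devices issued to them
    expected_countries: dict[str, frozenset[str]]  # user -> where they normally work from
    entitlements: dict[str, frozenset[str]]        # user -> apps they need, nothing more


def evaluate(req: AccessRequest, policy: Policy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Access is denied unless every check passes;
    all checks run so the audit log explains a denial in full."""
    reasons: list[str] = []

    # 1. Identity: proven, not asserted.
    if not req.mfa_verified:
        reasons.append("identity not proven: second factor missing")

    # 2. Device: known to us, managed, and patched to the current baseline.
    if req.device_id not in policy.known_devices.get(req.user, frozenset()):
        reasons.append(f"unknown device {req.device_id} for {req.user}")
    if not req.device_managed:
        reasons.append("device is not under management")
    if req.patch_level < policy.min_patch_level:
        reasons.append(
            f"device patch level {req.patch_level} below required {policy.min_patch_level}"
        )

    # 3. Context: the time and place we would expect for this user.
    start, end = policy.work_hours
    if not start <= req.login_time.hour < end:
        reasons.append(f"login at {req.login_time:%H:%M} is outside expected hours")
    if req.country not in policy.expected_countries.get(req.user, frozenset()):
        reasons.append(f"login from unexpected location {req.country}")

    # 4. Least privilege: access is granted per application, never to "the network".
    if req.app not in policy.entitlements.get(req.user, frozenset()):
        reasons.append(f"{req.user} is not entitled to {req.app}")

    return (not reasons, reasons)


# Constructed sample policy and a healthy baseline request for the worked example.
DEMO_POLICY = Policy(
    min_patch_level=12,
    work_hours=(7, 19),
    known_devices={"hilary": frozenset({"laptop-01"})},
    expected_countries={"hilary": frozenset({"NZ"})},
    entitlements={"hilary": frozenset({"email", "payroll"})},
)

BASELINE = AccessRequest(
    user="hilary", app="email", mfa_verified=True, device_id="laptop-01",
    device_managed=True, patch_level=12, country="NZ",
    login_time=datetime(2021, 6, 7, 9, 30),
)


def sample_request(**overrides) -> AccessRequest:
    """The baseline request with some fields changed, e.g. country="ZA"."""
    return replace(BASELINE, **overrides)


if __name__ == "__main__":
    cases = [
        ("baseline", sample_request()),
        ("same user and device, unexpected country", sample_request(country="ZA")),
        ("device missing updates", sample_request(patch_level=9)),
        ("app outside the user's entitlement", sample_request(app="source-control")),
        ("02:30 login", sample_request(login_time=BASELINE.login_time.replace(hour=2))),
        ("no second factor, unmanaged device",
         sample_request(mfa_verified=False, device_managed=False)),
    ]
    for label, req in cases:
        allowed, reasons = evaluate(req, DEMO_POLICY)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Two design points matter here. There is no allow rule at all: the request gets in only when the reasons list stays empty, so a check that is forgotten or misconfigured fails closed rather than open. And the decision is per application (`req.app`), which is what turns "let you into the network" into "give you access to what you need".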
“Many companies don’t actively have their networks monitored 24/7. Often, they are monitored by the IT team working nine to five. But what we find is that most cyberattacks happen during business hours rather than on the weekend or out of office hours.
“The reason for this is that people are on their computers during business hours, clicking on stuff that they shouldn’t be and entering passwords on things that they shouldn’t be. But with ‘zero trust’ the traffic is inspected all the time to ensure that it is clean and that the behaviour is appropriate. Only when all of that is done, will the door to the organisation open.”
“‘Zero trust’ is set up in a way in which a lot happens without the user being aware of it. It’s a really seamless experience for the user and a massive tick in terms of IT,” Walton says.
With “zero trust”, she says your organisation will still need two-factor authentication, an extra login step so that a password alone is not enough to get in. But “zero trust” gets rid of the need for things like virtual private networks, or VPNs, which route data traffic to your organisation through an encrypted virtual tunnel.
“Other things are done instead and users like that because they take away some of those hurdles that they had to overcome to get into the organisation’s systems, like firing up the VPN and waiting to connect, which can take more time.”
Walton says “zero trust” is a different way of thinking about your IT architecture and it’s one of those things that will take a while for people to get their heads around.
It’s also not one product, but a suite of products.
“You can use lots of different vendors and lots of different IT products. This is where the help of experts is really key,” she says.
“Before you get started, you need to think about what you are currently using in terms of IT and security products and whether any of those can be used to create the architecture for all the different products you may need to consider as you move towards ‘zero trust’. Also think about whether you will move in one big bang – that is, get it done in, say, six months – or whether you will progressively move your organisation towards ‘zero trust’, say, within a couple of years.”
Walton says “zero trust” is a mindset. And then you look at the products around it.
“What you are basically saying in the organisation is that you are not going to trust people. But it’s not actually about people. It’s about devices and traffic across the network.”
But Walton adds that human error is an issue when it comes to cybersecurity. People make mistakes and expose their organisations because of poor behaviour, she says.
“With ‘zero trust’ you are helping individuals with bad security habits come into an organisation with good IT health so that they don’t compromise the organisation.”
In addition, staff online activity used to be shielded because it happened inside the corporate network in the office, but people working from home often have less protection, says Walton.
“After covid-19, people will still be working from home through a hybrid working model. People aren’t just going to go back to the office fulltime. People recognise that flexible working can be good and useful. There are benefits for both employers and employees.”
Walton says boards need to have the “zero trust” discussion with their executive teams. They also need to know what the “zero trust” journey looks like and they need to be proactive. Some of the questions they could be asking include: