The importance of data in implementing Zero Trust cybersecurity

By Maheswaran Shamugasundaram, Country Manager, Varonis

Cybersecurity has never been as important as it is today. As the blast radius of attacks keeps expanding, security providers have to adapt and evolve constantly. One recent development is Zero Trust, which departs from conventional models of perimeter protection. Zero Trust has lately become something of a buzzword that is not always completely understood or properly applied. Truly reaping its benefits requires a complete and robust understanding of an organisation's data landscape so that thorough access controls can be set up. Without this, many of the benefits of Zero Trust are lost and it becomes little more than a diluted version of the conventional models.

The basics of Zero Trust

Zero Trust is not a product as such. It is better described as an approach, strategy or architecture that departs from conventional models of security focused on protecting network perimeters, assets and applications. In a Zero Trust model every user must be authenticated, authorised and continuously validated before accessing an organisation's applications and data, regardless of whether that user is inside or outside the organisation's network.

Zero Trust is built on the assumption that perimeters will fail and networks will be compromised. Users therefore have to prove who they are on every access, and their access is limited so that a single compromised account does not have free rein over all data and applications on the network. This also has the added benefit of increasing protection against insider threats, one of the more prominent weaknesses of conventional perimeter-based models.

The importance of data

Unfortunately, not all implementations of Zero Trust carry it through to its logical conclusion. Some limit access on the basis of networks, identities, assets and applications rather than on the data itself. What ends up happening is that the unique selling point of Zero Trust, its departure from perimeter protection, is lost. Instead, these implementations crudely draw micro-perimeters within the network along organisational lines such as departments. As a result, while a compromised account may not be able to reach all data and applications on the network, it can still reach everything within its own department.

The problem with micro-perimeters drawn this way is the same one network perimeters face: in today's world data rarely stays within a perimeter, and is often transferred or replicated outside it. This is why the only viable micro-perimeter is the data itself, as it is the one place where access restrictions can be attached to the object, and where usage can be authorised and monitored, wherever that object travels.

Doing Zero Trust right

The first step in a Zero Trust approach should therefore be to map out an organisation's data landscape completely, along with the access permissions that exist and the access that is actually required. This is an arduous and complex task, but it is well worth it, because it allows you to build protections around the prize most threats seek: data, especially sensitive data. Classifying all of its data lets an organisation understand not only which data is important and sensitive, but also where it is located.

Once the data is classified, the next step is to switch to a default state in which no user is trusted and every user has to verify themselves before accessing any given piece of data. Ideally this operates as a least-privilege model, where data is made available only to those users who cannot perform their allocated tasks without it. This is the most thorough way of siloing sensitive data and keeping it away from threat actors who have bypassed perimeter protections and are operating inside the network.

However, simply restricting access is not sufficient. The final and perhaps most critical step of Zero Trust is tracking, monitoring and analysing usage. Zero Trust is no silver bullet or panacea that will totally prevent breaches and the compromise of sensitive data. Authorisation cannot measure intent: an authorised user may be acting maliciously or may have been compromised. This is why it is essential to monitor all use of data, so that malicious use can be identified even if only after the fact. This can be achieved by establishing baselines of normal behaviour, using data enrichment and machine learning, against which anomalous and possibly compromising usage stands out.
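The three steps above (catalogue the data, default-deny access with per-object least privilege, then monitor usage against a per-user baseline) as one added, end-to-end Python example. This is not code from the article or from Varonis; the catalogue, user names, ACL entries, log format, thresholds and log lines are all constructed for illustration, and the anomaly rules (denied attempt, never-before-seen sensitive object, read volume above the baseline) are one simple way of doing what the paragraph describes, not the author's method.

```python
"""Toy data-centric Zero Trust pipeline: classify, default-deny, monitor.

The catalogue, ACL entries, user names and log lines are constructed for
illustration; the log format "<day> <user> <path>" is hypothetical.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Step 1: data catalogue. Labels attach to the object, not to a share or department.
CATALOGUE = {
    "/finance/payroll_2024.xlsx": "sensitive",
    "/finance/budget_summary.pptx": "internal",
    "/hr/employee_records.csv": "sensitive",
    "/marketing/brochure.pdf": "public",
}

# Step 2: per-object allow-lists. No entry means no access (default deny).
ACL = {
    "/finance/payroll_2024.xlsx": {"payroll_clerk", "hr_admin"},
    "/finance/budget_summary.pptx": {"payroll_clerk", "fin_analyst"},
    "/hr/employee_records.csv": {"hr_admin"},
    "/marketing/brochure.pdf": {"payroll_clerk", "fin_analyst", "hr_admin", "intern"},
}


def classify(path):
    """Catalogue label for a data object; anything unknown is 'unclassified'."""
    return CATALOGUE.get(path, "unclassified")


def is_allowed(user, path):
    """Default deny: access needs an explicit entry for this exact object."""
    return user in ACL.get(path, set())


# Step 3: monitoring. Constructed access log; d1-d3 form the baseline, d4 is reviewed.
LOG = """\
d1 payroll_clerk /finance/payroll_2024.xlsx
d1 payroll_clerk /finance/payroll_2024.xlsx
d1 hr_admin /hr/employee_records.csv
d2 payroll_clerk /finance/payroll_2024.xlsx
d2 hr_admin /hr/employee_records.csv
d3 payroll_clerk /finance/payroll_2024.xlsx
d3 payroll_clerk /finance/payroll_2024.xlsx
d3 payroll_clerk /finance/payroll_2024.xlsx
d3 hr_admin /hr/employee_records.csv
d3 intern /marketing/brochure.pdf
d4 payroll_clerk /finance/payroll_2024.xlsx
d4 payroll_clerk /finance/payroll_2024.xlsx
d4 payroll_clerk /finance/payroll_2024.xlsx
d4 payroll_clerk /finance/payroll_2024.xlsx
d4 payroll_clerk /finance/payroll_2024.xlsx
d4 payroll_clerk /finance/payroll_2024.xlsx
d4 hr_admin /hr/employee_records.csv
d4 hr_admin /finance/payroll_2024.xlsx
d4 intern /hr/employee_records.csv
"""


def parse_log(text):
    """Split log text into (day, user, path) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def audit(events, baseline_days, review_day, min_delta=2):
    """Findings for review_day, judged against each user's own baseline.

    Checks: (1) any access the ACL denies; (2) a sensitive object the user
    never touched during the baseline; (3) sensitive-read volume above
    mean + 3*stdev of the baseline days, with a floor of min_delta extra
    reads so a flat baseline (stdev 0) does not flag every small change.
    """
    findings = []
    reads = defaultdict(lambda: defaultdict(int))  # user -> day -> sensitive reads
    baseline_objects = defaultdict(set)            # user -> sensitive paths in baseline
    review_objects = defaultdict(set)              # user -> sensitive paths on review day
    for day, user, path in events:
        if not is_allowed(user, path):
            findings.append(("denied", day, user, path))  # every denied attempt is a finding
            continue
        if classify(path) != "sensitive":
            continue
        reads[user][day] += 1
        if day in baseline_days:
            baseline_objects[user].add(path)
        elif day == review_day:
            review_objects[user].add(path)
    for user, objects in review_objects.items():
        for path in sorted(objects - baseline_objects[user]):
            findings.append(("new_object", review_day, user, path))
    for user, per_day in reads.items():
        base = [per_day.get(d, 0) for d in baseline_days]
        threshold = mean(base) + max(3 * pstdev(base), min_delta)
        today = per_day.get(review_day, 0)
        if today > threshold:
            findings.append(("volume", review_day, user, today))
    return findings


def run_demo():
    """Audit the constructed log with d1-d3 as the baseline and d4 under review."""
    return audit(parse_log(LOG), baseline_days=("d1", "d2", "d3"), review_day="d4")


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

Running it yields three findings on d4: the intern's denied attempt on the HR records, hr_admin reading the payroll file for the first time even though the ACL permits it, and payroll_clerk's six reads against a baseline of 2, 1 and 3 per day. hr_admin's two sensitive reads on d4 are not flagged, because the floor keeps a flat baseline from turning every extra read into an alert; in practice the baseline window would be weeks rather than days and the features richer than a daily count, but the shape is the same.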

Zero Trust is the future

There are many benefits to implementing Zero Trust properly, which is why it has become so popular in cybersecurity. The first advantage is that it supports a more remote workforce, at a time when modern office dynamics are being redrawn by cloud applications and remote working. The greater visibility into networks and systems that results from a Zero Trust approach is also extremely helpful when deciding on the optimal security strategy. While all data should ideally be protected to the maximum extent feasible, organisations can prioritise the allocation of resources to especially sensitive data. This granular understanding also makes organisations more agile and better able to respond promptly to regulatory changes and compliance requirements.

It is clear that Zero Trust offers many advantages as a cybersecurity approach when done properly. Built on a foundational understanding of an organisation's data landscape, it is a strategy better suited to dealing with the increasing sophistication of attacks, which are now a complex weave of hardware, software and social engineering exploits.
