“Don’t Trust Implicitly, Always Check” is the New Security Mantra
By Surendra Singh, Senior Director & Country Manager (India), Forcepoint
1.25 billion people registered in Aadhaar, the government’s unique digital identification initiative, and accessible to government and financial agencies for online verification; A whopping 950 million plus active wireless subscribers in India; All schools in India to receive free Wi-Fi; Digitization of all citizen-centric services and social sector scheme… In a country of more than a 1.3 billion people where government and private sectors are following an aggressive digitization agenda, how do you protect cyberattacks from happening in a system that is accessed by hundreds of thousands of people?
In comes the concept of Zero Trust, which is based on rigorous verification of the identity of each person or entity that attempts to access network resources, from within the company perimeter or remotely.More of a security philosophy than a piece of technology, this innovative approach can be described as “don’t implicitly trust, always check”, unlike the traditional security models which are based on “trust, but check”.
Advantages of checking identity before giving user access
The main advantage of using an architecture that does not implicitly trust users is total protection of the network, both from outside threats and from those inside the network. Traditional security models, such as Defense in Depth, focus protection on the perimeter of the network, but this approach is now ineffective for modern companies where most violations occur internally. The exfiltration of data is very simple if you already have access to the network, which is why this approach allows you to inhibit access until users are verified and clearly identified.
Furthermore, this type of architecture also guarantees greater protection of data that is located outside the network: in fact, companies are increasingly deciding to store sensitive information in the cloud. Turning attention away from the perimeter and focusing on identity verification gives such networks that allow access to only trusted users the ability to protect data no matter where it is located.
Basic principles of a network that does not allow implicit access
There are several technologies and best practices which can be used to build a network architecture that works on the principle no user should ever be trusted, unless verified first:
• Access with minimal privileges, which means only allowing users access to the information they strictly need. This reduces the paths generally used by malware and scammers and reduces the chances of internal data exfiltration
• Micro-segmentation divides a network into separate segments with different login credentials. This increases protection and prevents criminals from infiltrating the entire network even if one of the segments is violated.
• Multi-factor authentication (MFA) requires two or more methodologies to prove that the user is really who he claims to be. The use of an MFA tool provides reliable identity verification, which is essential for any no-implicit trust-based model.
• Risk-adaptive safety checks are necessary in order to analyze the behavior of people or entities and identify potentially risky activities in (close to) real time. Gartner calls this Continuous Adaptive Risk and Trust Assessment (CARTA).
How to implement a zero implicit trust architecture
It is possible to approach this new security model in various ways, but there are fundamental assessments that all companies will need to do if they want to adopt an efficient zero implicit trust architecture, such as:
• Consider adding all the necessary technologies and tools to existing equipment
• Next generation firewall: it is essential to have adequate tools that provide network protection, decode traffic and that help with micro-segmentation.
• Risk-adaptive security tools: To apply adaptive controls, you need to have all the tools you need.
• Multi-factor authentication: there are different options and suppliers of MFA, however it is vitally important to choose the one that best suits the needs of your company.
• Understand the real access needs: it is necessary to establish precisely which data each user can access, in order to grant the minimum access privilege and limit possible risks.
• Corporate culture: both at a general and granular security level, corporate culture is crucial for the effectiveness of any security model adopted. In the case of a zero implicit trust model, in which both external and internal threats are assessed, a knowledgeable and informed workforce is the key to success.
COVID-19 accelerated digital acceptance and absorption at a global level bringing with it a different level of cybersecurity issues. Where earlier remote-work used to get split votes, it has now become an accepted norm. Financial e-transactions have become more of a necessity than an accessory. Online education has increased the risk of children being subjected to cyber frauds. There is, therefore, no better time than now for organizations to look at a zero implicit trust model to secure their networks, data and users.
