Adoption Of Zero Trust Policy in times of COVID-19

Zero trust

Remote work has taken over all parts of the world for everything apart from essential services due to COVID-19 pandemic. The businesses which previously were reluctant to provide remote work opportunities, now don’t have a choice. As far as possible, companies have to run even if it is with the newer definitions of normal that are coming about.

But, because of the previous reluctance towards remote work, several organizations have been thoroughly underprepared. There have been inadequate security measures beyond firewalls and antivirus. We now have most businesses working from home. But, what has been compromised in the process?

Are there newer security loopholes? Are personal devices used for business safe? Are the employees well aware of social engineering attempts? Are their access being granted for the sake of it with no detailed list of who has access to what? Most importantly, will it give your security professionals a headache to figure out the answers to all of this?

Irrespective of how chaotic or organized your transition to work from home may have been, some loopholes will exist in the process. One security model that can take your business security from uncertain to trustworthy is the zero trust security model.

Zero trust model – the remote work accelerator

Zero trust security has been around for quite some time. It is often met with apprehension because zero trust stands for – “always verify, never trust”.

This often gets some eyes rolling because primarily organizations are still under the impression that external threats are the only cause of worry.

The truth, however, is the polar opposite. Internal threats are cause for 60% of attacks, according to The IBM 2018 X-Force Threat Intelligence Index.

Even if we were to assume that external threats are the only cause of worry, what happens when these “external threats” wriggle their way into the internal networks? Due to the limited or no friction to access data internally, a hacker could easily spend months sniffing through your sensitive applications, and you wouldn’t even get a whiff of it.

These are troublesome on a typical day. But, when there is a global situation causing businesses to stand still, the opportunities for a hacker are higher.

Here are some instances that have likely been the reality of the sudden shift to working remotely:

  • You weren’t prepared to carry out all parts of your business digitally. You did not have the infrastructure to equip your employees with enough devices to work remotely.
  • There is a lack of clear communication, as one cannot go up to someone’s desk for a particular task. This leads to situations were accesses are rubber-stamped, for the sake of the task at hand. Or there is a long history of shadow IT, where someone with IT admin-level access has been approving accesses, and the IT isn’t aware of it. This leads to IT remaining oblivious to many accesses, which could easily fall into the hands of a bad actor.

These two instances sufficiently explain the loopholes that can exist if remote work is not carried out with security at its top priority.

Due to the lack of devices, employees may even use their own devices. These might lack security precautions, unlike the secure devices handed over by IT. Employees might use their mobile phones for business applications. The applications on these devices might not have received regular security patches. VPN can only provide limited security when you consider the large spectrum of possibilities for a bad actor.

These drive the need, now, more than ever, to imbibe a solution such as Zero Trust Security.

Zero trust is actually quite simple. You verify every access, assume that no access is coming from a secure network. While this might sound intimidating, it is important to note that the “identities” in a network are not just of humans anymore. It is of machines, servers, containers, and more. There have been innumerable cases of corporate espionage, internal threats, ransom attacks, and the list is endless. When humans identities are so vulnerable to attacks, then machine identities are all the more vulnerable.

  • Authentication is a crucial part of ensuring the users are who they claim to be. The efficacy of this process can be seen when there are contextual attributes associated with it.
    Context provides answers to these questions:
    Who is the user? Is the user logging in from a familiar device?
    How about the time, IP address, and the number of attempts to log in?
    Are these in alignment with the previously recorded attributes?
    Based on this data, either the authentication is stepped up, or the access is denied altogether. The number of authentication layers can also depend on the sensitivity of the data the user wants to access.
  • It provides access control, be it internal or external. We know now that accesses are authenticated. But, some accesses shouldn’t be allowed at all. With identity management capabilities, the lifecycle management of all users can be streamlined. Every access request goes through a workflow for approval. Once approved, the manager or application admin could regularly get the report of the accesses at a glance. This leaves no room for shadow IT.
  • Ability to enforce least privilege across accesses can be the barrier to stop a bad actor from moving laterally in a network.
    Consider this, a user’s mobile is hacked due to an old application. This device holds credentials for business applications as well. The hacker could easily obtain business data. The sure way of forbidding this is to limit everyone’s access. Even if it’s privileged access, by ensuring least privilege, setting time limits for access, and with routine password changes, the hacker could be left with nowhere to go.

Zero trust policy indeed gets into several nitty-gritty details. But, imbibing some of the important functionalities to prepare yourself for this sudden digital shift better is the need of the hour.

With zero trust, everyone has silos of access. That’s it. Nothing more, and nothing less. These are clearly defined, and you cannot deter from it without making an access request for it.

It is all the more important now when you cannot see your user, to have a network security model that verifies your user for you, at every step of the way, and all the time.

Identity Management solutions like Compact Identity that are built around providing you with zero trust security is the answer to ensure your business is not deterred with security issues at this time.

Further reading:

  1.   Zero Trust Policy-Always Question Before You Allow
  2.  Zero Trust Policy-The People Perspective
  3.  Machine Learning For Zero Trust: How Can It Be Done?
  4.  Overcome The Myths That Surround Zero Trust

Leave a comment

You must be logged in to post a comment.