Is your business at risk by being too 'trusting'?
Is your business at risk by being too 'trusting'?
As organisations continue to implement digital transformation and adopt emerging technologies, it is becoming increasingly difficult to secure their networks against cyberattacks, as the ecosystem in which their critical information resides has become significantly more complex.
The pervasive nature of the internet and the adoption of technologies such as mobility, the Internet of Things (IOT) and edge computing have created new vulnerabilities for corporate networks, necessitating that organisations change their approach to security.
The traditional approach to preventing security breaches, commonly known as the "castle-and-moat" model, assumed the crown jewels (critical data) were safely housed inside the castle (datacentre), and protected by a moat (firewall). Therefore, all users and devices that were authorised to have access to the network were automatically trusted.
However, the landscape has changed to the extent that critical data has moved out of the traditional datacentre and may be hosted in a service provider's datacentre or in a cloud solution, or even in several cloud solutions.
Additionally, edge computing has created a distributed computing platform, making this landscape infinitely more complex, and the advent of mobility means that organisations no longer have a user with a fixed desktop device, logging in from a known application. There could now be a number of users using a number of devices, to access the environment from different networks and different physical locations, at any time.
Consequently, the traditional approach, based on implicit trust, is no longer sufficient to secure critical information. Businesses need to adopt a "zero trust" approach that strips trust from all entities within the organisation and assumes that no user or device can be trusted and must always be verified when accessing the network.
The importance of adopting a zero trust approach becomes apparent in view of the findings of a study by IBM, which states that a single data breach now costs $3.92 million (R57.48 million) on average.
Last year, one of South Africa's major insurance companies suffered a data breach that exposed the personal details of millions of people, while global corporations such as Facebook, LinkedIn and Uber have also been compromised in the past.
The broadened threat landscape has increased organisations' attack surface, as there are now many more ways for cybercriminals to access information. Considering that users' credentials are regularly compromised through phishing, social engineering and malware, organisations can never assume because a device is accessing a particular data set, using an authorised username and password, that the entity performing that task can be trusted.
A zero trust security approach must be designed from the inside out, starting with securing the data, and establishing which systems and users have a reason to access that information. More layers of protection are then added, working outward from that core data set.
Organisations must not only authenticate a device that is accessing their network, but also ensure that the user operating that device is indeed the person authorised to do so. Furthermore, it needs to be established where the device is accessing the network from, and if the credentials, which may be valid, have an authorised purpose for accessing that specific data set.
Within this context, it must also be determined whether the user is acting appropriately when accessing this data. Various technologies can be used for this, including behavioural analytics, which can detect if a user, who generally accesses the network during a particular time of day and from a specific location, is suddenly logging in at a different time, from elsewhere in the world.
Some of the technologies that can enable a zero trust security policy can be purchased from a cloud provider, but there are some pitfalls. The risk to anyone but a large organisation – that has well-qualified and extended IT and security teams – is that they simply do not have the experience and exposure required to define the strategy and the resulting policies.
Using a managed service provider that has broad experience in the attack landscape and can apply this across different industries and different sizes of organisations, with different business purposes, is recommended when adopting a zero trust approach.
A zero trust strategy is different for every organisation, as the attack surface that needs to be protected would be unique to each enterprise. Businesses can gain much value from leveraging a managed service partner who has the depth of skills, breadth of knowledge and the experience and battle scars to achieve the required outcomes.
By Lukas van der Merwe, Specialist Sales Executive: Security, T-Systems South Africa.