In this article, Stacey Dixon teams with ZeroDayLab’s Will Lambert to talk all things Zero Trust, and how we can keep our feet on the ground, even in a world where the cloud is all-encompassing.
We all know the phrase ‘head in the clouds’, and with recent strides in technology, that’s pretty much the case for all of us today, right?
For example, I’m woken each morning by a gentle light and a soft voice, telling me it’s time to get up. When I ask that voice what my schedule looks like for the day, it repeats back the contents of my diary, and even reminds me to pack my umbrella if showers are expected. When I’m finally on the road and remember I’ve left the heating on, I no longer have to turn the car around – I’ve got an app for that.
Before I’ve even started working, I’ve had my head in the cloud more times than I can count. It allows me to interact with my home, manage my life, monitor my health, and it even helps me to drive! When will my wardrobe tell me what to wear? That’d solve a lot of issues.
It’s a Zero Trust Thing
Naturally, letting the cloud assist me with my day means I have to put a lot of trust in the technology that surrounds me. I risk starting my day off badly if my alarm is delayed, or if I get misdirected and hit loads of traffic, or I end up drenched because I didn’t have an umbrella with me.
But this is how a growing number of us are starting to function, with trust seeing us navigate life in the twenty-first century. I’m still awaiting the day I come home to my smart fridge having ordered a thousand blocks of mature cheddar to my door.
With many of these smart devices, the Internet of Things (IoT) is often left with rudimentary security, or nothing at all. Take for example, how many consumers often lack even the knowledge or skills to change the default passwords. That’s not great when freely available tools such as “Default router passwords list” and Shodan can grant even the most novice of hackers intimate access to your network.
Fig 1 – Shodan
So if we’ve constantly got our heads firmly (and trustingly) placed in the cloud, how can we keep our feet on the ground – and keep sensitive data safe?
For many organisations, the zero-trust model is proving to be a popular option, securing technology and data from all potential threats. Yes, it might seem extreme – it was, after all, Josef Stalin who said “I trust no one, not even myself” – but this is the kind of world we live in now. Trust isn’t going to cut it anymore.
The Jammy Dodger Scenario
Let’s rewind a bit before we get into the nitty-gritty of the zero-trust model. Why does it even need to be adopted when there are so many great security solutions available?
The fact is, efforts have been focused too heavily on external threats, rather than the danger posed from within an organisation. For this demonstration, I like to use the Jammy Dodger analogy. If you’re not familiar with Jammy Dodgers, then I urge you to get to a shop, STAT.
With a Jammy Dodger, the two biscuits are smothered in jam, but they only really cover the centre of the biscuit – you can see through the heart, which is fitting for this analogy.
A lot of people dunk Jammy Dodgers, soaking up their tea and nibbling on the outer bits of biscuit, spending a lot of time eating for the sake of it before getting to the really good bit. The outer biscuity area are the external threats organisations concentrate on – the hackers, the malware etc.
But if too much attention is focused there, then the internal threats that come from relying on the cloud (the jammy centre) are missed: disgruntled employees taking customer data to their next role, data being extracted via unsecured public Wi-Fi hotspots, confidential documents being shared externally by accident.
The list goes on and on, and is further supported by Verizon’s 2019 Data Breach Report (Fig 1). Fig 3 of the report shows that errors accounted for 21% of breaches, 15% were via misuse by authorised users, and a whopping 52% accounted for cases of hacking – which would include the provision of fake Wi-Fi which your users may connect to!
Fig 2 – Verizon Data Breach Report 2019 Extract
As we all know, a move to the cloud is something that many organisations are progressing towards. This is mainly due to the numerous cloud benefits on offer, availability, and redundancy.
However, a 6 month study by Proofpoint showed that 72% of cloud tenants were targeted in attacks, and a further 40% had at least one compromised account. This compromise most likely led to Business Email Compromise (BEC) scams, with the FBI reporting losses exceeding $2.7 billion in 2018 – more than double from 2018’s $1.2 billion reported losses.
Of course, you might just think it’s as obvious as securing things and leaving to our CISOs, GDPOs and CTOs to deal with. Unfortunately, it’s easier said than done: it’s a tangled web of delicate threads that could affect functionality and productivity, and must operate within a restrictive budget.
Zero Trust cuts through that web and takes no prisoners in doing so.
What is Zero Trust?
It’s time for that nitty-gritty I mentioned.
With Zero Trust networks or architecture, we trust nothing and no one. We put up a big gate and we question everyone that wants to come through it. If they don’t fit the bill, they aren’t coming in. It’s the ultimate bouncer.
Zero Trust networks look at the devices and users requesting to gain access to organisational data, looking typically at the following:
- IDENTITY – who is the user, where are they, and are they who they claim to be?
- DEVICE – is it in the directory? What type of device is it? How is its integrity?
- POLICY – is the user or the device in line with the organisational policies for security?
- ACCESS PROXY – based on all the criteria above, do we grant this user or device access to organisational data?
What’s even smarter is that it’s not just who or what wants to access data, it’s also how access is being requested into an organisation that is questioned – keeping tabs on suspicious behaviour, which can include geographic location and time of day access. Imagine that bouncer picking out a particularly shifty-looking bloke trying to get in through a window. He’s not getting in.
Waging War on a Diminished Perimeter
Part of the reason why simply securing things is proving too complex is because older perimeter-based network defences are a thing of the past. We’re now mobile and more connected than ever, which just makes the question of who or what to trust far more difficult to answer. What if a device is trustworthy one day, then compromised the next? What if a sophisticated social engineering scam gets its hooks into your team?
Quite frankly, the frontline is down, we’re outflanked by threats from all sides, and it’s time to adopt defence in depth. Get out the war paint, spread your defences, and prepare to add Zero Trust to your arsenal: a new golden era is waiting once you’ve brushed away diminished perimeters.
Keeping Our Feet on the Ground
With Zero Trust demanding specific criteria to permit access devices and data, I can enjoy using the cloud without worrying that somebody will connect their device and turn my heating up to maximum, or tell my car to send me on a wild goose chase when I nip to the shops.
For organisations, the benefits are even greater. They can progress using the cloud with confidence, safe in the knowledge that each access request is being scrutinised in depth. It’s a relief to know we can enjoy the cloud and everything it has to offer, without leaving planet Earth and opening ourselves up to attacks.
If you’ve already invested in Microsoft Enterprise and Security (EM+S/M365 E3,E5) then you already have everything you need to achieve a Zero Trust network. If, however, you find yourself drowning under lots of different solutions that are costing a small fortune and spreading control over multiple portals, then it might be time to stop treading water and put your feet on the ground with Microsoft EM+S.
Basement Jaxx once questioned ‘Where’s your head at?’. Well, my head’s in the cloud – so is yours and eventually everybody else’s. Fortunately, that doesn’t have to be a bad thing.
If after reading this you feel you may have started to lose your footing, or you think you’ve regained control but you’re interested in what the Zero Trust model could do for you organisation, get in touch with our team to talk things through.
Will Lambert CISSP is the Pre/Post Sales Cyber Security Consultant for ZeroDayLab Ltd – they’re contactable here.