Summary from Okta Digital Boardroom - Tuesday 29th September 2020
While the idea of Zero Trust is not a new concept, it has not been fully explored and adopted by a large number of organisations, and those who are in the process of doing so are at different stages of their journey: some are just beginning to discuss it and get the foundations in place, while others have spent years trying to perfect the process.
There is still a great deal unknown, and little discussed or written, about Zero Trust, so in general what people working on it are keen to hear about are instances where it was carried out correctly and how it works now, and times when things have failed, so that people can learn not to make the same mistakes, know what to look out for, and build those lessons into their own plans.
We used to architect networks fundamentally differently, focusing on a hardened outer shell around the network. You had the internet, a firewall, internal and external zones, and various web and database servers. This worked for a while, because a computer could not physically connect to our network unless we allowed it to be plugged in, and if you were in, you were inherently trusted.
Back then, all it would have taken to bring that down was one bad actor. For years the focus was physically getting past receptionists to plug into networks. Then, when Wi-Fi arrived, this became easier, as networks often weren't secured properly, and so all anyone had to do was sit in the car park and try to access the Wi-Fi.
The password we use to get into a network will be the same password we have used 200 times to log in at a coffee shop. If the coffee shop's Wi-Fi is compromised, that puts your company's security at risk, as your personal information can be taken, used and sold. As scary as it sounds, this is a very common practice today. Attackers won't target anyone specifically, but they will try their luck anywhere that could result in a gain for them.
Twenty years ago you would never have expected to move your most important data and documents out from behind your firewall and into the cloud, but that is what has happened; we are starting to accept that sometimes other people can do some things better than us.
Then the introduction of the smartphone showed that technology can be easy, attractive and something you want to use. However, there are still things that smartphones cannot do. There are things you can apply, but they drain your battery life, and so having APIs on top of apps on top of devices has made things much harder to secure and much more complex.
We have APIs and apps consumed on devices we don't trust, written by developers we don't always trust, hosted on systems we don't trust, run by other departments we don't necessarily trust, on servers we don't control, and we are still expected to get the job done. And if something does get hacked, the blame is often placed on the wrong people. We need to acknowledge that the 'perimeter' is gone and will not come back at the same level again. As a concept this can be quite challenging for people. It has been the case for a long time, but we don't like to admit it.
Another issue is that all your groups (employees, customers, partners, contractors and so on) start to look quite similar; there isn't a standard set of rules you can apply, and there are known and unknown risks. So it all boils down, ironically, to trust: how you think about it, revoke it, measure it and so on. The consequences of getting this wrong are huge, but getting it right can bring huge benefits as well.
There are four pillars to consider in terms of how to adapt to this:
- Context is key: what credentials do they have? Look at their past behaviour, use common sense and patterns around login habits, devices and locations, and use third-party data and applications to track activity, especially with the rise of bots, which can be harder to spot
- An open platform: let your security tooling learn context and understanding from within your business via webhooks
- Connectivity: no one vendor, technology or stack connects it all together. With open standards and protocols, attacks can be identified before they happen and trust can be earned back after an issue
- The network effect: when one of us is being attacked, how many attacks occurred nearby before they tried attacking you? Through what is effectively a 'neighbourhood watch' scheme, we can identify trends and protect each other before things happen
We can adapt and change our security posture, as over time things do change and we need to react. If things go wrong, we can grant and revoke trust, and we can be proactive rather than reactive, protecting our customers and staff before there is a threat, since there will always be a threat.
Where are you on your Zero Trust journey? What do you see as your next step?
Most organisations will be at different stages of their journey, but the questions and concerns most will have, around what comes next and what to look out for, will be the same. A major concern, drawing on the pillar that context is key, is understanding the right context to use in the case of global companies with employees who could be working around the clock. And while locking people out is easy, locking out the wrong people can be problematic.
It is important, then, to understand the business fully in all aspects, so as to refine your rules and policies to suit different departments, locations and those working in different time zones at unsociable hours, and to learn when it is appropriate or necessary to use privileged access management or measures such as MFA: enough for security, but not so much that you alienate your employees, especially senior executives.
Obviously, while the COVID-19 outbreak is ongoing and people continue to work remotely, security is a key issue, as employees are working outside the company bubble. And while some Zero Trust measures may be in place to help secure home networks through VPNs, keeping track of and monitoring employee behaviour can help develop user-group rules and location-based policies, and help ensure the correct resources are available at the appropriate times to react to potential issues.
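The "context is key" pillar and the discussion of per-department, per-location and per-time-zone policies above both describe the same mechanism: weigh the signals around a login (device, location, time of day, recent failures, the user's role) and decide whether to allow, step up to MFA, or deny. The following is an added example of such a contextual policy evaluator; it is not Okta's code and not material from the boardroom session. Every user, device identifier, country, weight and threshold in it is constructed for illustration, and the "managed device" flag stands in for whatever device-posture signal an organisation actually has. The point it shows beyond the text is the false-lockout problem: working hours are judged in each user's own time zone, so a day-shift login from Tokyo at 02:00 UTC is not treated as suspicious, while a privileged account gets a lower step-up threshold than a standard one.

```python
"""Contextual access decision: ALLOW, step-up MFA, or DENY.
Added example; all profiles, devices, weights and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class UserProfile:
    user_id: str
    department: str
    home_utc_offset: int                 # hours from UTC where the user normally works
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    privileged: bool = False             # admins / senior roles: lower step-up threshold


@dataclass
class LoginContext:
    user_id: str
    device_id: str
    country: str
    when_utc: datetime
    device_managed: bool                 # assumed device-posture signal (enrolled / attested)
    failed_attempts_last_hour: int = 0


# Constructed weights and thresholds; a real deployment tunes these per department.
WEIGHTS = {"unknown_device": 2, "unmanaged_device": 2, "unusual_country": 3,
           "off_hours": 1, "failed_burst": 3}
DENY_AT = 6
MFA_AT = {"default": 3, "privileged": 1}


def risk_signals(profile: UserProfile, ctx: LoginContext):
    """Return the (signal, weight) pairs that fire for this login."""
    fired = []
    if ctx.device_id not in profile.known_devices:
        fired.append(("unknown_device", WEIGHTS["unknown_device"]))
    if not ctx.device_managed:
        fired.append(("unmanaged_device", WEIGHTS["unmanaged_device"]))
    if ctx.country not in profile.usual_countries:
        fired.append(("unusual_country", WEIGHTS["unusual_country"]))
    # Judge working hours in the user's own zone, not the SOC's, so a Tokyo
    # day-shift login at 02:00 UTC is not mistaken for off-hours activity.
    local_hour = ctx.when_utc.astimezone(
        timezone(timedelta(hours=profile.home_utc_offset))).hour
    if local_hour < 6 or local_hour >= 22:
        fired.append(("off_hours", WEIGHTS["off_hours"]))
    if ctx.failed_attempts_last_hour >= 5:
        fired.append(("failed_burst", WEIGHTS["failed_burst"]))
    return fired


def decide(profile: UserProfile, ctx: LoginContext):
    """Map accumulated risk to a verdict; returns (verdict, score, fired signal names)."""
    fired = risk_signals(profile, ctx)
    score = sum(w for _, w in fired)
    mfa_at = MFA_AT["privileged" if profile.privileged else "default"]
    if score >= DENY_AT:
        verdict = "DENY"
    elif score >= mfa_at:
        verdict = "MFA"
    else:
        verdict = "ALLOW"
    return verdict, score, [name for name, _ in fired]


# Constructed directory: a London finance user, a Tokyo support user, a London admin.
SAMPLE_PROFILES = {
    "alice": UserProfile("alice", "finance", 0,
                         known_devices={"LAPTOP-A1"}, usual_countries={"GB"}),
    "kenji": UserProfile("kenji", "support", 9,
                         known_devices={"LAPTOP-K7"}, usual_countries={"JP"}),
    "root-admin": UserProfile("root-admin", "it", 0,
                              known_devices={"LAPTOP-R9"}, usual_countries={"GB"},
                              privileged=True),
}


def evaluate_event(user_id, device_id, country, when_iso, managed, failed=0):
    """Evaluate one login described by plain values (ISO-8601 UTC timestamp)."""
    ctx = LoginContext(user_id, device_id, country,
                       datetime.fromisoformat(when_iso), managed, failed)
    return decide(SAMPLE_PROFILES[user_id], ctx)


# Constructed login events covering the cases discussed in the text.
SCENARIOS = [
    ("alice", "LAPTOP-A1", "GB", "2020-09-29T10:00:00+00:00", True, 0),
    ("kenji", "LAPTOP-K7", "JP", "2020-09-29T02:00:00+00:00", True, 0),   # 11:00 in Tokyo
    ("alice", "PHONE-X", "GB", "2020-09-29T10:00:00+00:00", False, 0),
    ("alice", "PHONE-X", "US", "2020-09-29T23:30:00+00:00", False, 6),
    ("root-admin", "LAPTOP-R9", "GB", "2020-09-29T23:00:00+00:00", True, 0),
]

if __name__ == "__main__":
    for args in SCENARIOS:
        verdict, score, why = evaluate_event(*args)
        print(f"{args[0]:<11} {verdict:<5} score={score:<2} {', '.join(why) or 'no signals'}")
```

The additive score is deliberately simple so that each verdict is explainable to the user who was challenged, which matters when the goal is to avoid alienating staff; the signals worth adding next are the ones the text points at, such as past-behaviour baselines and third-party bot-detection feeds.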
With regard to changing or updating current apps, these can be broken into three groups: the easily replaceable apps, the copy-and-paste-to-the-cloud apps, and the old and obsolete apps. It is believed that on average an organisation will only use between 5 and 15 apps on a regular basis. These are therefore clearly the ones to focus on, regardless of the work involved, while also being mindful of the quick wins that boost morale and productivity.