The cloud has changed the way we work, but it has also changed how we approach cybersecurity. Microsoft Security conducted a survey of more than 500 security professionals to understand the top concerns of chief information security officers (CISOs). Their responses won’t come as a surprise:
- 61% of security leaders believe the cloud is their organisation’s most vulnerable digital feature.
- 45% of security professionals identify email and collaboration tools as the aspect of their organisation most susceptible to attacks.
- Two-thirds argue that hybrid work has made their organisations less secure.
One thing is clear. More than ever, work takes place in hard-to-protect environments, beyond the traditional perimeter and across different platforms, cloud apps, personal devices, and home networks. It’s unsurprising that so many security leaders believe this has made their businesses and operating environments less secure.
What is particularly interesting is that in today’s security threat landscape, knowledge is power. Acknowledging your cyber vulnerabilities is not a weakness. If anything, Microsoft’s studies reveal a large overlap between a mature security posture and an understanding of vulnerability. This understanding elevates security to a strategic business function and acknowledges the likelihood of a significant cyberattack. The goal is not to reduce the number of attacks. Sophisticated cybercrimes will continue to plague organisations of all sizes. However, it is possible to significantly reduce the impact of an attack.
This is where Zero Trust principles come into play.
According to the Microsoft Digital Defense Report, organisations that embrace Zero Trust principles are able to restrict the extent of damage caused by cyberattacks. This is because Zero Trust makes it much harder for threat actors who have infiltrated a network to gain access to multiple mission-critical systems. They are less likely to travel across networks and locate valuable data to encrypt and exfiltrate.
How does this work? Zero Trust is essentially a security model and framework that operates on the principle of ‘never trust, always verify.’ This approach is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.
Traditional security models often operated under the assumption that everything inside an organisation’s network perimeter should be trusted. Once you were in, you were in. This approach has become both outdated and risky, first because threats can often come from inside the network, but also because modern environments are increasingly hybrid and multi-cloud, extending beyond the traditional network perimeter.
Zero Trust addresses these challenges by essentially assuming that trust is a vulnerability. Here are some of its key principles and concepts:
- Verify explicitly: Always authenticate and authorise, regardless of where the access request comes from. This means that even if a user or system is inside the corporate network, they should not be automatically trusted.
- Least privilege access: Grant users and systems only the access they need, and nothing more. This limits the potential damage that can be done in the event that a user account or system is compromised.
- Microsegmentation: Divide the network into smaller, isolated segments. This way, if a breach occurs, the threat is contained to a small segment and can’t easily move laterally through the network.
- Multi-factor authentication (MFA): Use multiple methods to verify the identity of users, such as something they know (password), something they have (smartphone), and something they are (fingerprint).
- Use of analytics and AI: Employ analytics and artificial intelligence (AI) to monitor network traffic and user behaviour, so that abnormal behaviour can be detected and potentially malicious activity can be blocked.
- Continuous evaluation: Rather than just checking credentials at the point of entry, Zero Trust calls for continuous evaluation of the context and risk factors, and adjusting access controls accordingly.
- Data-centric security: Focus on protecting data itself through encryption and other means, not just the perimeter where data resides.
- Visibility and analytics: Centralise the monitoring of network traffic and user behaviour, and use advanced analytics to detect unusual patterns that might indicate a security threat.
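The principles above can be expressed as a single access decision. The following is an added, constructed example (not Microsoft’s code or any product’s policy engine) that evaluates a request against explicit verification, least privilege, microsegmentation, and a continuously updated risk score; the policy table, resource names, and threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass
class Request:
    user: str
    roles: FrozenSet[str]
    resource: str
    action: str
    mfa_passed: bool          # strong authentication completed for this session
    device_compliant: bool    # endpoint meets the compliance baseline
    inside_corp_network: bool # recorded, but deliberately grants nothing
    risk_score: float         # 0.0 (benign) .. 1.0 (hostile), from behaviour analytics
    segment: str              # network segment the request originates from

# Constructed least-privilege policy: each resource lists the (role, action) pairs
# explicitly granted to it and the segment(s) from which it may be reached.
POLICY = {
    "payroll-db": {"allowed": {("finance", "read")}, "segments": {"finance-seg"}},
    "wiki": {"allowed": {("staff", "read"), ("staff", "write")},
             "segments": {"corp-seg", "finance-seg"}},
}
RISK_THRESHOLD = 0.7  # assumed cut-off above which the session must re-verify

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny; location alone never grants trust."""
    entry = POLICY.get(req.resource)
    if entry is None:
        return False, "unknown resource: default deny"
    # Verify explicitly: the same checks apply inside and outside the corporate network.
    if not req.mfa_passed:
        return False, "MFA required regardless of network location"
    if not req.device_compliant:
        return False, "device not compliant"
    # Least privilege: a role must be explicitly granted this action on this resource.
    if not any((role, req.action) in entry["allowed"] for role in req.roles):
        return False, "no role grants this action"
    # Microsegmentation: the resource is reachable only from its own segment(s).
    if req.segment not in entry["segments"]:
        return False, "cross-segment access blocked"
    # Continuous evaluation: analytics can revoke an already-authenticated session.
    if req.risk_score >= RISK_THRESHOLD:
        return False, "risk score too high; session requires re-verification"
    return True, "allowed"
```

Each denial reason maps back to one principle, which is the information a SOC analyst wants in the audit log when a request is blocked.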
Getting started on your Zero Trust journey
As most security leaders know, data breaches are no longer a matter of ‘if’, but ‘when’ and ‘how bad’. There is no better time to begin a Zero Trust journey than right now. This requires a holistic strategy that takes technology, procedures, and organisational culture into account. Start with a thorough understanding and mapping of your organisation’s environment to understand data flows, pinpoint critical assets, and identify the interplay between different elements of the organisational landscape.