Many companies that have long been reluctant to modernise their information security architecture are now having their hand forced. Tech debt chickens are coming home to roost, and they are rushing to upgrade their systems to handle the increase in remote traffic and unique devices now connecting.
In the cyber-security world, the old perimeter or walled model of putting a firewall around an internal network and regulating traffic is defunct, now that Ron from accounts is accessing his company systems using his sister’s dodgy malware-riddled laptop connected to an old WEP router in a Brunswick coffee shop.
Zero-Trust Architecture is one security model which is oft-criticised as a “nice idea” in a perfect world but “not practical”, “too expensive” and “difficult to implement”.
For those unfamiliar, a zero-trust architecture gets rid of the concept of an “internal network” and a firewalled perimeter. The concept allows a user based anywhere to access company assets, but only the bare minimum they need to perform their job.
Put simply, zero-trust architecture is enabled by using a user’s identity as the key security control, instead of complicated firewalls, remote access, network zones and troves of exceptions. Because access is controlled by identity, the potential impact of a breach is limited by the access a user has and is easier to trace.
This model is in many ways similar to how we as a society are approaching this pandemic, and the following outlines a few of the parallels between the two.
“R₀” vs Attack Surface
As Ron has been explaining to you during the weekly Zoom catch-up (after he watched a video he saw on Facebook), the R₀ value (pronounced R naught) in virology is the basic reproduction ratio or rate of the virus – how many other people will get sick if one person has the virus?
- For an R₀ > 1, we will see a spread of the virus throughout the population.
- For an R₀ < 1, the number of infected people will decrease faster than the fame of a reality TV show winner (bonus points if you can remember who Reece Mastin is…)
In a traditional perimeter-based security scenario, once an attacker has PWNED one user, the “R₀” value is high, because the attacker now has the ability to exploit the large attack surface, which includes multiple internal vulnerabilities and typically a high or total degree of access within the “safe” network.
For example, most small to medium-sized companies have a centralized shared drive of information. This often contains client lists, user information, accounts, and financial data which is often secured incorrectly, or not at all.
In a zero-trust world, a user is only able to access that which they have explicitly been given permission to access, innately limiting the spread of the attacker throughout the company network. Attackers no longer have the opportunity to exploit internal vulnerabilities (you know, the ones that IT/management didn't prioritise patching for) and have far fewer opportunities to gain access to other user credentials or low-level system access.
Contact tracing / Digital Forensics
One of the key methods we use to defend our society in a pandemic is testing and contact tracing. If we know who is infected, we can very quickly find out who else might also become sick and a risk to others, allowing us to implement social distancing and isolation measures, reducing the chance of transmission.
This is similar to how digital forensics helps us to limit the spread of an attacker throughout our systems. If we can identify how the system was compromised, and through which path the attacker was able to access our systems, we can rapidly identify the actions the attacker has taken on the network and contain the damage.
Under the old perimeter access model, it can be a very difficult, expensive, and time-consuming task to identify and trace an attack that comes from inside the “safe” network:
- How do we find the compromised account (Patient Zero)?
- How long has the attacker been in our network (how long has Patient Zero been sick)?
- What actions have they taken during that time (who has Patient Zero been in contact with)?
It is often difficult and time-consuming to identify which account or device was initially compromised, when it was compromised, and then to see which actions have subsequently occurred on the system, particularly if the internal traffic is not logged accurately.
To further complicate matters, users often have access to multiple different accounts – an Active Directory account, Dropbox account, ServiceNow account, etc. When an attacker gains login details, it can take time to disable all of these, slowing down the response time and increasing the chance for more damage (or viral transmission) to occur.
In a zero-trust model, the Identity of the user is tied to what they can access (the magic of federated identity and single sign-on), meaning we can easily identify Patient Zero and trace all actions under the compromised account to see what nefarious activity has occurred.
From this, we can easily see the totality of access that the compromised account has. This means we can shut down any other linked services immediately, allowing much faster response times and less chance of a secondary breach.
Much like test kits and lab services, digital forensics is expensive and can result in network downtime and lost productivity while the investigation runs, so there is a direct benefit to the business bottom line in reducing the need for services of this nature.
Operational Elasticity / Smart Authorisation on a day-to-day basis
Many of us have been adapting to working from home over the last few months. Working day-to-day in our pyjamas and hilarious selfies with animal “work colleagues” aside, businesses have been identifying new ways that they can operate with a workforce that is spread out and often working different hours.
Many businesses have found that an expensive centralized office is perhaps not as essential as once thought (I feel the recruitment industry is one of those).
Operational flexibility and adaptability are now king, and many of the same technologies that have allowed us to do this so effectively (cloud services, SaaS, remote access) are the exact same technologies that will allow us to move from a perimeter-based model to an Identity/zero-trust model.
In a zero-trust model, Identity becomes the key control, so the important factor is getting that right and limiting what each user can access accordingly. You need a single source of truth, and you need strong (multi-factor) methods to confirm that the real person is using their digital identity.
Modern “smart authorisation” sign-on methods such as SSO, backed up by multi-factor authentication, are already utilised effectively in many organisations to allow system access in this way.
Smart authorisation allows us to proactively identify strange login attempts, allowing us to catch attacks or compromised accounts before they propagate internally.
If Ron from accounts usually logs in from a Melbourne IP between 8 am and 10 am each day, it is quite easy for the system to identify a strange login attempt from overseas at 2 am, flag it as suspicious, and require further authentication factors and/or investigation.
This helps give internal cyber-security teams a head-start on preventing unauthorised access and limiting the potential damage. It would be like having a pandemic response specialist on call at the site of a viral outbreak, giving you advanced warning so you can nip it in the bud.
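The Ron-from-accounts rule above, written out as an added example (not code from the article or any particular SSO product): a per-user baseline of sign-in countries and hours is built from constructed history, and each new sign-in is compared against it to decide between allowing, stepping up to MFA, or stepping up and alerting the security team. Timestamps are assumed to already be in the user's local time zone.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in history (not from the article): user, local timestamp, source country.
# Timestamps are assumed to already be in the user's local time zone (Melbourne for Ron).
HISTORY = [
    ("ron", "2020-05-04T08:12:00", "AU"),
    ("ron", "2020-05-05T09:40:00", "AU"),
    ("ron", "2020-05-06T08:55:00", "AU"),
    ("ron", "2020-05-07T09:05:00", "AU"),
]


def build_baseline(events):
    """Per user, record the countries seen and the login hours observed."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": []})
    for user, ts, country in events:
        hour = datetime.fromisoformat(ts).hour
        baseline[user]["countries"].add(country)
        baseline[user]["hours"].append(hour)
    return baseline


def score_login(baseline, user, ts, country, slack_hours=1):
    """Compare one sign-in against the user's baseline and return (action, reasons).
    'allow': nothing unusual; 'mfa': one signal is off, so step up authentication;
    'mfa+alert': several signals are off, so step up and raise a ticket for investigation."""
    profile = baseline.get(user)
    if profile is None:
        # No history at all: cannot judge, so always step up.
        return "mfa", ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    lo = min(profile["hours"]) - slack_hours   # usual window, widened by slack on each side
    hi = max(profile["hours"]) + slack_hours
    if country not in profile["countries"]:
        reasons.append(f"country {country} never seen for {user}")
    if not lo <= hour <= hi:
        reasons.append(f"hour {hour:02d} outside usual window {lo:02d}-{hi:02d}")
    if not reasons:
        return "allow", reasons
    if len(reasons) == 1:
        return "mfa", reasons
    return "mfa+alert", reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_login(base, "ron", "2020-05-08T02:00:00", "GB"))
```

A real deployment would feed the same decision into the SSO provider's conditional-access policy and keep the alert path logged for the forensics step described earlier.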
In a post-pandemic world...
All of the tools and systems needed to implement zero-trust architecture exist today, and many companies are already halfway there – they just don’t recognise what they have.
Similar to the tools which have been utilised so effectively to get us through this crisis, zero-trust architecture can be used to keep us secure and safe in a post-pandemic world.
Facilitating this model does not require a complete re-architecture of your infrastructure, it just requires modern security thinking, strong direction and policy from management, and iterative decisions to make it safer and easier for your staff to work anytime, anywhere.
You also need the right person leading the charge, so if you are seeking cyber-security professionals for your business, or just need some advice on your talent strategy, please drop me a message.