zero trust

During this climate of increased cybercrime, the adoption of a Zero Trust mindset can enable companies to become more vigilant and ensure stronger data security.

It’s no surprise that cyber hackers have been taking advantage of the COVID-19 crisis. In fact, researchers from Sentinel Labs found that phishing, ransomware and APT attacks are even more sophisticated now than pre-pandemic. Insider threats are also evolving. Stolen credentials available on the Dark Web open access to enterprise networks, and insider-trading-as-a-service sites encourage insiders to share trading information for a reward.

In these conditions, SMBs more than ever need to minimize insider and outsider risks to avoid costly data breaches that may lead to business closure.

What’s Zero Trust? Zero Trust is a security approach where organizations don’t automatically trust anything that’s inside or outside the network perimeter and instead reliably verify that they know who is requesting access and whether they are authorized to access this particular asset (data, application, etc.) before granting access. And according to recent research by Okta, the number of North American companies in 2020 that have or plan to have a defined Zero Trust initiative has increased by 275% compared to 2019.

However, implementation of these principles may be challenging for the SMB. Tight budgets, lack of human resources to manage Zero Trust transformation and pushback from various teams, including IT, may stand in the way. To avoid loss of productivity and other issues associated with Zero Trust, SMBs need to evaluate potential risks, decide which results they plan to achieve with this approach and choose appropriate measures to fit Zero Trust into their IT environment.

Consider the following steps to ensure a smooth implementation of a Zero Trust model and reduce the risk posed by cybersecurity threats.

1. Conduct Asset Inventory. First, identify all the assets that your SMB has, including tangible assets (e.g., devices) and intangible ones (e.g., apps, systems and data). Ideally, you need to 1) create a document that outlines all types of assets, who is using them and for what purposes, and 2) establish a process to keep the document up to date.

2. Identify Risks and Security Gaps. Analyze your security posture to identify threats that could jeopardize your tangible and intangible assets. Start building a risk assessment matrix and specify whether each risk has an impact on data confidentiality, integrity or availability. Pay attention not only to internal and external risks, but also to security gaps that could make you more vulnerable (e.g., external data sharing settings or excessive permissions). This will help you better understand the potential threats to your business and later choose appropriate measures to mitigate them.

3. Evaluate Probability of Risks and Potential Consequences. Put the information about your risks together and start evaluating them. You will need to develop a matrix where you specify the probability of each risk (high, medium or low), its potential consequences and its costs. This will help you differentiate the most critical risks from less critical ones and decide what you will do with them – mitigate, delegate, or accept.

4. Choose Zero Trust Elements to Implement. Finally, use the information from your risk assessment matrix to build a Zero Trust model according to your business needs. If you are short of resources, choose the most critical risks and implement measures to mitigate these risks. Here are the key areas of Zero Trust that will likely need your attention:

  • Identity Trust. This area includes both users and machines/service accounts. In terms of users, you need to implement more secure authentication methods and verify whether your users are worth trusting. You can do this by implementing multi-factor authentication, auditing data access and regularly reviewing permissions to make sure that users have the bare minimum of privileges needed to do their job. You also need to conduct regular risk assessments to identify insufficiently protected assets and decide which policy settings, permissions or security practices you need to adjust to reduce risk. As to non-human accounts (services, applications, machines, devices), if they are on your network, they cannot be trusted by default. Just like users, systems and applications should use dedicated accounts that can be verified each time a specific process accesses your assets. Any abnormal use of such an account would be a likely indicator of a security breach and should trigger an alert.
  • Data Trust. The main task here is to understand what data you have, and which assets are most critical for your business. Automated data classification is a solution that will enable you to label your data according to its sensitivity and decide which information needs the most protection. It is also critical to enable strong data access governance across data repositories and keep permissions up to date to ensure that only eligible users have access to sensitive data.
  • Transport Trust. Here, you need to keep control over network traffic and make sure that your users and systems have access only to those resources that are specifically required to perform the task at hand. Technologies that help implement this least-privilege access include network segmentation, transport encryption and session protection. Network device security is also very important here. You need to monitor device performance and audit activities around each device (e.g., VPN logon attempts) to detect suspicious changes that may degrade network performance or result in a data breach.
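The Identity Trust and Transport Trust bullets above both end in a detection requirement: alert on abnormal use of a dedicated service account, and audit VPN logon attempts. The following is an added example (not from the original article or from Netwrix) of what such checks look like when run over audit logs; the log line format, the service-account host baseline and the sample events are all constructed for illustration.

```python
"""Example Zero Trust audit checks: service-account anomalies and VPN logon failures.
Added illustration; the log format and baseline below are constructed, not a real product's."""
import re
from collections import Counter

# Constructed baseline: each non-human account and the hosts it is expected to run on.
SERVICE_ACCOUNTS = {"svc_backup": {"backup01"}, "svc_sql": {"db01", "db02"}}

# Constructed sample audit events (syslog-like key=value lines, not a real vendor format).
SAMPLE_LOG = """\
2020-09-01T08:00:01 host=backup01 user=svc_backup type=service result=success
2020-09-01T08:05:13 host=ws-042 user=svc_backup type=interactive result=success
2020-09-01T08:06:00 host=db03 user=svc_sql type=service result=success
2020-09-01T09:00:00 host=vpn-gw user=alice type=vpn result=failure
2020-09-01T09:00:07 host=vpn-gw user=alice type=vpn result=failure
2020-09-01T09:00:15 host=vpn-gw user=alice type=vpn result=failure
2020-09-01T09:00:20 host=vpn-gw user=alice type=vpn result=failure
2020-09-01T09:00:28 host=vpn-gw user=alice type=vpn result=failure
2020-09-01T09:30:00 host=vpn-gw user=bob type=vpn result=success
"""

LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                  r"type=(?P<type>\S+) result=(?P<result>\S+)")


def parse(log):
    """Turn the raw text into a list of event dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE.match(line) for line in log.splitlines()) if m]


def service_account_alerts(events):
    """Identity Trust check: a service account used interactively, or from a host
    outside its baseline, is abnormal use and should raise an alert."""
    alerts = []
    for e in events:
        expected_hosts = SERVICE_ACCOUNTS.get(e["user"])
        if expected_hosts is None:
            continue  # human user, not covered by this check
        if e["type"] == "interactive":
            alerts.append((e["ts"], e["user"], "interactive logon on " + e["host"]))
        elif e["host"] not in expected_hosts:
            alerts.append((e["ts"], e["user"], "unexpected source host " + e["host"]))
    return alerts


def vpn_failure_alerts(events, threshold=5):
    """Transport Trust check: users with at least `threshold` failed VPN logons.
    A coarse signal; a production rule would also bound the time window."""
    failures = Counter(e["user"] for e in events
                       if e["type"] == "vpn" and e["result"] == "failure")
    return sorted((user, n) for user, n in failures.items() if n >= threshold)
```

On the constructed sample, the first check raises two alerts (an interactive logon by svc_backup and svc_sql running on an unlisted host) and the second flags alice with five failed VPN logons.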

What about the cloud?

SMBs that are just starting today or are moving to the cloud can make Zero Trust a part of their planning for the new cloud environment. In a sense, software-as-a-service (SaaS) applications require authentication every time a user accesses them, which makes the transition simpler. You still need to take care of the data and access permissions. As the company grows and requires more complex IaaS or PaaS systems for custom apps, make sure you understand the security features available from your cloud service provider and apply them with the Zero Trust approach in mind.

Conclusion

Once you’ve taken these four key steps, test the model before deployment. Choose one or two IT systems, implement security measures, and see whether Zero Trust fits into your IT environment. This process might take you at least several months, but the time is worth the investment. By properly deploying a Zero Trust model, your business will gain substantially stronger security protection that will last long after the pandemic is gone. However, you should keep in mind that Zero Trust is not a silver bullet. It governs only one of the security layers, so knowing what data you have, where it is stored, which users (even authorized ones) can access it and how they handle it remains of critical importance.

Ilia Sotnikov is an accomplished expert in cybersecurity and IT management. He is Vice President of User Experience & Security Strategist at Netwrix, a cybersecurity vendor that makes data security easy. Netwrix is based in Irvine, Calif. He has over 15 years of experience in the IT management software market. Prior to joining Netwrix in 2013, he was managing SharePoint solutions at Quest Software (later acquired by Dell).
