26 August 2021
Zero trust: Because no one is safe from attacks
What do the Danish government, EasyJet, and Experian South Africa have in common? Combined, they exposed the data of tens of millions of citizens and customers this past year, says Michael Bird, host of this episode of Technology Untangled.
And that's just a sample when it comes to the number of data compromises organisations big and small have suffered as attackers increasingly up their game. As Simon Wilson, CTO at Aruba, a Hewlett Packard Enterprise company, puts it, "If you've built a 10-meter wall, they're going to build a 12-meter ladder. It's an arms race—there's no question about it."
The answer for a growing number of IT organisations? Implement zero trust, which means, in simple terms, treating all users and activity on the corporate network as hostile and therefore untrustworthy until proven otherwise, explains Chris Dando, a chief technologist at HPE.
While some view the measure as excessive, Josephine Wolff, assistant professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University, cites the recent SolarWinds hack to illustrate why organisations might want to consider moving to a zero trust model.
Compromised—by a trusted vendor
In the SolarWinds incident, hackers compromised the vendor's security software, and, unaware that the breach had occurred, SolarWinds provided its customers with updates to the software that included a back door into their systems. Systems affected included Microsoft, the U.S. Department of Homeland Security, and other highly sensitive networks.
As Wolff explains, "Once the adversaries had gotten into some of those organisations' computer networks, they then started trying to root around and find ways they could get into other organisations." And down the supply chain the hack went.
Under zero trust, the update wouldn't have been installed until it was fully vetted within the zero trust framework—even when it was coming from a trusted vendor.
Why zero trust?
In the early days of networking, users were granted access to systems based on location, Wilson explains. So, for instance, "if I was in the finance department, I'd be given the same level of trust as a finance user," he says. Today, users are highly mobile, with many companies now employing so-called hot desking, whereby employees don't have a permanent location but share various desks with others when in the office.
"If there is no finance department anymore, because it's a hot desk environment, then we need to establish who people are at the time they connect, rather than just because they're in a part of the building," Wilson says.
To establish a zero trust model, companies first need to determine how granular they want their rules for access to be, Wilson says. Will they vary depending on whether workers are using iPhones vs. iPads, home networks vs. wireless phone networks, one operating system vs. another? Then, companies need a policy engine to implement the rules, along with mechanisms for enforcing the rules and monitoring access, he explains.
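The pieces Wilson lists (granular rules, a policy engine, enforcement, and monitoring) can be sketched as a default-deny decision function. This is an added example, not code from the article, HPE, or Aruba; the resource names, roles, device and OS labels, and rule layout are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    role: str      # established by authentication at connect time, not by desk location
    device: str    # constructed labels, e.g. "laptop", "ipad", "iphone"
    os: str
    network: str   # constructed labels: "corporate", "home", "cellular"
    resource: str

# Constructed rules: every attribute must be in the rule's allowed set.
RULES = [
    {"resource": "finance-ledger", "role": {"finance"},
     "device": {"laptop"}, "os": {"windows11", "macos14"},
     "network": {"corporate", "home"}},
    {"resource": "expenses-app", "role": {"finance", "staff"},
     "device": {"laptop", "ipad", "iphone"},
     "os": {"windows11", "macos14", "ios17"},
     "network": {"corporate", "home", "cellular"}},
]

ATTRIBUTES = ("role", "device", "os", "network")
AUDIT_LOG = []  # monitoring: every decision is recorded, allow or deny

def decide(req):
    """Policy engine: allow only when a rule for the resource matches every
    attribute; anything not explicitly permitted is denied."""
    allowed, reason = False, "no rule for resource"
    for rule in RULES:
        if rule["resource"] != req.resource:
            continue
        failed = [a for a in ATTRIBUTES if getattr(req, a) not in rule[a]]
        if not failed:
            allowed, reason = True, "rule matched"
            break
        reason = "mismatch: " + ",".join(failed)
    AUDIT_LOG.append((req.user, req.resource, "allow" if allowed else "deny", reason))
    return allowed, reason

if __name__ == "__main__":
    # Same finance user, two contexts: managed laptop at home vs. phone on cellular.
    for r in (Request("alice", "finance", "laptop", "macos14", "home", "finance-ledger"),
              Request("alice", "finance", "iphone", "ios17", "cellular", "finance-ledger")):
        print(r.device, r.network, decide(r))
```

The deny reasons in the audit log double as the monitoring feed: a sudden run of mismatches for one user or device is the kind of change in behaviour worth investigating.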
Dangers in the hardware supply chain
The pandemic-driven increase in remote work presents additional challenges, however—particularly in relation to the hardware supply chain, Dando cautions. With workers now using a wide range of devices and technologies to connect to networks, both in and out of company facilities, the attack surface has expanded significantly, the experts say.
"If we're implementing more new technologies into the enterprise marketplace from organisations that maybe we didn't have a long-term relationship with, we need to secure those in a different way," Dando says, noting companies should approach these technologies "from a perspective of not actually trusting [the] supply chain, even though they're all reputable companies."
He adds, "Quite a lot of zero trust is about actually monitoring and understanding the normal behaviour of devices and then understanding if it changes."