This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
Imagine two physical security scenarios.
In one scenario, you have an office building where people are vetted by a security guard before they enter. The guard assumes the person is trustworthy unless they do something bad or fail to follow the process—such as someone trying to break past the security barrier or having no identification. As a result, a variety of employees, vendors, and other guests continually gain access to this office building throughout the day.
In another scenario, you have an office building where people are vetted more thoroughly. Rigorous credentials (such as a special ID that is difficult to acquire) are required, biometrics are used as another factor of authentication, and strict protocols (such as an employee escort) are in place concerning vendors and guests entering the building. Security cameras are also monitored regularly to look for suspicious behavior—even watching people already inside.
The first scenario encapsulates many office buildings you may have entered with loose security. The second scenario probably brings to mind places such as the Pentagon, K-12 schools, or airplanes. When you want more safety, you must trust people less and verify more.
Trusting less and verifying more is the principle behind the cybersecurity concept of “zero trust.” Cybersecurity is evolving toward the point where we cannot rely solely on traditional cybersecurity tools such as firewalls, antivirus, and VPNs. In other words, we cannot assume that anything making it past a perimeter into your network is good.
While the concept of zero trust has matured over time and now heavily influences cybersecurity today, it’s also a complicated set of strategies, processes, and tools that even large organizations struggle to implement. However, that doesn’t mean you cannot take some steps toward zero trust that will help better secure your organization.
Here are five ways you can begin shifting toward a zero trust approach.
1. Use multi-factor authentication (MFA).
MFA is an easy way to increase the strength of your authentication processes, especially for devices and software that may exist outside of your network. For example, if you allow employees to work on their own personal devices or use cloud applications, then MFA adds an extra layer of login security by requiring another step such as inputting a code sent to an employee’s phone.
Today, many data breaches occur when a cyberattacker uses stolen employee credentials to get inside your network. MFA presents a barrier that makes it more difficult for a cyberattacker to use those credentials, and it’s also a way to better verify that employees are actually logging in.
2. Deploy application whitelisting.
Inspired by our second scenario in the introduction, application whitelisting works by not allowing an application to run on your network unless it has been given explicit permission to do so. This is a strict form of cybersecurity to ensure that only known applications can access your network.
With some application whitelisting tools, you can also set restrictions around what a permitted application can do. For example, you may decide that an application can perform its intended tasks but not connect to other applications or connect to the internet.
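The following is an added example, not code from VC3's blog, showing the decision an application whitelisting tool makes: an executable may run only if its hash is on the allowlist, and even then only with the capabilities (such as network access) the entry grants. The binaries, hashes and capability names are constructed for the illustration.

```python
"""Application allowlisting decision (constructed example)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash the executable image; identity is the content, not the file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents (real tools hash the file on disk).
SAMPLE_BINARIES = {
    "payroll.exe": b"constructed payroll binary bytes",
    "browser.exe": b"constructed browser binary bytes",
}

# Allowlist keyed by SHA-256 digest. Each entry says what the permitted
# application may do beyond simply running; anything absent is denied.
ALLOWLIST = {
    sha256_hex(SAMPLE_BINARIES["payroll.exe"]): {
        "name": "payroll.exe",
        "capabilities": {"network": False, "ipc": False},
    },
    sha256_hex(SAMPLE_BINARIES["browser.exe"]): {
        "name": "browser.exe",
        "capabilities": {"network": True, "ipc": False},
    },
}


def check_execution(name: str, image_bytes: bytes, requested=()):
    """Return (decision, detail) for an attempt to run `image_bytes` as `name`.

    decision is one of "run", "run_restricted" or "deny". The name is only
    used for reporting: a tampered binary with a trusted name still fails
    the hash lookup and is denied (default deny).
    """
    digest = sha256_hex(image_bytes)
    entry = ALLOWLIST.get(digest)
    if entry is None:
        return "deny", f"{name}: hash {digest[:12]}... is not on the allowlist"
    caps = entry["capabilities"]
    denied = [cap for cap in requested if not caps.get(cap, False)]
    if denied:
        return "run_restricted", f"{entry['name']}: blocked capabilities {denied}"
    return "run", f"{entry['name']}: allowed"


if __name__ == "__main__":
    print(check_execution("payroll.exe", SAMPLE_BINARIES["payroll.exe"]))
    print(check_execution("payroll.exe", SAMPLE_BINARIES["payroll.exe"], ("network",)))
    print(check_execution("payroll.exe", b"tampered bytes with a trusted name"))
```

Because the lookup is by content hash rather than file name, renaming an unknown program to match a permitted one changes nothing; the payroll case also shows the per-application restriction the paragraph above describes (the app runs, but its request for network access is blocked).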
3. Restrict access to data based on roles and privileges.
The concept of “least privilege” must enter your vocabulary if you wish to enhance your cybersecurity. It’s not uncommon to find people with administrative access to servers when they don’t need it, customer service representatives with access to sensitive PII and health-related information that’s not required for them to do their job, or vendors with unnecessary access to sensitive and confidential information.
Instead, you need a more granular approach where information permissions can be set based on an employee’s or vendor’s role. Then, these people will only access the information they need to do their job.
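As an added illustration (not from VC3's blog) of role-based, least-privilege access, the example below grants permissions only through roles, denies by default, and includes a review function that lists the permissions each person holds beyond what their job requires, which is exactly the kind of over-provisioning described above. The roles, resource classes and people are constructed.

```python
"""Role-based permissions with a least-privilege review (constructed example)."""
from dataclasses import dataclass, field

# A permission is an (action, resource class) pair. Roles are invented.
ROLE_PERMISSIONS = {
    "customer_service": {("read", "billing_account"), ("update", "contact_info")},
    "records_clerk": {("read", "billing_account"), ("read", "health_record")},
    "server_admin": {("admin", "server")},
    "vendor_support": {("read", "support_ticket")},
}


@dataclass
class Principal:
    name: str
    kind: str                       # "employee" or "vendor"
    roles: set = field(default_factory=set)


def effective_permissions(p: Principal) -> set:
    """Union of everything the principal's roles grant."""
    perms = set()
    for role in p.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(p: Principal, action: str, resource_class: str) -> bool:
    """Default deny: only an explicit grant through a role allows the action."""
    return (action, resource_class) in effective_permissions(p)


def excess_permissions(p: Principal, required: set) -> set:
    """Grants beyond what the job needs: the targets of a least-privilege cleanup."""
    return effective_permissions(p) - required


def least_privilege_review(principals, job_requirements) -> dict:
    """Map each principal with excess grants to the permissions to remove."""
    findings = {}
    for p in principals:
        extra = excess_permissions(p, job_requirements.get(p.name, set()))
        if extra:
            findings[p.name] = extra
    return findings


if __name__ == "__main__":
    rep = Principal("asmith", "employee", {"customer_service"})
    overgranted = Principal("bjones", "employee", {"customer_service", "server_admin"})
    vendor = Principal("acme-support", "vendor", {"vendor_support", "records_clerk"})
    needs = {
        "asmith": ROLE_PERMISSIONS["customer_service"],
        "bjones": ROLE_PERMISSIONS["customer_service"],
        "acme-support": ROLE_PERMISSIONS["vendor_support"],
    }
    print(is_authorized(rep, "read", "health_record"))      # False
    print(least_privilege_review([rep, overgranted, vendor], needs))
```

Running the review regularly against a current statement of what each role needs turns least privilege from a slogan into a checklist: bjones loses server administration, and the vendor loses the records-clerk role that exposed health records.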
4. Consider using Single Sign-On (SSO).
SSO can help your organization in many ways, all with the end result of better authenticating people who access your systems. With SSO, you can eliminate the need for multiple passwords across different applications, enforce a strong password policy in one place, and better monitor and manage who has access to your systems. As mentioned in the “least privilege” point above, SSO also allows you to set specific access controls per application. Again, this is another tool that helps strengthen authentication—a key aspect of zero trust security.
5. Better vet the identity of users and health of devices.
When a user attempts to log into an application or a device connects to your network, you need to vet these actions with a zero trust mentality. That means:
- Making sure a user’s profile and behavior make sense: What if a trusted employee logs into your network but their profile data says they are currently located in Nigeria or Russia? Or what if an employee who works 9 to 5 is logging in at midnight and downloading sensitive documents for three hours? Traditional security might not flag these actions as problems, so you need to better verify the identity of a user based on additional clues such as location, time, and behavior.
- Ensuring a device follows existing policies, and blocking or limiting access if not: This is a very important reason why you need access and authorization policies. Without policies, you won’t know if a cyberattacker clearly violates them. If employees are required to comply with policies on their devices and a noncompliant device accesses your network, then that raises a red flag. From there, you can ban the device from connecting or restrict access to your network.
- Continuously monitoring in case signals change: A cyberattacker may get inside your systems by looking legitimate and then switch tactics. You need tools that continuously monitor users and devices in case something changes, such as an IP address, type of device, or behavior. These tools should also include logging—which allows you to document who accesses your data and what they have done. Logging provides evidence that you can examine later that will help you analyze suspicious activity or a breach.
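The three checks above (profile and behavior, device compliance, and continuous re-evaluation with logging) can be expressed as one small decision engine. The example below is added here and is not code from VC3's blog; its risk weights, thresholds, user profile and signal values are constructed for illustration, and a real deployment would tune them to its own baseline.

```python
"""Signal-based access decisions in the zero-trust style (constructed example).

A login is scored against the user's expected location and hours, the
device's policy compliance, and unusual download volume; an established
session is re-scored whenever its signals are refreshed, and every
decision is written to an audit log.
"""
from dataclasses import dataclass


@dataclass
class UserProfile:
    username: str
    home_country: str        # country code the user normally works from
    work_hours: tuple        # (start_hour, end_hour), 24-hour local time


@dataclass
class Signals:
    country: str
    hour: int                # hour of day of the request
    device_id: str
    device_compliant: bool   # passed endpoint policy (encryption, patch level, ...)
    ip: str
    downloaded_mb: float     # data pulled so far in this session


# Hypothetical risk weights and thresholds (assumptions, not vendor values).
WEIGHT_LOCATION = 30
WEIGHT_OFF_HOURS = 20
WEIGHT_NONCOMPLIANT = 60
WEIGHT_BULK_DOWNLOAD = 30
WEIGHT_SIGNAL_CHANGE = 25     # per watched signal that changed mid-session
BULK_DOWNLOAD_MB = 500


def score_signals(profile: UserProfile, sig: Signals):
    """Return (risk score, human-readable reasons) for one request."""
    score, reasons = 0, []
    if sig.country != profile.home_country:
        score += WEIGHT_LOCATION
        reasons.append(f"location {sig.country} differs from expected {profile.home_country}")
    start, end = profile.work_hours
    if not start <= sig.hour < end:
        score += WEIGHT_OFF_HOURS
        reasons.append(f"request at hour {sig.hour} is outside work hours {start}-{end}")
    if not sig.device_compliant:
        score += WEIGHT_NONCOMPLIANT
        reasons.append(f"device {sig.device_id} fails endpoint policy")
    if sig.downloaded_mb > BULK_DOWNLOAD_MB:
        score += WEIGHT_BULK_DOWNLOAD
        reasons.append(f"{sig.downloaded_mb:.0f} MB downloaded exceeds {BULK_DOWNLOAD_MB} MB")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to allow, step-up MFA, or block."""
    if score >= 60:
        return "block"
    if score >= 20:
        return "step_up_mfa"
    return "allow"


def evaluate_login(profile: UserProfile, sig: Signals):
    """Decision for an initial login: (decision, score, reasons)."""
    score, reasons = score_signals(profile, sig)
    return decide(score), score, reasons


class SessionMonitor:
    """Re-evaluates a live session when its signals change and logs each decision."""
    WATCHED = ("ip", "device_id", "country")

    def __init__(self, profile: UserProfile, initial: Signals):
        self.profile = profile
        self.last = initial
        self.log = []
        self._record(*evaluate_login(profile, initial), changed=[])

    def _record(self, decision, score, reasons, changed):
        self.log.append({"user": self.profile.username, "decision": decision,
                         "score": score, "reasons": reasons, "changed": changed})

    def update(self, new: Signals) -> str:
        """Re-score with the refreshed signals, penalising any watched signal that changed."""
        changed = [f for f in self.WATCHED if getattr(new, f) != getattr(self.last, f)]
        score, reasons = score_signals(self.profile, new)
        for f in changed:
            score += WEIGHT_SIGNAL_CHANGE
            reasons.append(f"{f} changed from {getattr(self.last, f)} to {getattr(new, f)}")
        decision = decide(score)
        self._record(decision, score, reasons, changed)
        self.last = new
        return decision


if __name__ == "__main__":
    profile = UserProfile("jdoe", "US", (9, 17))
    normal = Signals("US", 10, "laptop-01", True, "203.0.113.5", 2.0)
    print(evaluate_login(profile, normal))
    mon = SessionMonitor(profile, normal)
    print(mon.update(Signals("RU", 10, "phone-07", True, "198.51.100.9", 2.0)))
    for entry in mon.log:
        print(entry)
```

The midnight download scenario from the first bullet scores as off-hours plus bulk download and triggers step-up verification; a noncompliant device is blocked outright; and in the session monitor a login that looked normal but later changes country and device is blocked even though it was allowed at first, with the log entries preserving the reasons for later review.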
If you want to learn more about zero trust, check out NIST’s Special Publication 800-207. It covers zero trust basics, components of a zero trust architecture, and migration tips in more detail.