One basic mistake enterprises and organizations make is to assume that IT environments can be protected from malicious activity simply by making the perimeter bigger, stronger and more resilient. On the same premise, and instead of adopting zero trust, they go on to place residual trust in employees without realizing that even 1% trust can hurt the system severely.
If you have not already given it thought, you must realize that your organization is increasingly threatened by malicious software. With the rapid increase in digitalization, the number of internet connections grows, which raises the likelihood of being attacked.
If you somehow believe that you are not exposed to attacks or that you have not been attacked, like the 40% of companies surveyed by the ARC Advisory Group that stated they had not experienced any cyber-incidents within the last 12 months, it is very possible that you were simply unable to identify all incidents in 2018.
If you make use of the intrusion detection solutions available today, you will be able to expose more cyber incidents than were visible in the past. You may in the end conclude that you have unwittingly left yourself exposed to internally generated attacks.
Possibly you have been employing little or no anomaly detection to flag dangerous or suspicious network traffic. You may have to reach the right conclusion: a 1% trust should not be allowed.
To be on the safe side, you need to apply a zero-trust strategy. You must assume that all users, devices and transactions in the organization have already been compromised, regardless of whether they are inside or outside the firewall.
This perspective drives a new strategy for network security architecture. The ARC survey also found that a company's own workers pose a security threat.
Some of their actions, carried out unintentionally, can disrupt your operational technology/industrial control systems (OT/ICS) automation. This was found to be partly a result of a lack of awareness, especially around new digital OT automation systems.
When you refuse even 1% trust, you effectively withhold access until every user, device or even individual packet has been thoroughly inspected and authenticated. Even when this is done, you must also ensure that only the least amount of necessary access is granted.
Achieving a zero-trust architecture may be a whole different ball game; however, the inherent benefits outweigh the grey areas you may be worried about. Apart from the technical complexity involved, you must allow room for a comprehensive cultural shift within IT and beyond.
You may take comfort in having hidden all your digital assets behind a firewall and bastion network, but what about authorized users and attackers who use dial-up connections and firewall exceptions to bypass the perimeter protection? This is all the more relevant since you have chosen to allow your employees, customers, contractors, vendors and other trusted third parties to access network resources through the cloud, BYOD devices and other means.
Leaving room for some amount of trust does not ensure that your defenders revalidate each time access is requested, which zero trust would have taken care of. Hence you are unknowingly at the mercy of insiders to whom you have granted more access than required, and of employees whose access you did not change even when it was absolutely necessary because their job responsibilities changed.
A zero-trust strategy, on the other hand, would have ensured that you are protected even after changes to affiliations with contractors or other third parties, and from devices or applications, because they are revalidated every time they request access.
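The deny-by-default, per-request revalidation and least-privilege principles described above, as an added example that is not part of the original article. The user directory, role-to-permission map and attested-device list are constructed sample data; the policy deliberately ignores whether a request comes from the "internal" or "external" network, and because it re-reads current state on every request, a role change or an ended contract takes effect immediately.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample state (hypothetical; not from any real system).
USERS = {
    "alice": {"role": "ot_engineer", "active": True, "mfa": True},
    "bob": {"role": "contractor", "active": False, "mfa": True},  # contract ended
}
# Least privilege: each role gets only the permissions it needs.
ROLE_ACCESS = {
    "ot_engineer": {"plc-config:read"},
    "contractor": {"ticketing:read"},
    "analyst": {"logs:read"},
}
TRUSTED_DEVICES = {"laptop-a1"}  # devices that passed posture attestation


@dataclass
class Request:
    user: str
    device: str
    resource: str
    action: str
    source_network: str  # "internal"/"external": recorded, but never trusted


def evaluate(req: Request, users=USERS, roles=ROLE_ACCESS,
             devices=TRUSTED_DEVICES) -> tuple[bool, str]:
    """Deny by default; every call re-checks identity, device and role."""
    user = users.get(req.user)
    if user is None or not user["active"]:
        return False, "unknown or deactivated identity"
    if not user["mfa"]:
        return False, "identity not strongly authenticated"
    if req.device not in devices:
        return False, "device not attested"
    permission = f"{req.resource}:{req.action}"
    if permission not in roles.get(user["role"], set()):
        return False, f"role {user['role']} has no {permission}"
    return True, "allowed"


def demo() -> list[tuple[str, bool, str]]:
    """Show that a job change and an ended contract are enforced on the next request."""
    users = {u: dict(v) for u, v in USERS.items()}  # fresh copy of constructed state
    req = Request("alice", "laptop-a1", "plc-config", "read", "internal")
    results = [("alice as ot_engineer", *evaluate(req, users))]
    users["alice"]["role"] = "analyst"  # job responsibilities changed
    results.append(("alice after role change", *evaluate(req, users)))
    results.append(("bob, contract ended", *evaluate(
        Request("bob", "laptop-a1", "ticketing", "read", "internal"), users)))
    results.append(("alice, unattested device", *evaluate(
        Request("alice", "home-pc", "logs", "read", "internal"), users)))
    return results
```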
The residual trust you have allowed breeds more danger to your network security, as attackers find more vectors to exploit. Under zero trust, however, the trust granted to users or systems that access restricted resources from within your organization's perimeter, or the access granted to external users for specific systems that may since have been removed, will be checked.
A 1% trust leaves room for the exploitation of those vectors, whereas zero trust removes them entirely. You will also discover that you have no resilience to ongoing attacks.
You have effectively negated the overriding principle behind the zero-trust strategy, which is to deny access by default. Nothing checkmates attackers who do manage to find a way into the enterprise network; once inside, they find it very easy to make use of their access by pivoting.
Because your 1% trust is directed at your employees, you will assume nothing can go wrong, but you have conveniently forgotten that you have indirectly increased your attack points. Designating users as internal or external is increasingly meaningless.
Once an external actor latches on to an internal source, the damage is done. Their success in gaining unprivileged access to an internal system in order to pivot to juicier targets means that an internal threat may just be an extension of an external one.
If you have a zero-trust strategy working in your organization, you have effectively started treating all potential threats the same way. You have no cause to differentiate between the two types of threat, and you have saved yourself a great deal of trouble.
A zero-trust strategy works, but just as was once the case for firewalls, you should not take it to be the end goal for security. You must remain vigilant, since attackers are still dedicated to developing ways of exploiting or bypassing security solutions.