Zero to hero: save your org from cyber-attack with a zero trust model
(Last updated on January 24, 2022)
Zero trust mentality: sounds kinda harsh, doesn’t it? Here at Specops it doesn’t mean we can’t trust our colleagues not to eat our yogurt out of the office fridge, but it does mean we lock our computers before leaving them unattended–yes, even at home.
What does zero trust mean?
Specops product specialist Clay Kirkland describes zero trust as, “Verify, then trust.”
The idea of a zero trust principle guiding your cyber security means that there’s no room for human error. It’s a defensive mechanism intended to eliminate implicit trust and instead validate at every stage of digital interaction. This way, there’s never any confusion as to the identity of your end users whether digital, over the phone, or even in person. It may seem extreme, but it can save your organization from a dire cyber-attack, or from a hack becoming way more destructive than you’d hope.
This principle has practical elements that come together to support the idea that nothing is assumed, and everything is verified. A few technological pieces include practices you may already have in place in your organization, like passwords, multi-factor authentication, helpdesk verification, and more.
It’s like when you’re talking to the bank on the phone and even though you’re calling from your known cell number they’re still asking your father’s middle name and the last four of your social—all these extra precautions support a zero trust security model and ultimately prevent cyber-attack.
The 3 principles of a zero trust security model
There are three main principles of a zero trust infrastructure in your cyber security toolbelt that help explain the application of zero trust in your IT organizational makeup.
- Verify explicitly
Verification can be tricky, and when it comes to zero trust it’s best to leave it up to the robots. This helps take onus off the helpdesk staff by refusing to use any verification method that’s not explicitly automated. The idea behind this principle is that there’s zero room for error, manipulation, or impersonation.
The most common implementation of explicit verification is multi-factor authentication. Using MFA to verify your users may seem like a pain, but in a few simple clicks they can be verified, and everyone can breathe easier knowing the access is more secure.
2. Default to the least-privileged accesses
While it may ruffle a few feathers defaulting to the least possible access is an important part of your zero trust implementation. Curiosity, or even a higher title, doesn’t mean there’s a valid reason to grant someone full insights into assets like data, archives, or financials (to name a few).
Each user should get only the privileges needed to complete their job, commonly referred to as just-in-time and just-enough-access (JIT/JEA). It’s not as extreme as it sounds as most users won’t even know what they’re not seeing.
The idea here is that if there were a breach the information available to a hacker is limited. Also, it takes some level of responsibility off your end users since they’re keeping a smaller volume of detail confidential. Think of it like a security clearance in government, your organization should be structured in a way that keeps the most secure accesses at the highest level of clearance only.
Don’t forget: this includes IT staff—if you don’t need the information to do your job it shouldn’t be within reach. Most organizations differentiate first-level service desk agents from network admins
3. Assume there is a breach
This principle can be tough to communicate within your organization but it essentially means treating every day as if there is an active hacker in your directory. This can start with the least-privileged access principle to minimize damage of a breach thanks to the segmented accesses you’ve put in place.
Assuming there is an active breach at any point also encompasses the need to verify end-to-end encryption and use analytics to monitor threats and proactively update your defensive efforts. Your IT department should feel like an anti-terrorism unit, with network surveillance and preparedness at the forefront of your day.
The practical implementation areas of a zero trust policy
User authentication is a large part of identity security, MFA is vital to a solid zero trust implementation and helpdesk security can help with an additional layer of protection. Identification-reliant attacks are the backbone of social engineering which accounts for 98% of all cyber crime.
It’s also important not to forget about the safety of your hardware, here’s a bit more from Sepio Systems on making sure your hardware network isn’t tanking your cyber security efforts.
- 3rd party relationships
It’s important to know exactly who you’re doing business with. When contracting vendors, vetting customers, and even hiring, be sure to investigate any shadow IT, double-check permissions, and gate accesses.
Fully vet your vendors for potential risk and don’t be afraid to ask the hard questions, if there’s nothing to hide it shouldn’t be an issue to answer.
- In your data
Make sure your data is mapped out with access in mind. Ask the hard questions of your stakeholders like who needs this information and why. From there ensure your data is categorized and use access restrictions for sensitive information.
Be sure to identify weak spots in the flow of data and work to implement end-to-end encryption in the three main stages, at rest, in transit, and in use.
- Your whole infrastructure
You should have a pulse on the entirety of your infrastructure to automatically block and flag risky behaviors detected. This can start with the practical implementation of defaulting to least privileged accesses but extends to every facet of your organization—routers and other hardware, cloud, IoT, and supply chains.
Securing the endpoints within your infrastructure are a huge part of data security. Implementing stopgaps at endpoints can stop an attack from escalating further. Here’s a great piece on endpoint security from Palo Alto Networks.
Zero Trust at the service desk
One of the easiest ways to begin your restructuring into a zero trust model is at the helpdesk. End users call the service desk for lots of IT issues but those that are the highest risk for your organization are ones that involve granting access – like password resets and resolving locked accounts. If your organization isn’t implementing zero trust at the service desk, your org is at risk of a social engineering attack.
An organization’s security is ultimately in the hands of the users and IT staff. Software such as Specops Secure Service Desk can help to make sure that users and helpdesk technicians are complying with the organization’s zero trust security requirements and take the guesswork out of end-user verification by employing automated MFA requirements.
Using software to help implement zero trust principles takes the onus off the IT helpdesk for seeming suspicious of end-users—we can all just blame the protocols for the extra hoops to jump through. Employing software to make helpdesk verification part of your security infrastructure also beefs up data collection around helpdesk calls, cuts down on human error, and shows interested partners you’re serious about cyber security. Here’s the latest from the Specops blog on what can happen when your service desk isn’t secured.