Strategies for establishing a zero-trust approach

Aug. 27, 2021
At the core of zero trust lies the principle of never trust, always verify

With so many people working remotely and on holiday, it's no wonder that cybercriminal group REvil launched an attack over the 4th of July weekend. REvil's recent ransomware attack affected more than 1,000 companies in over 17 countries. Unfortunately, such attacks are becoming increasingly common, and as President Joe Biden recently opined, they can cause serious geopolitical conflicts, including wars.

Due to the Covid pandemic, there has been a widespread, global migration to remote work, and cyberattacks have been ramping up as a result. According to the 2021 Digital Readiness Survey, 83% of information technology professionals believe that remote workers have increased their corporation's security risk. Moreover, despite this increased security risk, only 56% of companies have adopted a security strategy for their remote employees. All of these elements are fusing to create an ideal climate for hackers and cybercriminals.

Cybersecurity is definitely top of mind for the Biden administration, as 18 new cybersecurity bills recently hit Capitol Hill, including the proposed Cyber Incident Notification Act, which if passed, would make it mandatory for federal agencies and contractors to disclose data breaches. These developments highlight how important it is for all organizations to take a zero-trust approach—especially in the age of remote work.

Rely on the Principle of Least Privilege

Given that employees are working outside of the office and using non-sanctioned devices more than ever, establishing a zero-trust framework is vital. Originally put forth by cybersecurity strategist John Kindervag, the zero-trust framework mandates that every user is only provided with the minimum level of access needed to complete his or her work. This includes everyone in an organization, even those in the upper echelons of management. After all, C-level executives' accounts are prized targets for hackers, malicious insiders, and other bad actors.

It is important to follow the principle of least privilege, which states that users should be granted access to only the fewest resources they need—and only for the absolute minimum amount of time. Often called "just-in-time access" or "just-enough access," this principle is a core component of Kindervag's framework.

Authenticate Users Based on Identity, Location, Device and Anomalies

At the core of zero trust lies the principle of "never trust, always verify." Essentially, this means that IT personnel should always assume that there has been a breach.

Every single access request should be treated as though it has originated from an open, insecure network. Additionally, every request should be authenticated and authorized before access is granted, and all internal communication should be encrypted. All endpoints should be checked to ensure they are safe, and any anomalous behavior within the network should be flagged. There are tools that can help IT personnel achieve these tasks.
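The two ideas above, just-in-time/just-enough grants and a fresh verification of every request, fit together in a small policy evaluator. The following is an added example, not code from the article or from any ManageEngine product; the `Grant` and `AccessRequest` shapes, the four-hour grant cap, the posture fields and the reason strings are all assumptions. Each request is decided from scratch: identity (MFA), device posture and an unexpired, scope-matching grant must all hold, and a failure in any one produces a deny with the reason recorded.

```python
"""Per-request authorization with just-in-time, just-enough grants.

Added illustration; the data shapes, the MAX_GRANT_TTL policy cap and the
reason strings are assumptions, not any product's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """A scoped, time-boxed privilege: `user` may perform `actions` on
    `resource` until `expires_at` (just-in-time / just-enough access)."""
    user: str
    resource: str
    actions: frozenset
    expires_at: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_verified: bool        # identity check result reported by the IdP
    device_compliant: bool    # posture as reported by endpoint management
    at: datetime              # time the request is being evaluated


MAX_GRANT_TTL = timedelta(hours=4)   # assumed policy cap on any JIT grant


def issue_grant(user, resource, actions, requested_ttl, now):
    """Issue a JIT grant, capping its lifetime at MAX_GRANT_TTL."""
    ttl = min(requested_ttl, MAX_GRANT_TTL)
    return Grant(user, resource, frozenset(actions), now + ttl)


def decide(request, grants):
    """Evaluate one request with no carried-over trust: identity, device
    posture and an unexpired grant covering exactly this resource and action
    must all hold. Returns (allowed, reasons); reasons is empty when allowed."""
    reasons = []
    if not request.mfa_verified:
        reasons.append("mfa_not_verified")
    if not request.device_compliant:
        reasons.append("device_not_compliant")
    covered = any(
        g.user == request.user
        and g.resource == request.resource
        and request.action in g.actions
        and g.expires_at > request.at
        for g in grants
    )
    if not covered:
        reasons.append("no_active_grant")
    return (not reasons, reasons)


# Constructed scenario: a fixed clock, one fresh grant (request for 8h is
# capped to 4h) and one grant that expired five minutes ago.
NOW = datetime(2021, 8, 27, 14, 0, tzinfo=timezone.utc)
GRANTS = [
    issue_grant("alice", "db/payroll", {"read"}, timedelta(hours=8), NOW),
    Grant("bob", "db/payroll", frozenset({"read", "write"}), NOW - timedelta(minutes=5)),
]


def demo():
    cases = {
        "alice_read": AccessRequest("alice", "db/payroll", "read", True, True, NOW),
        "alice_write": AccessRequest("alice", "db/payroll", "write", True, True, NOW),
        "alice_no_mfa": AccessRequest("alice", "db/payroll", "read", False, True, NOW),
        "alice_bad_device": AccessRequest("alice", "db/payroll", "read", True, False, NOW),
        "alice_after_expiry": AccessRequest("alice", "db/payroll", "read", True, True,
                                            NOW + timedelta(hours=5)),
        "bob_expired": AccessRequest("bob", "db/payroll", "read", True, True, NOW),
    }
    return {name: decide(req, GRANTS) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY':5s} {reasons}")
```

Note that a grant covering `read` says nothing about `write`, and that the same user who is allowed at 14:00 is denied at 19:00 once the capped grant has lapsed; both are what "just-enough" and "just-in-time" mean in practice.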

With identity and access management tools, including privileged account management and multi-factor authentication (MFA) tools, IT personnel can easily verify users' identities, locations, and the health of their devices. Additionally, a unified endpoint management (UEM) solution makes it easy to provide all devices with patches and other security updates, while also giving IT personnel quick remediation capabilities in the event of any identified threats or anomalous activity.

It is important to track anomalous user behavior in real-time. For example, if a user usually accesses a certain database on weekdays in the northeastern region of the United States, an access request from that user in Los Angeles should be flagged. Through the use of data analytics solutions, one can identify such anomalous activity, and identify a potential attack before it happens.
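The weekday/northeast example above is a baseline check: learn where, when and on what a user normally operates, then flag requests that fall outside that pattern. The following is an added example, not code from the article; the log format, the field names and the `MIN_HISTORY` cut-off are assumptions, and all log lines are constructed. It goes slightly beyond the text by also baselining the resource accessed, and it skips users with too little history rather than flagging everything they do.

```python
"""Flag access requests that break a user's established baseline (source
region, weekday/weekend, resource).

Added example; the log format and MIN_HISTORY are assumptions and the
log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: ISO timestamp, user, region the request came from, resource.
HISTORY = """\
2021-08-02T09:15:00 jdoe us-northeast db/payroll
2021-08-03T10:02:00 jdoe us-northeast db/payroll
2021-08-04T08:47:00 jdoe us-northeast db/payroll
2021-08-05T11:30:00 jdoe us-northeast db/payroll
2021-08-06T09:05:00 jdoe us-northeast db/payroll
2021-08-02T09:00:00 asmith us-west db/crm
2021-08-03T09:00:00 asmith us-west db/crm
2021-08-07T14:20:00 asmith us-west db/crm
2021-08-02T09:00:00 newhire us-northeast db/crm
"""

# Constructed new requests to screen against that baseline.
NEW_EVENTS = """\
2021-08-09T09:10:00 jdoe us-northeast db/payroll
2021-08-09T23:45:00 jdoe us-west db/payroll
2021-08-14T10:00:00 jdoe us-northeast db/payroll
2021-08-09T09:00:00 asmith us-west db/crm
2021-08-10T09:00:00 asmith us-west db/payroll
2021-08-09T09:00:00 newhire us-west db/crm
"""

MIN_HISTORY = 3   # assumed: do not judge a user with fewer observations


def parse(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, region, resource = line.split()
        yield {"ts": datetime.fromisoformat(ts), "user": user,
               "region": region, "resource": resource}


def day_type(ts):
    return "weekend" if ts.weekday() >= 5 else "weekday"


def build_baseline(events):
    """Per user: the regions, day types and resources seen, plus a count."""
    base = defaultdict(lambda: {"regions": set(), "day_types": set(),
                                "resources": set(), "n": 0})
    for e in events:
        b = base[e["user"]]
        b["regions"].add(e["region"])
        b["day_types"].add(day_type(e["ts"]))
        b["resources"].add(e["resource"])
        b["n"] += 1
    return base


def flag_anomalies(baseline, events):
    """Return the events that deviate from their user's baseline, with reasons.
    Users with too little history are skipped rather than guessed about."""
    flagged = []
    for e in events:
        b = baseline.get(e["user"])          # .get() does not create entries
        if b is None or b["n"] < MIN_HISTORY:
            continue
        reasons = []
        if e["region"] not in b["regions"]:
            reasons.append(f"new_region:{e['region']}")
        if day_type(e["ts"]) not in b["day_types"]:
            reasons.append(f"new_day_type:{day_type(e['ts'])}")
        if e["resource"] not in b["resources"]:
            reasons.append(f"new_resource:{e['resource']}")
        if reasons:
            flagged.append({"ts": e["ts"].isoformat(), "user": e["user"],
                            "reasons": reasons})
    return flagged


def run():
    return flag_anomalies(build_baseline(parse(HISTORY)), parse(NEW_EVENTS))


if __name__ == "__main__":
    for f in run():
        print(f["ts"], f["user"], ", ".join(f["reasons"]))
```

With the constructed data, `jdoe`'s late-night request from `us-west` and the Saturday request are flagged, `asmith`'s first touch of `db/payroll` is flagged, and `newhire` is skipped because one observation is not a baseline. In production the baseline would be rebuilt on a rolling window so that a legitimate relocation stops being an anomaly after a few observations.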

With solutions that verify user identities, gauge the health of endpoints, and block access from certain devices in real time, organizations can stay out of harm's way. When it comes to endpoints, it is important to identify shadow IT.

Be on the Lookout for Shadow IT

Due to the rapid increase in remote work, shadow IT—the use of devices, software, applications, and services not officially sanctioned by IT personnel—is on the rise.

According to the 2021 Digital Readiness Survey, 78% of companies across the globe reportedly failed to control the applications and services that their employees use.

Shadow IT seems to be a particularly large problem in the United Kingdom, where 45% of respondents said their employees had purchased their own online meeting tools, 38% acquired mobile-specific apps, and 36% downloaded productivity apps—all without direct approval from their IT department.

Monitor Your Corporate VPNs

Seeing as so many employees are currently working via remote access VPNs, it is important to engage in frequent, robust VPN monitoring. Secured through encryption, VPNs allow data to flow along protected paths or tunnels. In order to identify security threats, IT personnel should monitor these tunnels, blocking unwanted traffic, tracking bandwidth usage levels, and monitoring destination URLs.

It is important to monitor all of the VPN traffic in real-time, paying careful attention to the number of active VPN sessions, as well as the length of these sessions. One should also be sure to watch out for any failed user login attempts or anomalous behavior.
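The three checks named above (number of active sessions, session length, and failed login attempts) can be computed directly from gateway logs. The following is an added example, not code from the article or from any vendor's VPN product; the log line format, the `LOGIN_OK`/`LOGIN_FAIL`/`LOGOUT` event names, the 12-hour session limit and the five-failures-in-60-seconds threshold are assumptions, and the log lines are constructed (addresses come from the RFC 5737 documentation ranges).

```python
"""Summarise VPN gateway logs: sessions open at a given time, sessions that
exceed a duration limit, and bursts of failed logins from one user/source.

Added example; the log format, event names and thresholds are assumptions,
and the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

VPN_LOG = """\
2021-08-27T08:00:00 vpn-gw1 LOGIN_OK user=alice src=203.0.113.5 sid=1001
2021-08-27T08:05:00 vpn-gw1 LOGIN_OK user=bob src=198.51.100.7 sid=1002
2021-08-27T08:06:00 vpn-gw1 LOGIN_FAIL user=carol src=192.0.2.9
2021-08-27T08:06:10 vpn-gw1 LOGIN_FAIL user=carol src=192.0.2.9
2021-08-27T08:06:20 vpn-gw1 LOGIN_FAIL user=carol src=192.0.2.9
2021-08-27T08:06:30 vpn-gw1 LOGIN_FAIL user=carol src=192.0.2.9
2021-08-27T08:06:40 vpn-gw1 LOGIN_FAIL user=carol src=192.0.2.9
2021-08-27T09:30:00 vpn-gw1 LOGIN_FAIL user=dave src=203.0.113.20
2021-08-27T12:00:00 vpn-gw1 LOGOUT user=bob sid=1002
2021-08-27T20:30:00 vpn-gw1 LOGIN_OK user=dave src=203.0.113.20 sid=1003
"""


def parse_vpn_log(text):
    """Each line: timestamp host EVENT key=value ..."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields.update(ts=datetime.fromisoformat(ts), host=host, kind=kind)
        events.append(fields)
    return events


def build_sessions(events):
    """sid -> {user, start, end}; end is None while the session is still open."""
    sessions = {}
    for e in events:
        if e["kind"] == "LOGIN_OK":
            sessions[e["sid"]] = {"user": e["user"], "start": e["ts"], "end": None}
        elif e["kind"] == "LOGOUT" and e["sid"] in sessions:
            sessions[e["sid"]]["end"] = e["ts"]
    return sessions


def active_at(sessions, t):
    """Session ids open at time t."""
    return sorted(sid for sid, s in sessions.items()
                  if s["start"] <= t and (s["end"] is None or s["end"] > t))


def long_sessions(sessions, now, limit):
    """(sid, user, duration) for sessions, open or closed, longer than `limit`."""
    out = []
    for sid, s in sessions.items():
        duration = (s["end"] or now) - s["start"]
        if duration > limit:
            out.append((sid, s["user"], duration))
    return out


def failed_login_bursts(events, threshold, window):
    """(user, src, count) for every user/source pair that produced at least
    `threshold` LOGIN_FAIL events inside some sliding `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGIN_FAIL":
            by_key[(e["user"], e["src"])].append(e["ts"])
    bursts = []
    for (user, src), times in by_key.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:   # shrink window from the left
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts.append((user, src, best))
    return bursts


def report(now=datetime(2021, 8, 27, 21, 0, 0)):
    events = parse_vpn_log(VPN_LOG)
    sessions = build_sessions(events)
    return {
        "active": active_at(sessions, now),
        "long": long_sessions(sessions, now, timedelta(hours=12)),
        "bursts": failed_login_bursts(events, threshold=5,
                                      window=timedelta(seconds=60)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

At 21:00 the constructed log shows two open sessions, one of them (`alice`, 13 hours) past the 12-hour limit, and one burst of five failures for `carol` from a single source; `dave`'s single failure followed by a successful login is below the threshold and not reported.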

As an interesting aside, India seems to have a particularly good handle on VPN monitoring, as only 30% of the survey respondents reported having to learn about VPN usage in the aftermath of the COVID pandemic; this percentage was well below the global average of 35%.

Keep a Close Eye on Privileged Users

Privilege misuse is a top attack vector. It's important to engage in privileged session monitoring and be sure to pay particular attention to privileged user behavior analytics.

If you've had problems with a user in the past, consider privileged session recordings, which can be helpful in the event of a compliance audit. By overseeing privileged users' activities on remote servers, databases, and other critical systems, one can support compliance audits and also instantly terminate any session that looks suspicious.

Through the course of one's VPN monitoring activities, be sure to pay particular attention to privileged users' sessions; fetch VPN logs and generate traffic and security reports for all top executives. Such information not only proves helpful during an audit, but it also strengthens the company's security posture. After all, many organizations fail to adequately monitor privileged users, making such users ideal targets for cybercriminals.

Key Takeaways

The current migration to remote work highlights the need for a data-centric security focus, as opposed to a perimeter-based one. It is vital that organizations embrace a zero-trust framework, including encrypting internal communications, limiting user access via the principle of least privilege, monitoring all corporate VPN activity, and engaging in real-time threat detection.

It is important to note that the prevalence of remote work does not appear to be dissipating any time soon. According to the aforementioned study, 96% of respondents said they are planning on supporting remote workers for at least the next two years.

Despite this, few companies are embracing the proper security posture, which is one of zero trust. For example, in North America, only 19% of companies adopted a zero-trust network in the aftermath of the pandemic. This is not prudent, especially when one considers that 52% of organizations across the globe have reported that phishing attacks increased due to the pandemic. In North America, these numbers were even higher, as a whopping 58% said phishing had increased as a result of the pandemic.

Lastly, 46% of North American respondents said endpoint network attacks (e.g., employee devices at home, edge devices) had increased, and 37% saw an increase in malware attacks. To be sure, all of these statistics underscore just how important it is to embrace zero trust architecture.

About the Author:

Rajesh Ganesan is the Vice President of Product at ManageEngine, a division of Zoho Corporation. He has over 20 years of experience in building enterprise IT products around security, access management, and service management. He spends as much time as possible interacting with thousands of customers around the world and is passionate about solving IT problems with a simple, yet effective, approach. He has built many successful products at ManageEngine, focusing on delivering enterprise IT management solutions as SaaS.