How enterprises are securing themselves with zero trust
You've heard it before, but it bears repeating: COVID-19 changed everything, and the quick shift from the office to working from home introduced new types of security threats that are spreading to exploit the pandemic.
We are more interconnected than ever. It's time to explore zero trust, an approach to identity and access management that assumes no user or software is trusted by default. That was the message of cybersecurity experts speaking during a recent webinar, The Element of Protection, sponsored by Hewlett Packard Enterprise.
Social engineering is the attack method of choice. According to Tyler Cohen Wood, former senior intelligence officer for the U.S. Department of Defense, one example is targeting employees' children who are attending school remotely by sending them something to download.
To combat this, organizations—and parents—need to step up their cybersecurity awareness training "and make sure we're doing things to protect ourselves as individuals, our family, our business, our company, and our nation." A lot of that involves separating your work environment from your home environment.
In essence, families have become another endpoint on the perimeter that we need to protect for our business, noted moderator Clint Watts, a distinguished research fellow at the Foreign Policy Research Institute and a former FBI special agent.
The everyday impact these threats have on businesses is enormous, observed Salvatore Stolfo, a computer science professor at Columbia University. Anyone with a mail client only has to look at their spam folder to see the number of social engineering attacks coming in.
Large enterprises focus on protecting employees from phishing attempts, Stolfo said. Still, they may not be aware that their corporate presence—their brand, web pages, and websites—is being cloned by phishers who leverage well-known brands to scam the general population.
"Cybercrime of this nature has now eclipsed the international drug trade," Stolfo said, referring to social engineering techniques that use well-known sites and domains. "Phishers have created infrastructure that allows them to stand up corporate cloned websites almost instantly," netting credentials and the ability to steal digital identities.
Stolfo said once authorities or pharmaceutical companies announce a COVID vaccine, he's confident there will be "a huge number of websites conducting fraud to convince people they can get the vaccine for low cost or get [it] first online."
Implementing a zero-trust approach
At every turn, attackers look to take advantage of our dependence on technology, as evidenced by the rise in ransomware attacks and intellectual property theft. Companies need to get in front of that. They must understand what assets they have and what the attackers' capabilities are and be proactive in putting protections around critical assets, said Drew Simonis, vice president and deputy chief information security officer at HPE.
Simonis acknowledged that employees need to support a culture of increased security, although that takes time and effort.
People, systems, and software are now all over the world and interconnected. Moving from the edge to the cloud has become more prevalent, especially during the pandemic. Still, the concept of having defined boundaries around people, locations, and systems "is completely broken," said Sunil James, a senior director at HPE.
"We have to allow for the fact that people and systems can move," he said.
COVID is an opportunity for people to reconsider how to architect their systems in a world where physical location cannot be taken for granted, James said. To keep up with this dynamism, organizations must consider adopting a model of zero trust.
More than a buzzword
Keith Townsend, principal of CTO Advisor, said when the pandemic hit, companies had employees take their desktops off their desks to take them home "because they weren't prepared for the new reality of these crushed walls."
But organizations did not know whether the person or machine connecting to the corporate network was their employee, Townsend said.
Zero trust can be somewhat of a marketing buzzword. Still, companies have to be very careful about what they say about it, said Jon Green, vice president and chief security technologist at Aruba, an HPE company.
The idea of zero trust says "your position on a participating network or network segment should not convey any special access rights to a piece of data or app or a service," he explained. In the past, perimeters and firewalls were considered adequate to protect data from outside threats. But now, there are bad guys on the inside of the network.
Assume a posture that the network has already been breached, Green advised. That means strong authentication is needed at the application and service levels for people and devices, even if they are already established on the network.
Yet not everything on the network will participate in a zero-trust framework, he noted, citing the number and nature of Internet of Things (IoT) devices. As an example, Green said, "people are connecting vending machines to the network."
Zero trust is not just a tech solution but a new way to approach a security architecture, added Simon Leech, senior advisor for security and risk management at HPE. If done well, "it also becomes an incredible business enabler," he said.
When implementing a zero-trust strategy, Leech recommended organizations first think about their business objectives over the next couple of years and how a zero-trust strategy can secure them. That will reveal some areas where quick wins can be had, he said.
Customer experiences with zero trust
The importance of continually educating employees, working with trusted partners, and ensuring organizations are using the latest security products were themes HPE customers discussed with Bob Moore, director of server software and security products at HPE.
"The challenge of asset management in a cloud environment is that assets are nowhere near as static as they used to be," said Toby Kohlenberg, security staff engineer at Dropbox.
But even with the rise of social engineering techniques during the pandemic, "the fundamental threats have not changed," he said. There may be less physical targeting of employees in the workplace, but now they're being targeted in a "virtual-first environment."
Kohlenberg said he and fellow speaker Andrew Bleil, a lead corporate engineer at Dropbox, "prefer the phrase granular trust or dynamic trust rather than zero trust," which implies stripping out access.
The customers also spoke about how to educate their employees on security best practices. "Being worthy of trust is foundational at Dropbox," he said. Training and refreshes are ongoing at the company, especially during the company's "Trustober."
Texas Children's Hospital does monthly simulation exercises to train staff on malicious emails, business email compromise, and phishing, said Teresa Tonthat, CISO at the hospital, which is also enforcing requirements for annual training.
Identity management has become a problem with so many people now working from home, said Townsend. But there is some good news: Users understand the need for passwords and security a lot more than before. While zero trust is the goal, "the No. 1 challenge across industries is user education" as organizations struggle with identity management tools, he said.
HPE is working to deliver a continuous platform of data from creation through processing—wherever it may physically be—and securing it all along the way, said James.
In terms of the human component, security has to be part of an organization's culture or it will fail, said Townsend. Training in broad principles of security is essential but so is job-specific training, he said.
Organizations should also introduce a security-by-design mentality, Townsend added. That means inviting security teams to the table whenever a project kicks off and taking the stance that security is no longer optional.
Security should be made as easy as possible, and it needs to be emphasized from the top down, he said. If employees are involved, they will care.
The promise of SASE
Secure Access Service Edge (SASE) is a promising area of tech growth, said Green. The idea is users are everywhere and services may be as well. As such, the old model of services residing in a corporate data center has gone away in favor of a hybrid cloud, he said.
Now, any of those services can be provided from anywhere, so SASE is about making services in the cloud follow a user anywhere, he said.
HPE and Gartner disagree about the definition of SASE, Green noted. Gartner "would like to see networking and security built into one service," while HPE takes the position that networking vendors should do what they do and let security vendors do security, he said.
Keith said he also believes in the idea that network and security should be two separate strategies. The SASE world will get people to use lambda functions, which is a modern way to write applications, he said.
In summation, James reiterated that all of this infrastructure is designed to work with end users, who are generating huge amounts of information. The goal is to be able to derive insights from them.
"We think that the idea of control around data is going to go through an evolution," James said. The ability to provide granular control of data will be a new surface area of opportunity for hackers to exploit—but it will continue to be defended as well.