By Henry Silcock, Founder, Two Rabbits Advisors
WHY?
Deploying effective cybersecurity measures for your business today is a continuous, ongoing battle with cybercriminals, and cybercriminals, like conventional terrorists, have a built-in advantage. It is asymmetric warfare: the defender has to be right every time, while the attacker only has to be right once. It takes just one response to a phishing email to get past conventional "perimeter-based" IT protections, and once inside an attacker can often roam through the network unchallenged and extract sensitive data.
The Zero Trust Architecture (ZTA) approach addresses these problems by making attacks harder to carry out and limiting the damage when a breach does occur. ZTA also fits current realities of enterprise networks, such as remote users, BYOD and cloud-based assets, where the "inside" of the network is no longer a meaningful boundary. Careful implementation of ZTA principles can allow your business to adopt an effective, proactive approach to cybersecurity rather than reacting only when problems arise.
WHAT?
What is ZTA exactly? Opinions differ, and there are many attempts to define it, including the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-207. Details vary, but all of them address the limitations of the legacy perimeter-based approach, which assumes that only authorized users are on the corporate network, and that one-time user authentication followed by standing access permissions is sufficient to protect sensitive data. By contrast, ZTA assumes that a breach has already occurred and seeks to limit the damage it can cause. This is the "never trust, always verify" approach: no user, device or application is trusted because of where it sits on the network, and every request is treated as potentially malicious and must be verified before it is allowed to reach sensitive data or systems.
Some elements of the approach are outlined below, and many vendors offer network equipment and software tools that address various aspects of ZTA. Effective cybersecurity is not cheap. Note, however, that these technical tools are necessary but not sufficient: employee awareness, training and commitment are just as vital to the success of any cybersecurity plan.
HOW?
The most important technical capabilities needed for ZTA are strong identity and access management (IAM), micro-segmentation of the network architecture to isolate different parts of the network from each other, and continuous monitoring and threat detection.
For IAM, a basic step is to implement multi-factor authentication (MFA) so that a stolen password alone is not enough to log in as an authorized user. Most definitions of ZTA also require implementing the "Least Privilege" principle, similar to the "need-to-know" requirement used in controlling classified information: every user should have the access permissions needed to do their job, and no more! Role-Based Access Control (RBAC) can be used to assign every user a predefined role and restrict them to the permissions allowed for that role, with anything not explicitly granted denied by default. Privileged accounts (administrators, service accounts) need to be closely controlled and audited.
Devices accessing the network also need to be authenticated and validated, including checking their configuration, patch level and compliance with your cybersecurity requirements, and a device that falls out of compliance should lose access until it is fixed. In particular, BYOD access to corporate networks (and corporate e-mail) should be rigorously controlled.
Micro-segmentation is the process of dividing an enterprise network into smaller, isolated segments to minimize the risk of lateral movement in the event of a security breach. Use network switches and routers that support VLANs, or software-defined networking (SDN) technologies that enable the creation of virtual networks. Note that splitting the network into segments only helps if traffic between segments is filtered with a default-deny policy that allows just the flows each segment legitimately needs; a VLAN with unrestricted routing to every other VLAN provides no isolation at all.
To implement continuous monitoring and threat detection, deploy security information and event management (SIEM) tools (either cloud-based or server-based), endpoint detection and response (EDR) solutions, and intrusion detection systems (IDS) to detect and respond to threats in real time. The access decisions made by your IAM and segmentation controls should themselves be logged and fed into these tools, because a burst of denied requests from one account or device is often the first visible sign of a compromise.
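The paragraphs above describe the pieces separately; the following is an added example (not code from the article or from Two Rabbits Advisors) showing how they combine into one per-request decision, the "policy decision point" of NIST SP 800-207. Every request is checked for MFA, role-based least privilege, device posture and permitted network segment, denied by default if any check fails, and written to an audit log; a simple correlation rule over that log then flags the kind of repeated denials a SIEM would alert on. The roles, segments, device identifiers and sample requests are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Role -> permitted (resource, action) pairs. Least privilege: anything not
# listed here is denied. (Constructed example data.)
ROLE_PERMISSIONS = {
    "accounting": {("ledger", "read"), ("ledger", "write")},
    "sales":      {("crm", "read"), ("crm", "write"), ("ledger", "read")},
    "it-admin":   {("ledger", "read"), ("crm", "read"), ("backup-server", "admin")},
}

# Actions that change state or grant control: only from a managed device.
PRIVILEGED_ACTIONS = {"write", "admin"}

# Micro-segmentation: which network segments may reach which resource.
SEGMENT_ACCESS = {
    "ledger":        {"corp-finance", "vpn"},
    "crm":           {"corp-sales", "vpn"},
    "backup-server": {"mgmt"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool     # company-owned / enrolled in device management
    compliant: bool   # patched, disk encrypted, EDR agent running


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool
    device: Device
    segment: str      # network segment the request arrives from
    resource: str
    action: str


@dataclass
class PolicyDecisionPoint:
    audit_log: list = field(default_factory=list)

    def evaluate(self, req: Request) -> tuple[bool, list[str]]:
        """Return (allowed, reasons). Every failed check is a reason; a
        request is allowed only when no check fails (deny by default)."""
        reasons = []
        if not req.mfa_verified:
            reasons.append("mfa-required")
        if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
            reasons.append("not-permitted-for-role")
        if req.segment not in SEGMENT_ACCESS.get(req.resource, set()):
            reasons.append("segment-not-allowed")
        if not req.device.compliant:
            reasons.append("device-noncompliant")
        if req.action in PRIVILEGED_ACTIONS and not req.device.managed:
            reasons.append("privileged-action-needs-managed-device")
        allowed = not reasons
        # Every decision, allowed or not, is recorded for the SIEM.
        self.audit_log.append({
            "user": req.user, "device_id": req.device.device_id,
            "resource": req.resource, "action": req.action,
            "decision": "allow" if allowed else "deny", "reasons": list(reasons),
        })
        return allowed, reasons


def repeated_denials(audit_log: list, threshold: int = 3) -> dict:
    """SIEM-style correlation rule: (user, device) pairs with at least
    `threshold` denied requests, a common sign of a compromised account
    probing for what it can reach."""
    counts = Counter((e["user"], e["device_id"])
                     for e in audit_log if e["decision"] == "deny")
    return {key: n for key, n in counts.items() if n >= threshold}


def run_demo():
    pdp = PolicyDecisionPoint()
    alice_laptop = Device("lt-0101", managed=True, compliant=True)
    alice_phone = Device("byod-0420", managed=False, compliant=True)   # BYOD
    bob_laptop = Device("lt-0102", managed=True, compliant=True)
    carol_laptop = Device("lt-0103", managed=True, compliant=True)
    carol_stale = Device("lt-0199", managed=True, compliant=False)    # unpatched
    requests = [  # constructed sample traffic
        Request("alice", "accounting", True, alice_laptop, "corp-finance", "ledger", "write"),
        Request("alice", "accounting", True, alice_phone, "vpn", "ledger", "read"),    # BYOD may read
        Request("alice", "accounting", True, alice_phone, "vpn", "ledger", "write"),   # but not write
        Request("bob", "sales", True, bob_laptop, "corp-sales", "ledger", "write"),
        Request("carol", "it-admin", False, carol_laptop, "mgmt", "backup-server", "admin"),
        Request("carol", "it-admin", True, carol_stale, "mgmt", "backup-server", "admin"),
        Request("carol", "it-admin", True, carol_laptop, "mgmt", "backup-server", "admin"),
        # bob's account probing a resource his role and segment never need:
        Request("bob", "sales", True, bob_laptop, "corp-sales", "backup-server", "admin"),
        Request("bob", "sales", True, bob_laptop, "corp-sales", "backup-server", "read"),
    ]
    decisions = [pdp.evaluate(r) for r in requests]
    return decisions, repeated_denials(pdp.audit_log)


if __name__ == "__main__":
    for (allowed, reasons) in run_demo()[0]:
        print("allow" if allowed else "deny", reasons)
    print("alerts:", run_demo()[1])
```

The point of the example is the shape of the decision, not the specific rules: identity, role, device and network location are all inputs to every request, and a request that used to be waved through because it came from "inside" is now denied unless each check passes. The same audit entries that enforce the policy are what the monitoring layer needs to spot an account that has started probing.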
Employee awareness and commitment remain critical, so conduct regular cybersecurity training sessions to educate employees about best practices, phishing scams, and the importance of password hygiene. Ensure you have an adequate backup regime (online and offline) to restore critical data after a breach or ransomware attack, and test that you can actually restore from those backups before you need them.
For SMBs with limited resources, ZTA can be implemented in phases, focusing on the most critical assets first. Open-source software tools may also be an option. Larger businesses, or those with a larger cybersecurity budget, should consider additional actions, including collaboration with industry-specific Information Sharing and Analysis Centers (ISACs) and third-party assessment or certification against industry standards (such as the CIS Controls, the Secure Controls Framework (SCF) or ISO/IEC 27001). All businesses should develop an Incident Response Plan and designate an Incident Response Team (or person!) to define and control what happens after a breach is detected.
One further consideration for larger enterprises is to assess cybersecurity efforts in the broader context of corporate governance. Your business may already be required to comply with other data security requirements, such as:
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- (In California) – California Consumer Privacy Act (CCPA)
- (In New York) – New York Department of Financial Services (NYDFS) regulations
If so, you should review the specific requirements of these regulations and ensure that your ZTA plans are consistent with them.
WHAT NEXT?
Don’t panic – moving to ZTA is a major undertaking, but the rewards will outweigh the challenges. ZTA will let businesses stay one step ahead of the cybercriminals by proactively identifying and mitigating risks. The key is to foster a culture of cybersecurity awareness and resilience throughout the organization. By inspiring employees to embrace best practices, promoting continuous learning, and investing in robust cybersecurity solutions, business executives can lead the charge in safeguarding valuable assets and maintaining the trust of their customers and partners.
About The Author, Two Rabbits Advisors
TwoRabbits Advisors was founded by Henry Silcock, a veteran defense industry executive, former CTO of two high-tech small businesses, and currently a member of the Ithaca College (NY) Cybersecurity Advisory Board.
TwoRabbits specializes in strategic thinking for small businesses and provides consulting services for systems development, business and project planning, corporate due diligence and cybersecurity. We focus on specialized information security and support for regulatory compliance.