Why extending the breadth of zero trust can improve IT security
The concept of taking a “zero trust” approach to IT security has been around for more than a decade, yet it’s taken a viral pandemic to get many Australian law firms to take it seriously, writes Jim Cook.
IT teams faced with the challenge of providing large numbers of home-based workers with access to both on-premise resources and cloud platforms are coming to realise that zero trust can deliver value. It can provide the level of protection required while also allowing adequate performance so staff can get their jobs done.
At its heart, a zero-trust architecture (ZTA) relates to the idea that users should have only the bare minimum of access they need to perform their role. They should not have access to areas of the network, data, and applications that they do not specifically require.
From proof comes trust
The adoption of zero trust means a firm should trust no entity that attempts to access its IT infrastructure. Instead, each entity must continually prove that it has the necessary rights and permissions to access a given area or asset.
Even if a particular user has a valid username and password, the system doesn’t automatically assume that person to be a trusted party. With effective ZTA in place, the network will continue to provide access only to areas for which the particular user has specific permissions. The right security tools can flag the user’s behaviour as suspicious and raise an alert if they attempt to access something outside their usual purview.
Essentially, five elements are critical to establishing a successful ZTA: device trust, user trust, transport/session trust, application trust, and data trust. Currently, most zero-trust technology focuses on the user and device trust areas. However, the other areas are becoming increasingly important in today’s world.
Rather than addressing zero trust just from an identity viewpoint, which is what most organisations are doing, security teams should also add breadth to their programs by addressing it from a controlled access standpoint.
Balancing control and usability
It can be helpful to think about zero trust in terms of a business need to have secure access to digital resources in a way that doesn’t negatively impact users or operations. One way to achieve this is to adopt the element of “data trust”.
Rather than granting blanket access to validated users, a business should hide specific files and data from those who don’t have the authority to access them. This action, in turn, strengthens data protection beyond user-level permissions without impacting authorised users.
By hiding objects such as files, folders, or mapped network and cloud shares, a firm prevents cyber criminals from finding or accessing the data they seek. Taking this approach can serve as a powerful defence against data theft and ransomware attacks.
Simultaneously, the “application trust” element takes the concept of effective security well beyond user privileges. Focusing only on whether a query is authorised isn’t sufficient because it’s also vital to consider the application invoking that query.
Taking this approach, an IT security team can prevent unauthorised access from applications such as the Windows command line or PowerShell, neither of which regular users would typically use to access data.
The “application trust” element can also help identify and deflect attackers who probe open ports and services in search of something to compromise. Identifying this type of activity will allow security teams to take prompt action to expel an attacker from a network or misdirect them to a decoy environment.
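To make the five trust elements concrete, here is an added Python example (not code from the article or from Attivo Networks) that evaluates one access request against device, session, data and application trust in turn, hiding resources the user's role does not cover and denying reads that arrive from an interactive shell. The share paths, role names and process names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One attempt by a user to reach a resource (constructed sample input)."""
    user: str
    roles: frozenset
    device_managed: bool   # device trust: endpoint enrolled in management
    session_mfa: bool      # session trust: MFA satisfied for this session
    process: str           # application trust: executable issuing the query
    resource: str          # data trust: the share or file requested


# Hypothetical policy table: which roles may see a resource and which
# applications are expected to read it. Names and paths are made up.
RESOURCE_POLICY = {
    r"\\fs01\matters\smith-v-jones": {"roles": {"litigation"}, "apps": {"winword.exe", "acrobat.exe"}},
    r"\\fs01\finance\trust-account": {"roles": {"finance"}, "apps": {"excel.exe"}},
}
# Interactive shells are never an expected client for document shares.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def evaluate(req: AccessRequest) -> tuple:
    """Check each trust element in turn; return (decision, reason).

    'hide' means the resource is not shown at all, which is how the data
    trust element keeps unauthorised users from even discovering it.
    """
    if not req.device_managed:
        return "deny", "device trust: request from an unmanaged device"
    if not req.session_mfa:
        return "deny", "session trust: MFA not satisfied"
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None or not (req.roles & policy["roles"]):
        return "hide", "data trust: no role grants visibility of this resource"
    proc = req.process.lower()
    if proc in INTERACTIVE_SHELLS or proc not in policy["apps"]:
        # A valid user reading via cmd.exe or PowerShell is the case the article
        # describes: authorised identity, unexpected application, so deny and alert.
        return "deny", f"application trust: {req.process} is not an expected client"
    return "allow", "all trust elements satisfied"


def visible_resources(roles: frozenset) -> list:
    """The listing a user sees: only resources one of their roles may access."""
    return sorted(r for r, p in RESOURCE_POLICY.items() if roles & p["roles"])
```

A real deployment would feed the "deny" reasons to the SIEM, since a valid user reaching a share through PowerShell is exactly the signal the article says should raise an alert.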
Taking a broader approach
User and device trust are vital elements in a strategy that ensures only authorised parties gain access to digital resources. However, on their own they are not enough to stop attackers who impersonate a real user from gaining access.
When a business adds conditional trust for applications and data, it creates a genuinely comprehensive architecture. Also, hiding sensitive or critical assets, such as data, credentials, and the Active Directory objects needed for privilege escalation, can efficiently prevent attackers from reaching them with unauthorised tools or resources. And, because an organisation can tailor these solutions to avoid interfering with daily operations, they make a valuable and frictionless addition to any zero-trust architecture.
Zero trust is not a new concept. However, recent innovations that support least privilege or limited trust have now made this a feasible framework for Australian law firms. By taking the time to understand the strategy and have a layered approach to trust, organisations will maintain effective security even when large portions of their workforces continue to operate remotely.
Jim Cook is the ANZ regional director at Attivo Networks.