Why is Zero Trust more important than ever before?

Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at National University of Public Service

Created: 2021-10-18

In the age of ransomware and supply chain attacks, how can organizations defend themselves? One of the possible answers is Zero Trust.

If we wanted to highlight the two most serious cyber threats of 2021, they would undoubtedly be ransomware and supply chain attacks. According to data from the Information Commissioner’s Office in the UK, 22% of reported cyber incidents were ransomware in H1 of 2021, which is double in comparison to the previous year. We can mention the notable Colonial Pipeline or JBS cases, which have set alarm bells ringing among cybersecurity experts. Supply chain attacks are not as visible as ransomware, as they stay under the radar, because they are mostly used by nation-state actors who want to steal information or prepare for a large-scale cyber operation. The Solarwinds attack is a good example of this attack vector.

The one-million-dollar question is, how can we defend ourselves? Ransomware groups are always able to find that one person who will click on that one PDF file with a payload. APT groups have almost unlimited resources to carry out a supply chain attack. Meanwhile, organizations have a very limited budget and technology for defense. Even the well-resourced U.S. government had to admit that it can’t protect the federal IT systems and needs to improve both legislation and human/technology resources.

One of the major advantages of the U.S. government is that it can write legislation and provide money for technology. On 12 May 2021, U.S. President Joe Biden announced his Executive Order 14028 on Improving the Nation’s Cybersecurity. Its major message is that “the Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks, and invest in both technology and personnel to match these modernization goals.”

Surprisingly, none of the above-mentioned technologies are new. Cloud technology has been widely used for more than ten years. The Zero Trust security model is even older; it was first mentioned in 1994, though it became widely known at the beginning of the 2000s. Widely known, but not yet that popular. The reason is that the adaption of the Zero Trust principles requires the redesign of the whole security architecture. CISA’s Zero Trust Maturity Model defines seven requirements for a Zero Trust architecture:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Though Zero Trust is more about cultural change than tons of new products, that doesn’t mean it is a completely painless process. Even so, it’s the right time to start this cultural change. It is true that it perhaps should have been done at the beginning of the last decade, when end-users first began using their own devices (BYOD). Mid-2010 might also have been a suitable time, as companies started turning to the cloud. The good news is that we also have momentum in this area currently, as remote working has become the new norm in the last one-and-a-half years thanks to COVID. When everything is traveling in the same direction anyway, why not begin implementing Zero Trust now? Current threats can’t be managed without Zero Trust, legislation requires its implementation, and digital infrastructures are shifting to a more inclusive setup. And when it comes to digital infrastructure, although we wrote that the Zero Trust principle is more of a cultural change than a new technology, it doesn’t mean there aren’t advanced products that could help with the transition. We at Balasys are working on and with technologies that are perfectly suited to this kind of architecture.