What is Zero Trust?
If you’ve read about security trends lately you might have run across the buzzword “zero trust”. I have to admit, it took me a while to understand this term fully – and that’s because there are a variety of definitions out there. When it comes down to it, zero trust is a way to approach cybersecurity that requires all users inside or outside of an organization to verify their identity. The approach essentially assumes that no person, device, or digitally generated request (think “i am not a robot👾) can be trusted to access business assets prior to authentication.
Why is zero trust needed?
Do you know the most common way for attackers to break into your organization? They pretend to be someone the organization already knows. That could be an employee, a vendor or even a customer. Identities are a hot commodity on the dark web. Stolen usernames and password databases are easily available for purchase. Cybercriminals know that if you’ve used a username and password for one login you might have used it somewhere else.
Your digital identity has become the new perimeter for organizations to defend. We’ve moved corporate-approved devices to personal phones, tablets, watches, and any device that requires data and application access. With employees continuing to work from multiple locations and devices, IT departments have lost visibility and control.
How are attackers exploiting my identity?
Threat actors use a variety of methods when using your credentials to attack an organization – some of the most common are:
- Credential Stuffing: obtained credentials are used to attempt to log into another service. Attackers are thinking: “maybe they used their Netflix password for their email password”. But attackers are using a whole database of information just hoping one will work and grant them access.
- Multi-Factor Authentication Bypass: Multi-Factor Authentication (MFA) is typically used to prove you are who you say you are. When you sign into an account – you have to verify on another device that you meant to log into that account. So even if an attacker had your login information, they couldn’t verify on your secondary device that they were you. However, attackers found a way around that. They work to tire you out. They will keep requesting you to approve the login until you give in. There are stories of an attacker sending the request over 500 times until the user gave in.
What goes into a zero-trust approach?
A zero-trust security strategy follows a few core ideas: continuous verification, limiting the damage, and the right information to make decisions.
- Continuous verification: “Never Trust, Always Verify” must become your way of life. There is no person or device that’s trusted at any time. Why? Because people are not static. They evolve and change with their roles, profiles, habits, and positions. Life is a dynamic thing that requires an evolving state of protection.
Now the question is how do you continue to ask someone if they’re real without annoying them? You can implement risk-based access. A user can log in once and will only be asked to log in again once their risk changes. That could mean that they’ve gone to a malicious site that’s flagged by your monitoring systems or approved a new device. They may not have malevolent intent. They simply want to improve their productivity with unapproved applications.
- Limiting the damage: The key to maintaining a healthy balance between the desire to perform better and malicious intent is visibility that provides an automated response. Only giving people or applications access to the information that they truly need access to is important. Taking action first, followed by an assessment of the situation, supports the balance of protection and the changing business needs of each individual.
- The right information: Your organization needs to gather a variety of information in order to make the most effective security decisions. You need to know who you’re protecting, what workloads, endpoints, and networks need protecting and what standard behavior looks like so your system knows what peacetime looks like and what wartime looks like. And then translate your approach into automated policy enforcement. This is a daunting exercise that can be simplified with pre-populated application templates and the flexibility to adjust by use case as needed.
How can Lumen help?
Implementing a Zero Trust Network Access (ZTNA) solution can help your organization move away from weak and ineffective components in your security architecture and solve a variety of challenges, including consistent security strategies across hybrid environments, securing remote workers and unifying security across legacy and modern IoT devices. Again, the up-front work of zero trust adoption requires expertise that many businesses may not have in-house. Lumen provides multiple managed service options to lay the foundation for a successful transition to zero trust including and management implementation. Lumen’s Secure Access Service Edge (SASE) combines network, edge computing and security (with ZTNA) to provide your organization with a holistic approach to defending against the ever-changing threat landscape.
Find out how your organization can add SASE and implement zero trust.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.