
Zero Trust Model: How to Prevent Data Breaches
Despite the massive investments poured into cybersecurity, data breaches keep happening. 15% of companies globally stated that sensitive data was probably breached in 2016, and that’s probably an underestimate. Many companies are unwilling to publicly acknowledge data breaches — or may not even be aware of one when it occurs.
There are many causes for the surge in data breaches, but many common cybersecurity problems come down to this: The old paradigm of cybersecurity — focused on protecting the perimeter of a network — just doesn’t work well in a modern computing environment. We need a new framework, the Zero Trust model.
While older forms of cybersecurity rest upon the old adage “trust but verify,” the Zero Trust model can be better defined as “never trust and always verify.”
The principles behind Zero Trust
Forrester Research first coined the term “Zero Trust.” The basic idea behind the paradigm is that no one should be automatically trusted with sensitive data, end users included. Therefore, the default should be to provide users with access that is as limited as possible. Internal activity needs to be monitored carefully and users must authenticate themselves multiple times when necessary.
Zero Trust acknowledges the reality of today’s networking environment. The uncomfortable truth is that many data breaches are caused by internal users’ actions, whether accidental or deliberate. Verizon’s 2016 Data Breach Investigations Report found that 30% of all users will open phishing emails, with 12% clicking on malicious attachments. Only 3% of targets will report the phishing incident to upper management.
As the Bring Your Own Device (BYOD) trend grows, the need to better regulate internal traffic and users is more urgent than ever before. BYOD devices are oftentimes highly attractive to hackers because they offer easier access to sensitive corporate data. This was recently demonstrated in a breach of Bithumb, a South Korean cryptocurrency exchange.
The Zero Trust model is recommended by a report issued by the U.S. House of Representatives Committee on Oversight and Government Reform. By implementing a Zero Trust network, organizations can accommodate new technological trends such as BYOD and the cloud without providing open access to sensitive data.
Putting Zero Trust into practice
So that’s the principle behind Zero Trust. To put Zero Trust into practice, your infrastructure must pay attention to users, devices, and the network. Here’s how that works.
Zero Trust on users: It is easy to obtain user credentials through popular methods such as phishing, social engineering, and keyloggers. This is particularly true if passwords are your only form of authentication. Even two-factor authentication, long seen as the gold standard, has serious limitations. For more on why passwords are inadequate authentication, see this article on password myths.
Zero Trust on devices: Assume that every device can be hacked and implement appropriate protections. Your employees will probably be using BYOD policies, so you’ll need to implement policies for monitoring those devices and traffic.
Zero Trust on networks: It is very possible for networks to be compromised from the inside. In anticipation of this threat, networks should be internally segmented so that access to the network doesn’t mean access to all corporate data. Trusting the network is even more difficult if employees work from home or anywhere else outside of the company’s network.
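The three checks just described (user, device, network) only work if every one of them must pass on every request, with anything unrecognised denied. The following is an added example, not code from the original post or from NoPassword; the roles, network segments, resource names and the policy table are constructed for illustration.

```python
"""Added example: a default-deny policy check that combines the user,
device and network signals described above. The roles, segments,
resource names and policy table are constructed for illustration and
are not from the original post or from any vendor product."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]     # roles assigned through provisioning
    auth_strength: str        # "password", "mfa" or "passwordless"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in corporate device management
    compliant: bool           # passed the latest posture check


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    source_segment: str       # network segment the request originates from
    resource: str


# Ranking of authentication methods; each policy names the minimum it accepts.
AUTH_RANK = {"password": 0, "mfa": 1, "passwordless": 2}

# Per-resource policy (constructed). A resource is reachable only from the
# listed segments, only by the listed roles, and only with at least the
# named authentication strength.
RESOURCE_POLICY = {
    "hr-payroll": {"roles": {"hr"}, "min_auth": "passwordless",
                   "segments": {"hr-seg"}, "managed_only": True},
    "wiki": {"roles": {"staff", "hr"}, "min_auth": "mfa",
             "segments": {"corp", "hr-seg", "vpn"}, "managed_only": False},
}


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request. Every check must pass; anything unknown is denied."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource (default deny)"
    if not (req.user.roles & policy["roles"]):
        return False, "user holds no role entitled to this resource"
    if AUTH_RANK.get(req.user.auth_strength, -1) < AUTH_RANK[policy["min_auth"]]:
        return False, "authentication too weak, need " + policy["min_auth"]
    if policy["managed_only"] and not req.device.managed:
        return False, "unmanaged (BYOD) device may not reach this resource"
    if not req.device.compliant:
        return False, "device failed its posture check"
    if req.source_segment not in policy["segments"]:
        return False, "segment " + req.source_segment + " may not reach this resource"
    return True, "user, device and network checks all passed"


if __name__ == "__main__":
    alice = User("alice", frozenset({"hr"}), "passwordless")
    laptop = Device("lt-01", managed=True, compliant=True)
    # Same user, same device: allowed from the HR segment, denied from the
    # general corporate segment, which is what internal segmentation buys.
    for seg in ("hr-seg", "corp"):
        print(seg, decide(Request(alice, laptop, seg, "hr-payroll")))
```

The point of the ordering is that no single signal is sufficient: a fully entitled user on a managed, compliant device is still refused when the request arrives from a segment the resource is not published to, and a device that merely sits on the internal network gains nothing from that alone.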
Three steps towards implementing Zero Trust
To improve your cyber safety and begin the process of implementing Zero Trust, start by taking these three steps:
- Rethink your reliance on passwords and two-factor authentication. As long as passwords remain your primary method of authentication, you are reliant on users to secure company data — a dubious proposition. Consider no-password authenticators that don’t rely on manual entry of credentials.
- Next, implement continuous authentication. This is the only method to ensure that the end user really is the same person who has access to corporate data and remains so throughout a user session. Although some methods of continuous authentication can be ineffective or onerous for users, NoPassword leverages AI technology to provide continuous and adaptive authentication of users.
- In conjunction with continuous authentication, adopt best practices for user provisioning. Robust user provisioning practices will ensure that the only users who receive access to sensitive data are those who must receive access.
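Steps two and three are easier to reason about with a concrete session model. The following is an added example and is not the post's or NoPassword's code; the risk weights, decay rate, step-up threshold and the role-to-resource table are assumed values chosen for illustration. It shows a session whose confidence is re-scored on every request and drops below a threshold when context changes, and an entitlement lookup that grants only what provisioning explicitly assigned.

```python
"""Added example: continuous re-scoring of a session plus least-privilege
entitlement lookup. The risk weights, decay rate, threshold and the
role-to-resource table are assumed values chosen for illustration; none
of it is the original post's or NoPassword's code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Provisioning record (constructed): each role lists only the resources it
# needs. A resource absent from every role held is simply not granted.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "staff": {"wiki"},
    "hr": {"wiki", "hr-payroll"},
}


def entitlements(roles: Iterable[str]) -> Set[str]:
    """Union of what provisioning explicitly assigned; unknown roles add nothing."""
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted


# Assumed risk weights: how much confidence each observed context change removes.
SIGNAL_PENALTY = {"new_ip": 30, "new_device_fingerprint": 60, "impossible_travel": 100}
DECAY_PER_MINUTE = 2        # confidence fades with time since the last full authentication
STEP_UP_THRESHOLD = 50      # below this the session must re-authenticate before continuing


@dataclass
class Session:
    user: str
    roles: Set[str]
    last_auth_minute: int     # when the user last completed a full authentication
    last_ip: str
    device_fp: str
    penalty: int = 0          # penalties accumulated since last_auth_minute

    def confidence(self, now: int) -> int:
        """Current belief that the person at the keyboard is still the authenticated user."""
        elapsed = max(0, now - self.last_auth_minute)
        return max(0, 100 - DECAY_PER_MINUTE * elapsed - self.penalty)

    def observe(self, now: int, ip: str, device_fp: str,
                extra_signals: Iterable[str] = ()) -> int:
        """Record the context of a new request and return the updated confidence."""
        if ip != self.last_ip:
            self.penalty += SIGNAL_PENALTY["new_ip"]
            self.last_ip = ip
        if device_fp != self.device_fp:
            self.penalty += SIGNAL_PENALTY["new_device_fingerprint"]
            self.device_fp = device_fp
        for signal in extra_signals:
            self.penalty += SIGNAL_PENALTY.get(signal, 0)
        return self.confidence(now)

    def reauthenticate(self, now: int) -> None:
        """Successful step-up: reset the clock and the accumulated penalties."""
        self.last_auth_minute = now
        self.penalty = 0


def authorize(session: Session, now: int, resource: str) -> str:
    """Decide one request within the session: 'allow', 'step-up' or 'deny'."""
    if resource not in entitlements(session.roles):
        return "deny"          # never granted by provisioning; no step-up can fix that
    if session.confidence(now) < STEP_UP_THRESHOLD:
        return "step-up"       # entitled, but identity is no longer sufficiently certain
    return "allow"


if __name__ == "__main__":
    s = Session("alice", {"staff"}, last_auth_minute=0, last_ip="10.0.0.5", device_fp="fpA")
    print(authorize(s, 5, "wiki"))              # allow: fresh session, known context
    s.observe(11, "203.0.113.9", "fpA")         # source address changed mid-session
    print(authorize(s, 11, "wiki"))             # step-up: confidence has fallen below threshold
```

Two design choices matter here. Provisioning and authentication are kept separate: a resource the role was never provisioned for is denied outright, and no amount of re-authentication changes that. Confidence is recomputed from the time of the last full authentication plus everything observed since, so a session that looked fine at login is re-judged on every request rather than trusted for its whole lifetime.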
To see how NoPassword’s system works within a Zero Trust model of cybersecurity, contact us and set up a demo.
Originally published at www2.nopassword.com on July 25, 2017.
