Vibin Shaju, Presales Director, EMEA Enterprise, McAfee, tells us how a Zero Trust model can create a strong foundation for holistic security and why it is required, particularly as the Coronavirus pandemic caused a surge in the number of data breaches.
Prior to the emergence of the COVID-19 pandemic, the business case for cloud computing had been convincingly established. Business agility, control over IT costs and significant reductions in complexity were all there for the taking. All that remained was for forward-thinking stakeholders to take the plunge.
Some of the last hurdles to be cleared in winning over die-hard doubters were compliance issues — particularly those imposed by regional governments on the issue of data residency. AWS, Microsoft and Oracle all established cloud data centres in the GCC region before the pandemic, in part to address data residency concerns across the Middle East.
Then COVID put public and private organisations across the region on the back foot. Before long, however, enterprises dusted themselves off and headed for the cloud, not for the convincing business case, but out of necessity. Industry pundits spent the next few months revising cloud-spend projections upwards. Mid-2020 predictions from IDC, for example, foresaw Middle East, Turkey and Africa (META) cloud investment hit US$6.5 billion by 2024.
The other shoe…
Amid this mass migration, an unwelcome — but not altogether unforeseeable — by-product reared its ugly head. Digital opportunists, driven by the perceived unpreparedness of cloud migrators, took advantage of new vulnerabilities, and struck. The UAE alone faced a 250% increase in cyberattacks in 2020 and the government’s own Head of Cybersecurity attributed much of the surge to WFH conditions.
IT teams had delivered on productivity, employee satisfaction and business agility, but failed to account for the hunger and effectiveness of bad actors. It is an unfortunate fact of cloud life that hybrid architectures that require sensitive data to cross several corporate boundaries make for tempting targets. In addition, those working from home do so on devices that may not be sufficiently updated to account for software vulnerabilities.
The convenience of quick delivery was impossible to refuse. Being able to go — almost overnight — from a cumbersome, on-premises business with little or no capacity for remote work, to an agile, work-from-anywhere enterprise with scalable infrastructure and predictable costs was something no business could pass up when faced with the realities of lockdowns and social distancing.
Perimeters become irrelevant
But every element — device, platform, service, domain — added to the corporate network during the transition brought risk to the business. The attack surface ballooned and personal data and intellectual property found themselves in new jeopardy. Indeed, to the cybercriminal, the Coronavirus was the gift that kept on giving. They cynically leveraged the pandemic in phishing campaigns, posing as health providers or global medical research centres to lure a fearful public to fake websites or other unsafe resources. Other campaigns simply exploited known vulnerabilities in widely used applications to gain access to networks.
Such campaigns end with an attack that has already breached the perimeter. If preventative measures such as firewalls, VPNs and security information and event management (SIEM) are all that exist to protect sensitive data, they will fail in these new hybrid environments.
Simplicity in hybrid networks is reserved for the end-user. Complexity is the architectural reality, and that complexity can lead to problems in a miasma of cloud services and applications. IT may try to rein in users and their devices by patching together a tapestry of solutions, but multi-vendor suites only add more headaches. And they can make life difficult for threat responders when it comes to chasing down an alert. Too many false positives make effective mitigation and response problematic at best.
Who do you trust?
As a remedy, we should adopt a model that carries a default distrust of users, devices and applications, and centres on identity management to keep unwanted parties at bay. In this Zero Trust model, IT teams are back in the driver’s seat, with control over the entire network and every component and process within it.
The health of a device, the user’s location when accessing the network and a host of other factors will come together to give a trust assessment that controls access based on risk. In the cloud-first universe, Zero Trust can reduce threat levels while enhancing compliance. The resultant view for threat assessors is one of user behaviours and device usage mixed with data flows and business processes. This is instrumental in providing a comprehensive real-time picture of emerging threats, which allows rapid action and prevention.
To implement Zero Trust well, IT stakeholders must establish a roster of users and their access levels to data and services. Privileges should follow a strict recipe of trust combined with corporate need. Sensitive material, for example, should be made accessible only to a confirmed identity who needs it for their work.
Bad actors beware
Under Zero Trust practices, identity confirmation should include Multi-Factor Authentication (MFA). Rapid detection of anomalies requires constant monitoring of data transfer and user behaviour. MFA should apply to any major transfer or content access, even if a user is already running an authenticated network session.
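The trust assessment, need-to-know roster and step-up MFA described above, sketched as a small policy engine. This is an added example, not McAfee's code or any product's; the roster, risk weights and transfer threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed roster: which identities need which resources for their work.
# Anyone absent from a resource's entry has no business need and is refused.
ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"payroll-db": "sensitive", "wiki": "normal"},
    "bob": {"wiki": "normal"},
}

MAX_NORMAL_TRANSFER = 50 * 1024 * 1024  # assumed cut-off for a "major transfer"

@dataclass
class Request:
    user: str
    resource: str
    authenticated: bool     # the network session is already authenticated
    mfa_completed: bool     # MFA was completed for this specific action
    device_patched: bool    # device health signal
    device_managed: bool    # device health signal
    location_known: bool    # user is accessing from a previously seen location
    bytes_requested: int

def risk_score(req: Request) -> int:
    """Combine device health and location into one risk figure (higher = riskier)."""
    score = 0
    if not req.device_patched:
        score += 40
    if not req.device_managed:
        score += 30
    if not req.location_known:
        score += 20
    return score

def decide(req: Request) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step-up'."""
    if not req.authenticated:
        return "deny", "no authenticated session"
    classification: Optional[str] = ROSTER.get(req.user, {}).get(req.resource)
    if classification is None:
        return "deny", "identity not entitled to this resource"
    risk = risk_score(req)
    if risk >= 60:
        return "deny", f"device/location risk too high ({risk})"
    sensitive = classification == "sensitive"
    major = req.bytes_requested > MAX_NORMAL_TRANSFER
    # Sensitive content, a major transfer or any elevated risk needs MFA,
    # even though the session itself is already authenticated.
    if (sensitive or major or risk >= 20) and not req.mfa_completed:
        return "step-up", "MFA required for this action"
    return "allow", "trusted identity, healthy device, ordinary request"
```

Each decision carries its reason so that monitoring can record why an access was stepped up or refused, which is the signal the constant-monitoring requirement above relies on.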
Distrust by default may seem distasteful, especially if corporate culture encourages person-to-person trust among team members. Culture changes may require a strong messaging campaign that stresses that digital Zero Trust in no way impugns the character of employees. On the contrary, it is designed to protect them and the company from nefarious outsiders whose motivations are far from charitable.
Zero Trust creates a strong foundation for holistic security, which empowers IT with control over — and confidence in — their environment. The system means bad actors will never be able to provide verified credentials and will be denied access to sensitive data in the cloud. And finally, the cloud can live up to its reputation as a best-of-all-worlds breeding ground for agility and innovation.