The White House recently released a new cybersecurity strategy which seeks to curtail the risk of cyberattacks against government infrastructure. It sends a very clear message, with specific emphasis on government agencies adopting a zero-trust approach in the face of cybercrime against the US government. Whether or not this is long-overdue action in the wake of the SolarWinds attack, a breach that massively affected the US government and its corresponding infrastructure, it is certainly welcome news for those who champion the zero-trust methodology as a system of approaches that offers robust defence against cybercrime.
Over here in the UK we rely on the National Cyber Security Centre (NCSC) to guide us in all things cybersecurity. The NCSC is an organisation of the UK Government that provides advice and support for the public and private sectors on how to avoid computer security threats. Its parent organisation is GCHQ. So, in light of the news from the US, what has the UK Government done to protect itself and its institutions in the war against cybercrime, and should it follow suit with a rallying cry for zero trust?
There has been much discussion regarding organisations moving towards what is known as a zero-trust architecture: effectively a cybersecurity methodology whereby users and devices alike are granted permission to access only the network resources necessary for the particular task they are working on, with the proviso that the requisite authentications are raised on a case-by-case basis. The concept of zero trust is basically to trust nobody and adopt the default position of denial: assume that everyone has bad intentions until you can robustly prove that they do not.
It is likely that the idea behind zero trust is based on the impossibility of defending against every type of cyber-attack; there is no magic bullet here. So, if you cannot control the tide of threats and every new nasty bug, what can you control and where is it best to employ your energy? Well, you can take greater control over system access. It is measurable and it is quantifiable. And so, by shining the spotlight on system access you gain greater overall control when it comes to your organisation's security. Think of zero trust as a theme: it is not a single off-the-shelf product or solution.
So, what are some of the elements that make up a zero-trust approach?
Stronger enterprise identity
Identity and access management (IAM) addresses the need (under the mantle of zero trust) for the appropriate individuals to access the correct resources at the right times and for the right reasons. IAM has become increasingly relevant as technology environments shift, driven largely by the increasingly varied ways in which we work. In the good old days, the vast majority of people worked in a physical office using office PCs and technology, with a physically centralised network and very clearly defined network perimeters. These days, thanks to the emergence of cloud computing and remote working due to COVID, workers want access to the same company resources but from myriad locations and a variety of hardware (smart devices, mobiles, laptops etc.). Throw in a good dose of increasingly rigorous compliance requirements, and it is clear that a robust mechanism should be in place to maintain high levels of security.
Multi-factor authentication (MFA)
Multi-factor authentication falls under the remit of IAM. MFA is an electronic authentication method whereby users are given access to resources (websites, apps etc.) only after successfully presenting two or more pieces of evidence (otherwise known as factors) to a mechanism that can grant authentication. MFA therefore protects data from being accessed by cybercriminals who ordinarily could do so by knowing a single password. Within the scope of MFA we have hardware authentication: basically, user authentication that employs a physical device along with a password to enable access to resources. You might be familiar with this if you use online banking and get sent a one-time password (OTP) to your smart device which needs to be input along with your usual credentials. In this scenario, without the OTP a hacker in possession of a user's password is unable to gain access to the system.
Interestingly, the White House's proposed strategy specifically addresses hardware-based authentication tokens like access cards, rather than push notifications or SMS. Others see problems with hardware-based authentication devices because loss or theft of the device leaves the user with a login headache.
Another important zero-trust architecture design principle is that each and every device your organisation owns should be uniquely identifiable in a single device directory. This allows you to manage your assets efficiently and gives a clear and concise picture of all of the devices that access your services and data. When you come to define zero-trust policies, compliance and health claims from a device are used to make decisions about which data it can access and the actions it can perform. Without a strong device identity, these claims cannot be validated. Under the recently announced US strategy, agencies were instructed to produce a complete inventory of every device authorised and operated for official business, which would then be monitored under Cybersecurity and Infrastructure Security Agency (CISA) specifications.
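To make the MFA and device-identity points above concrete, here is an added example (not code from the article or from any government guidance) of a default-deny access decision: a request is allowed only when the user has presented at least two factors, the device is in the organisation's device directory and assigned to that user, the device's health claim agrees with the directory's compliance record, and the user's role is permitted for the resource. The device directory, resource policy, user names and claim fields are all constructed for illustration.

```python
# Added example: a minimal zero-trust access decision that defaults to deny.
# Every name, device id, claim and policy entry below is constructed for
# illustration and does not correspond to any real organisation.
from dataclasses import dataclass

# Constructed device directory: one entry per organisation-owned device,
# recording its assigned owner and whether it currently meets compliance.
DEVICE_DIRECTORY = {
    "LAPTOP-0042": {"owner": "alice", "compliant": True},
    "LAPTOP-0077": {"owner": "bob", "compliant": False},  # e.g. patches overdue
}

# Constructed per-resource policy: which roles may reach which resource.
RESOURCE_POLICY = {
    "payroll-db": {"finance"},
    "wiki": {"finance", "engineering"},
}


@dataclass
class AccessRequest:
    user: str
    roles: set               # roles asserted for the authenticated user
    factors_presented: int   # distinct authentication factors already verified
    device_id: str
    device_claims: dict      # health/compliance claims sent by the device itself
    resource: str


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Any path that is not an explicit allow is a deny."""
    if req.factors_presented < 2:
        return False, "mfa-required"
    device = DEVICE_DIRECTORY.get(req.device_id)
    if device is None:
        # Not in the inventory: its claims cannot be validated, so deny.
        return False, "unknown-device"
    if device["owner"] != req.user:
        return False, "device-not-assigned-to-user"
    # A device's own "I am compliant" claim is only trusted when the directory agrees.
    if not (req.device_claims.get("compliant") and device["compliant"]):
        return False, "device-not-compliant"
    allowed_roles = RESOURCE_POLICY.get(req.resource, set())
    if not (req.roles & allowed_roles):
        return False, "role-not-permitted"
    return True, "allowed"
```

Note that an unlisted resource has an empty allowed-role set, so it is denied to everyone until a policy entry is added.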
The case for zero trust is watertight, so it is no wonder the US is leading the way here. With the technology environment shifting and traditional office-based computing having practically disappeared, the challenges for IT security are myriad. It makes sense to control what you have the power to control, an approach instilled within zero trust. Let's hope the UK's Parliament takes heed.