Fortifying the Foundation: Empowering a Zero-Trust Security Paradigm

Zero-trust has become a significant trend in global cybersecurity as organizations adapt to a world where perimeter security no longer offers sufficient protection.

Research by Microsoft reveals that zero-trust is the top priority for security decision-makers, with 96% reporting that they consider it critical to their company’s success. The increase in remote working and the growth of hybrid cloud use have warped the traditional definition of the network perimeter. Recognition that digital transformation has expanded the attack surface has meant that enterprises can no longer rely on securing the perimeter to mitigate threats. Significant supply chain attacks such as SolarWinds and the growth of double-extortion ransomware gangs have helped stimulate the move from static defenses and network-based perimeters to a focus on users, assets and resources.

Zero-trust has come to the fore as an approach that departs from traditional network security, which automatically trusts users and endpoints within the perimeter. Instead, it requires all users, whether from inside or outside, to authenticate themselves and be continuously validated before they are granted access privileges to resources, including data and applications.

It regards all network traffic as untrustworthy, whether in the public cloud, private cloud or on-premises. It assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location (local area networks versus the internet) or asset ownership (enterprise or personally owned). In most, but certainly not all, zero-trust implementations, users must authenticate themselves using multifactor authentication. However, not all approaches to zero-trust are created equally, and care must be taken not to rely on legacy approaches to security while adopting this new philosophy. Otherwise, we risk repeating the same mistakes and getting the same flawed results.

NIST and the Need for Zero-Trust to Evolve

The U.S. government’s listing of zero-trust within a NIST standard has provided a tailwind for zero-trust, converting what had been a buzzword concept into a well-developed foundation for action. Yet, to remain fully hardened against emerging threats, adopting zero-trust must imply adopting new ways of thinking about authorization and less reliance on legacy approaches to security based on the ideology of perimeter defense.


Organizations need a more focused and purposeful zero-trust framework for protecting data. This should encompass zero-trust encryption practices to mitigate data vulnerabilities at rest and eliminate data exfiltration. Companies must also address one of the most significant weaknesses in most zero-trust models: the reliance on centralized identity and access management (IAM).

The authentication on which zero-trust relies is only as good as the directory service or identity provider (IdP) it uses. If either is compromised, the whole system is at the mercy of attackers once they are inside the software-defined perimeter. The frequent checks on identity and privilege are rendered useless, since an attacker can reuse compromised credentials to satisfy multiple authentications, layer after layer.

And while encryption and cryptography are recognized as critical elements of zero-trust, centralized key management renders the approach flawed. Fortunately, this flaw can be eliminated by adopting a distributed key management system that facilitates multifactor encryption. This enables a highly secure method to verify users to decrypt files. It is an approach providing an orthogonal path of verification in relation to standard directory services. It achieves the same goal using an unrelated methodology not tied to directory services.

Distributed Key Management

Distributed key management systems work by splitting encryption keys into shards held across multiple devices. Organizations encrypt their files using 256-bit AES keys, in the cloud or on-premises.

The keys are automatically split between multiple devices or a key shard server. Authorized users decrypt files by tapping an “approve” button on their smartphone, or via servers that are untethered from the enterprise’s directory services. Policies can be defined so that a user is not asked to re-approve for a specified period, keeping the workflow practical for people. In accordance with each organization’s policy, every request is evaluated individually, in line with the zero-trust principle of enforcing least-privilege, contextual access to resources.

A quorum requirement for key shards provides strong security when users attempt to decrypt files: the distributed system requests the required key fragments from the devices of the user attempting to access the file, and access is denied if the quorum is not met.

If decryption events are logged to a SIEM or monitored by a SOC, a mismatch during an attempted decryption will automatically trigger an alert. This removes the danger of attackers evading monitoring systems by taking control of devices through exploits of unpatched vulnerabilities.
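The shard split, quorum check and mismatch alert described in the three paragraphs above, as an added example that is not Atakama's code: it assumes Shamir secret sharing as the splitting method, a SHA-256 hash of the key as the commitment the decryption service checks against, and that a quorum shortfall is denied while a shard that does not reproduce the committed key is surfaced as an alert.

```python
import hashlib
import secrets
# Constructed example (not Atakama's code): byte-wise k-of-n Shamir sharing over GF(2^8).
def _gf_mul(a, b):  # product in GF(2^8) modulo the AES polynomial 0x11B
    p = 0
    while b:
        p ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _gf_inv(a):  # a^254 == a^-1 in GF(2^8), for a != 0
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r

def split_key(key, n, k):  # n shards (x, bytes); any k of them reconstruct key
    shards = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in key:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in shards:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                y = _gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(b)) for x, b in shards]

def combine_shards(shards):
    """Lagrange interpolation at x=0, one byte position at a time."""
    key = bytearray()
    for i in range(len(shards[0][1])):
        acc = 0
        for xj, yj in shards:
            lag = 1
            for xm, _ in shards:
                if xm != xj:
                    lag = _gf_mul(lag, _gf_mul(xm, _gf_inv(xj ^ xm)))
            acc ^= _gf_mul(yj[i], lag)
        key.append(acc)
    return bytes(key)

def evaluate_decrypt_request(shards, k, key_commitment):
    """'denied' below quorum; 'alert' (SIEM event) if shards don't match the committed key hash."""
    if len(shards) < k:
        return "denied", None
    key = combine_shards(shards[:k])
    if hashlib.sha256(key).digest() != key_commitment:
        return "alert", None
    return "approved", key
```

The "alert" outcome is the mismatch event the text describes: a tampered or substituted shard reconstructs a different key, which fails the commitment check and is logged rather than silently granted.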

For large enterprises, distributed key management has the advantage of being a highly flexible approach to a higher data security standard, protecting various types of files with varying access levels.

Revolutionize the Security Paradigm

To fully harness the power of zero-trust, organizations must integrate distributed management of multifactor encryption keys into their strategies. This integration empowers them to embrace genuine zero-trust, fortifying protection in response to emerging threats and the dynamic nature of modern work environments.

By embracing this approach, organizations can transcend the limitations of traditional security models, paving the way for enhanced security, resilience and adaptability. It’s time to revolutionize security paradigms and unlock the full potential of genuine zero-trust.


Dimitri Nemirovsky

Dimitri holds BBA and MBA degrees from Baruch College and earned his JD from Brooklyn Law School. Prior to co-founding Atakama, Dimitri spent 15 years as an attorney, most recently practicing regulatory and enforcement law at Bingham McCutchen where he represented large financial institutions in high-stakes matters. Dimitri began his career at Merrill Lynch.
