The Importance Of Endpoint Security When Implementing Zero Trust

By Henry Harrison. May 4, 2023. Updated: August 22, 2024. 6 Mins Read

Increasing numbers of organisations are moving to a Zero Trust security model. The growing frequency and sophistication of cyber threats are driving the popularity of this model, which takes a robust ‘never trust, always verify’ approach to security.

The National Institute of Standards and Technology (NIST) defines a Zero Trust Architecture as: “an evolving set of cyber security paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.”

The growth in popularity of Zero Trust is in direct response to business trends that include the sharp rise of remote users, the increase of personal devices used for business purposes, and the continued migration to the cloud. An enterprise network boundary is no longer clearly defined and finite – it has expanded and blurred, which presents significant security challenges.

Traditional security thinking does not fully consider the increased vulnerabilities of the enterprise security perimeter, nor does it recognise the ability of threat actors to bypass security measures. It therefore mistakenly believes that everything inside of an enterprise’s security perimeter can be trusted. Zero Trust, on the other hand, distrusts everything inside an organisation’s network, as well as everything outside.

However, a true Zero Trust architecture is challenging to implement, and must be considered holistically.

Going beyond identity management

Identity management is a core pillar of a Zero Trust architecture, and many companies have implemented technologies that allow them to be confident that users are who they say they are.

However, identity verification tools such as biometrics and multi-factor authentication (MFA) cannot in isolation be relied on to create a Zero Trust environment. Why? Because a device that has been compromised – perhaps through a man-in-the-browser attack or an MFA bypass – is accessible not only to the verified user, but also to the cyber criminal or criminals who instigated the attack.

Online banking is a compelling example of the shortcomings of user verification tools – here it is not uncommon for authorised and authenticated users to fall prey to cyber attacks, as more often than not, it is the user’s computer, laptop or mobile device that holds the vulnerabilities that could be targeted by threat actors.

This is why financial services organisations are in a continual battle with criminal gangs who seek to target the endpoint weakness to steal money. Fraudulent activity is enabled by ever-more sophisticated attack techniques, which allow threat actors to get around traditional security measures. 

In this example, the risk is permissible, and the resulting financial loss is accounted for in online banking business models. But for many enterprises, the business impact of a security breach would be so significant that no CISO could in good faith accept that risk. It could provide cyber criminals with access to vital networks, or sensitive business data, that could impair an organisation’s ability to operate, while also irreparably damaging its reputation.

The endpoint security requirement

It is clear that a critical component of creating and maintaining a Zero Trust architecture is endpoint security, but this task is more complex than it may first appear.

Firstly, whether or not an endpoint is adequately secured is contextual – it depends on the task in hand. In other words, an endpoint may be deemed ‘secure’ to access one resource, but may not be secure enough to access another, more sensitive, resource. Another complication is the rise of remote and hybrid work patterns, which has led to a sharp increase in the number of machines and mobile devices accessing company resources and networks. What’s more, the bring your own device (BYOD) trend has meant that, as in the online banking example, the security status of employees’ personal devices being used to access critical networks is unknown. Enterprises find themselves unable to implement universal security measures for those devices accessing company networks.

This problem is exacerbated further by continued cloud migration. Many cloud providers focus exclusively on user identity verification and do not offer endpoint security support, an approach that does not adequately address the security gap.

Typically, cloud providers that do support endpoint security approach this by making access conditional on the source IP address. There is an obvious flaw to this tactic: the modern workforce is mobile, accessing data and applications from a variety of locations. A more effective approach would be if each device’s security levels were used to determine whether a verified user could access company networks and data.
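As an added illustration (not code from the article or from any vendor), the sketch below contrasts source-IP conditional access with a check that weighs each device's security level against the sensitivity of the requested resource. The network range, posture signals, scoring levels and resource names are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: the range, signals and tiers are assumptions.
CORPORATE_NET = ip_network("203.0.113.0/24")  # documentation range (TEST-NET-3)

# Minimum posture level each resource demands (hypothetical resource names).
REQUIRED_POSTURE = {"intranet-wiki": 1, "crm": 2, "payments-admin": 3}


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in corporate device management
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool     # endpoint agent running and reporting clean


def posture_score(d: Device) -> int:
    """Map posture signals to a level 0-3; each level builds on the previous."""
    if not (d.os_patched and d.disk_encrypted):
        return 0
    if not d.edr_healthy:
        return 1
    return 3 if d.managed else 2


def allow_by_source_ip(user_verified: bool, src_ip: str) -> bool:
    """IP-conditional model: a verified user coming from a 'trusted' location."""
    return user_verified and ip_address(src_ip) in CORPORATE_NET


def allow_by_posture(user_verified: bool, d: Device, resource: str) -> bool:
    """Contextual model: one device can pass for one resource and fail another."""
    required = REQUIRED_POSTURE.get(resource)
    if required is None:  # unknown resource: deny by default
        return False
    return user_verified and posture_score(d) >= required


if __name__ == "__main__":
    byod = Device(managed=False, disk_encrypted=True, os_patched=True, edr_healthy=True)
    stale = Device(managed=True, disk_encrypted=True, os_patched=False, edr_healthy=True)
    print("stale laptop, office IP :", allow_by_source_ip(True, "203.0.113.10"))
    print("stale laptop, posture   :", allow_by_posture(True, stale, "intranet-wiki"))
    print("BYOD remote, IP check   :", allow_by_source_ip(True, "198.51.100.7"))
    for res in REQUIRED_POSTURE:
        print(f"BYOD remote -> {res:15}:", allow_by_posture(True, byod, res))
```

An unpatched managed laptop on the office network passes the IP check but scores 0 on posture, while a healthy BYOD device off-network is denied by IP yet can reach the mid-tier resource.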

Conventional security is no longer up to the job

Organisations have historically relied on detection-based tools – such as firewalls and endpoint detection and response – to spot malware once it has infiltrated an organisation’s security perimeters. But these traditional methods cannot stop malware from entering in the first place, and neither can they defend against zero-day attacks.

Malware often enters an organisation’s network using targeted social engineering, which is designed specifically to exploit human error to get past an organisation’s security defences. Since it is impossible to protect against these socially engineered attacks 100% of the time, organisations are highly vulnerable to phishing.

Another security strategy takes the approach of restricting access to the internet. Although this reduces the opportunity for devices to be compromised, it also has the unintended effect of limiting employees’ ability to do their jobs, since most workers rely on the internet to varying degrees.

In today’s threat environment, traditional perimeter-based defences are insufficient.

A Zero Trust solution

Growing numbers of government agencies as well as security-conscious organisations are turning to Browser Isolation as a Zero Trust solution that enables uniform endpoint security, regardless of where an employee is based. And it does this while still giving users unrestricted access to the internet. Browser Isolation creates a barrier between the user’s device and the internet, eliminating the risk of users coming into contact with malware, and thus of malware entering an organisation’s network.

Full Browser Isolation creates an impermeable separation between endpoints and the internet through ‘Pixel Pushing’ – in other words, the conversion of browsed web content into an interactive, video representation of the web. This completely removes the possibility of all malware attacks, regardless of the sophistication or frequency of these threats.

By taking a Zero Trust approach, and assuming that all internet content is malicious, Browser Isolation provides strong endpoint security.

A holistic approach to Zero Trust

For many organisations, endpoints present a significant security vulnerability and are the biggest barrier to creating and maintaining a Zero Trust environment.

But a Zero Trust architecture is not a straightforward single point solution. It is a holistic way of approaching security driven by the goal to protect company networks and secure sensitive data, but without compromising the business requirements for flexibility, mobility and rapid innovation in an online world with an ever-growing threat level.

Henry Harrison

Co-founder and CSO


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
