The mobile and cloud workforce is becoming the norm; gone are the days when everyone sat in a cubicle in front of a desktop.
What hasn't changed, for the most part, is the security infrastructure. Since new ways of working demand new ways to secure the work product, it is high time to look at the Zero Trust security model.
The National Institute of Standards and Technology (NIST), in Special Publication 800-207, states that Zero Trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location (a local area network versus the internet) or on who owns the asset. Rather than assuming a user account is trustworthy, it assumes "Danger, Will Robinson!", the catchphrase of the robot in the 1960s TV series "Lost in Space" when warning young Will that he was about to make a mistake.
The catchphrase of Zero Trust could be "Never trust. Always verify." In NIST's model, verification means authenticating and authorizing both the user and the device, as discrete functions performed before a session to an enterprise resource can be established, and access is granted per session rather than once for the life of a network connection.
How can you move closer to a Zero Trust model and keep the riskiest traffic on your network away from your critical assets? Start by never granting implicit trust to the web browser, the one application that pulls arbitrary untrusted content onto every endpoint. A comparatively recent approach, browser isolation, is designed for exactly this: it keeps web-delivered malware from reaching the device while still letting end users do their jobs, and it has become a practical way for organizations to move closer to Zero Trust.
The biggest risk in any environment is the combination of end-user actions and misplaced trust, which is why most successful attacks begin with something fetched from the public internet: a link in an email, a download, an ad. That is where your protection needs to begin. If you control what a user's browsing can do and how much trust it is granted, you block attacks at the doorstep by keeping live web sessions away from your endpoints.
Some people believe a secure web gateway is ample protection, but its core decision is binary, allow or deny, and life is not that black-and-white. For an organization to run efficiently, it has to tolerate shades of grey. Adding an anti-malware component on the endpoint helps catch what a grey site delivers, but a signature-based engine is only as effective as the signatures it already has, which by definition leaves out a zero-day.
It is unlikely that an organization can become truly Zero Trust overnight; it requires re-architecting from the ground up over multiple refresh cycles, and even then some critical applications may never support it. The key is a defense-in-depth approach with a hybrid Zero Trust security model: allow-list the sites you know to be good, block the sites you know to be bad, and isolate the potentially ugly grey sites, such as any page carrying third-party advertising. Advertising is dangerous because the page owner does not control what the ad network serves into the slot, so you never know what risk is hidden in it; since you still need the page, isolating its content protects you.
By sandboxing potentially malicious sites, Hybrid Zero Trust means you no longer have to worry about:
- Your CEO clicking a malicious link in a whaling email, a phishing variant that specifically targets senior executives and other leaders.
- Your legal department being redirected to a malicious site while researching a case.
- Your HR team downloading a new app from a typosquatted site, a look-alike domain registered to catch users who mistype a legitimate web address.
Another large benefit of Hybrid Zero Trust protection is that it saves an organization time and money. On one project, for example, eight different machines raised IPS (Intrusion Prevention System) alerts. On investigation, every alert traced back to the same drive-by download: an ad on a sports-streaming site attempting remote Java execution. Had those sessions been isolated, the Java content would have been stripped before anything reached the computers, so there would have been no attack to trigger the alerts and no analyst time spent triaging eight of them.
You never know when a zero-day exploit will surface. You trust the major browsers, but should you? Here are the vulnerability figures compiled when this was written, in spring 2020, any of which could potentially enable all kinds of attacks:
- Chrome: most recent vulnerability on 2/27/2020, with 177 vulnerabilities in 2019.
- Edge: most recent vulnerability on 2/11/2020, with 90 vulnerabilities in 2019.
- Internet Explorer: most recent vulnerability on 2/11/2020, with 53 vulnerabilities in 2019.
- Firefox: most recent vulnerability on 4/24/2020, with 105 vulnerabilities in 2019.
Published counts like these reflect research attention as much as code quality, but the point stands: every major browser ships exploitable bugs every year.
If an attack succeeds, you might not discover the breach until six months or more have passed. Can you afford that, knowing you have a tool at your disposal that can stop it? When the browser session is isolated, an exploit that does fire lands in a disposable remote browser rather than on the endpoint and is discarded with the session, which leaves the isolation platform itself as the thing you must keep patched and monitored.
When incorporating Zero Trust, and browser isolation specifically, it is best to layer it with a secure web gateway and an anti-malware solution rather than replace them. Browser isolation creates a non-persistent, sandboxed browser session that renders the page, strips all active content (scripts, plug-ins, embedded objects), scans any file before it is released, and presents only the result to the user. Every action the user takes is actually a request to the sandboxed browser, which performs it on the user's behalf and presents the outcome back; the session is thrown away when the user is done.
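The allow/block/isolate policy from the "good, bad and ugly" paragraph and the content-stripping step described here can be shown together in one piece of code. The following Python is an added example written for this article, not code from the page or from any isolation product; the host names, policy lists and sample page are constructed, and a real product renders the page in a remote browser and streams pixels or a safe DOM to the user rather than filtering HTML text as done here. It takes a URL and the fetched markup, allows or blocks known hosts, and for a grey host strips scripts, plug-in objects (including the kind of Java applet that produced the IPS alerts above), event handlers, script-scheme URLs and meta refreshes, returning the sanitized page plus an audit trail of what was removed.

```python
"""Hypothetical content-stripping stage of a browser-isolation proxy: an added
example, not code from the page or from any isolation product."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that run code or pull executable content (a Java applet/object in an
# ad lands here), void elements, attributes that carry URLs, passive schemes.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame", "frameset", "base"}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
             "meta", "param", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}
# Constructed policy lists; a real deployment feeds these from the web gateway.
ALLOW_LIST = {"intranet.example", "docs.example"}   # known good: pass through
BLOCK_LIST = {"malware.example"}                    # known bad: deny outright


class ActiveContentStripper(HTMLParser):
    """Rebuilds a document without scripts, plug-ins, handlers or script URLs.
    HTML comments are dropped by the base class (IE conditional comments hide markup)."""

    def __init__(self):
        super().__init__()      # convert_charrefs=True: text arrives decoded
        self.out = []           # sanitized markup, in document order
        self.stripped = []      # audit trail of removed elements and attributes
        self._skip = []         # stack of active elements we are currently inside

    @staticmethod
    def _attr_is_safe(name, value):
        lname = name.lower()
        if lname.startswith("on") or lname == "style":
            return False        # event handlers; CSS can carry url()/expression()
        if lname in URL_ATTRS and value is not None:
            # Browsers ignore tab/CR/LF inside a URL ("java\tscript:" still runs).
            cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
            return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
        return True

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        meta_refresh = tag == "meta" and any(n.lower() == "http-equiv" for n, _ in attrs)
        if tag in ACTIVE_TAGS or meta_refresh:
            self.stripped.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self._skip.append(tag)   # drop everything up to the matching end tag
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if not self._attr_is_safe(name, value):
                self.stripped.append(f"{tag}@{name}")
            else:
                kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self._skip:
            if self._skip[-1] == tag:
                self._skip.pop()
        elif tag not in ACTIVE_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_decl(self, decl):                   # keep <!DOCTYPE html>
        self.out.append(f"<!{decl}>")


def decide(host):
    """Allow known-good hosts, block known-bad ones, isolate the grey remainder."""
    host = host.lower()
    if host in BLOCK_LIST:
        return "block"
    return "allow" if host in ALLOW_LIST else "isolate"


def isolate(url, page_html):
    """Return (decision, markup forwarded to the endpoint, list of stripped items)."""
    decision = decide(urlsplit(url).hostname or "")
    if decision != "isolate":
        return decision, (page_html if decision == "allow" else ""), []
    parser = ActiveContentStripper()
    parser.feed(page_html)
    parser.close()
    return decision, "".join(parser.out), parser.stripped


# Constructed page standing in for the sports-streaming site with a malicious ad.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Stream</title>
<meta http-equiv="refresh" content="0;url=http://ads.example/land">
<script src="http://ads.example/track.js"></script></head>
<body onload="beacon()"><h1>Tonight's game</h1>
<a href="java&#9;script:alert(1)">Replay</a>
<img src="http://cdn.example/a.png" style="background:url(//ads.example/x)">
<div id="ad"><applet code="Exploit.class"></applet>
<object data="http://ads.example/p.jar"><param name="x" value="y"></object></div>
<p><a href="https://news.example/">More</a></p>
<!--[if IE]><script>x()</script><![endif]--></body></html>"""
```

Two details matter in practice. The URL check removes tab and newline characters before reading the scheme, because browsers do the same and a naive `startswith("javascript:")` test misses `java&#9;script:`. And `isolate()` returns what it stripped, which is exactly the evidence an analyst wants when deciding whether a grey site should be promoted to the allow list or demoted to the block list.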
To navigate the new risks we face in an ever-more-mobile environment, we have to adapt by adopting processes and technologies that prevent failure, and that keep us out of the news as the latest victim of a security shortfall. As with our earlier example of the "Lost in Space" robot, you can keep danger away from Will Robinson, and from all your users, with Hybrid Zero Trust.
Organizations can follow a straightforward approach to migrate toward Zero Trust. The most crucial step is to know your environment: an accurate, up-to-date inventory of every asset, application, and user is essential, because you cannot write a trust policy for something you do not know exists. Once you understand what you have, standardize where you can; not every product and process can or will integrate. You cannot have security without earned trust, and auditing and managing what and whom you trust significantly reduces your exposure to risk.
About Enterprise Studio
Enterprise Studio by HCLTech helps you make the connections between IT and business that optimize time and multiply value so you can realize full potential across your organization. Our seasoned technologists, coaches, and educators can help you unlock value from existing IT investments to become a stronger, more adaptive organization – in part by leveraging a BizOps approach so that IT outputs are strongly linked to business outcomes.
We are the leading provider and services partner for Broadcom and Symantec enterprise solutions, so whether you're an established Global 500 company or a new disruptive force in your industry, we can help you navigate the complexities that come with competing in an interconnected digital era. We are also a global solution provider and Tier 1 global value-added reseller of Broadcom CA Technologies and Symantec enterprise software.
Many of our experts at Enterprise Studio come from the former professional services units of CA Technologies and Symantec. For decades, our teams have supported and helped lead organizations to innovation using powerful enterprise software solutions and cutting-edge methodologies, from business and agile management to security, DevOps, AIOps, and automation.