When reading about cyberattacks in the news, the ones that make the splashiest headlines are those spearheaded by cybercriminals with malicious intent. Amid the media frenzy that ensues, however, we forget about insider threats. It is often an employee or other stakeholder within the company who leaves the proverbial door cracked open to an organization’s systems and data.
Consider the SolarWinds supply chain attack that hit hundreds of organizations, including government agencies and Fortune 500 corporations. Phishing is also one of the most common attack vectors through which malware is spread. According to a Fortinet study, 38% of cybersecurity experts cite phishing as the biggest vulnerability, leading to accidental insider threats. In other cases, the opportunity arises from a data breach. Many of these examples can also be attributed to human error, be it a misconfigured cloud storage bucket or an unauthorized download. Cybercriminals brought Colonial Pipeline’s operations to a grinding halt due to a neglected VPN account and a leaked password, for example.
This is by no means an attempt to shame the victim or lay the burden on these individuals; their mistakes do not justify the nefarious actions undertaken by the threat actors of the world. It does, however, highlight an important truth: mistakes will inevitably be made, and unless organizations work to cushion the impact, the consequences could be dire.
The Importance of Zero Trust
It’s no wonder, then, that security experts have long championed the implementation of zero trust architecture, with US President Joe Biden recently doubling down on this in an executive order.
As the name suggests, the premise of zero trust is to adopt the mentality that the company’s network has already been breached, and that no person or device should be trusted until verified. Delving deeper, the model is built on a handful of key tenets. The first is having visibility of all devices, users, data, etc., that exist as part of the network, including how they interact with one another and how they move about the system. Then there is authentication, notably multi-factor authentication, whereby a combination of ‘something you know,’ ‘something you have,’ and ‘something you are’ validates the user’s identity. Chief among the tenets, however, is the principle of least privilege: limiting a user’s access and permissions so that they can successfully carry out their job, but nothing more.
The good thing is that most organizations do recognize the importance of the zero trust framework. A recent OneLogin survey of over 700 technology leaders found that 75% understand it to be a key driver in breach prevention. Also, 71% claim to understand it and know how to apply it. Yet, in practice, only 11% of organizations have it in place. Interestingly, 62% of organizations are either still in the planning stages or in the process of implementing the model, while 16% have no plans at all. In fact, 66% have admitted that some or a few users are granted access privileges beyond what they require, and 18% have even conceded that all their users are given excessive privileges. This begs the question: why?
Implementation Challenges and Solutions
Unfortunately, many organizations are working with legacy systems and do not have the capacity to make changes abruptly. Not only is it a complex undertaking, but also a costly one, with the potential to temporarily stop operations altogether. What’s more, the recent mass shift towards remote working, as well as a general uptick in BYOD (bring your own device), has made matters more complicated. Suddenly, security teams have to maintain visibility over a much larger and more distributed attack surface. They are also likely to be overwhelmed by all the moving parts (not least the ever-changing roles and functions of employees and their demands for different permissions at any one time). Failing to keep up could impose unnecessary friction on employee and company performance. Simply put, security and IT teams are faced with the gargantuan task of balancing security with productivity.
This is where a program of tailored, custom administration can offer a real boon to an organization’s security roster. With such tools, IT teams can customize admin privileges down to a granular level, from assigning permissions as broad as ‘superuser’ to as limited as ‘read-only access for these three users.’ The time-consuming manual process of granting permissions one by one is also eliminated, allowing the team to focus on more pressing matters without compromising security. For instance, rather than assigning privileges to each user individually, the tool enables privileges to be assigned according to job roles. Paired with a user-friendly identity management platform, the mission to create a zero trust model becomes nothing short of achievable.
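The following is an added example (not code from this article or from any product it mentions) that puts the two ideas above together: the zero trust tenets of device visibility, MFA and least privilege from the earlier section, and the role-based assignment of granular permissions described here. Every access request is re-checked against a device inventory, the session’s MFA state and the permissions the user actually holds, and a small audit routine flags permissions a user holds but has never exercised, which is the concrete form the ‘excessive privileges’ statistic takes in practice. The role catalogue, device inventory, user names and the access log are all constructed sample data, and the `direct_grants` field is an assumed way of modelling narrow per-user exceptions such as ‘read-only access for these three users.’

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# Constructed role catalogue (an assumption, not any product's schema):
# permissions are attached to roles, and users receive roles rather than
# individual permissions, so a role change updates every holder at once.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "superuser": {"billing:read", "billing:write", "users:read",
                  "users:write", "audit:read"},
    "helpdesk": {"users:read"},
    "finance-viewer": {"billing:read"},
}

# Constructed device inventory: the visibility tenet means a request from a
# device we cannot account for is refused before identity is even considered.
DEVICE_INVENTORY: Dict[str, bool] = {
    "laptop-0001": True,   # managed and compliant
    "laptop-0002": False,  # known to inventory but marked non-compliant
}


@dataclass
class User:
    name: str
    roles: Set[str]
    # Narrow per-user exceptions (assumed field): kept separate from roles so
    # they stay visible in audits and are easy to revoke.
    direct_grants: Set[str] = field(default_factory=set)
    mfa_verified: bool = False


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions of the user's roles and any direct grants."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | user.direct_grants


def authorize(user: User, device_id: str, permission: str) -> Tuple[bool, str]:
    """Zero trust decision: each request re-checks device, MFA and privilege.
    Returns (allowed, reason) so the reason can be logged for detection."""
    # 1. Visibility: unknown or non-compliant devices are refused outright.
    if not DEVICE_INVENTORY.get(device_id, False):
        return False, "device not in inventory or non-compliant"
    # 2. Authentication: MFA must have been completed for this session.
    if not user.mfa_verified:
        return False, "mfa required"
    # 3. Least privilege: the permission must come from a role or a grant.
    if permission not in effective_permissions(user):
        return False, "permission not granted"
    return True, "allowed"


def excessive_privilege_report(users: Iterable[User],
                               usage: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Flag permissions a user holds but never exercised in the access log.
    `usage` is an iterable of (user_name, permission) pairs. Anything held
    but unused is a candidate for removal under least privilege."""
    used: Dict[str, Set[str]] = {}
    for name, perm in usage:
        used.setdefault(name, set()).add(perm)
    report: Dict[str, Set[str]] = {}
    for u in users:
        unused = effective_permissions(u) - used.get(u.name, set())
        if unused:
            report[u.name] = unused
    return report


# Constructed sample users and a constructed access log.
ALICE = User("alice", {"superuser"}, mfa_verified=True)
BOB = User("bob", {"helpdesk"}, direct_grants={"audit:read"}, mfa_verified=True)
CAROL = User("carol", {"finance-viewer"}, mfa_verified=False)

SAMPLE_USAGE = [
    ("alice", "users:write"), ("alice", "billing:read"),
    ("bob", "users:read"),
]

if __name__ == "__main__":
    print(authorize(ALICE, "laptop-0001", "billing:write"))
    print(authorize(BOB, "laptop-0001", "billing:write"))
    print(authorize(CAROL, "laptop-0001", "billing:read"))
    print(authorize(ALICE, "laptop-0002", "users:read"))
    print(excessive_privilege_report([ALICE, BOB, CAROL], SAMPLE_USAGE))
```

The order of the checks in `authorize` is deliberate: device visibility and MFA are evaluated before the permission lookup, so a request from an unaccounted-for device never reaches the privilege decision, and the returned reason string gives a detection team something consistent to alert on. The audit routine is the part that addresses the survey finding that most organizations over-grant: run it periodically against real access logs and the unused set for each user becomes the candidate list for tightening roles or revoking direct grants.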