Someone once said in a NIS2 podcast about ‘Zero Trust’, “It’s everything the cybersecurity sales want to push on you… As the person responsible for the ICT budget, don’t let yourself be fooled by this.” A practical example of NIS2 Zero Trust is that you should apply multifactor authentication (MFA) according to the rules of the art. You start by examining what kind of MFA will cover all of the digital payload and user access in your corporate network. Microsoft will tell you that their MFA will do just that. In the mindset of Zero Trust, this is not an accurate statement. Simply purchasing the right subscription and enforcing MFA login on Microsoft 365 or Office 365 (M365 or O365) does not mean that your 365 environment is well protected. If a hacker can ride along on an SSO login on the endpoint itself, where, for example, the user is local admin, they could even get into O365. Therefore, O365 has to be perfectly configured. But who checks your IT vendor? In our last 25 screenings, 50% were improperly set up. You may draw your own conclusions about whether or not we can talk about Zero Trust MFA here.
Not convinced? Then read through this link:
When reviewing the “ISO 27001 Annex A.9 Access Control” policy, we as auditors perform the following risk analyses:
Are all user access points secured? If not, what are the risks with respect to data loss, data reliability and the protection of confidential data? What would the consequences be if essential digital data processes were to be compromised?
Who manages the setup of the MFA? Is there a separation of rights here? An Admin? Will a digital mine go off if MFA rules are circumvented?
If FIDO tokens are used for an MFA login, do they require biometrics to access critical server installations? This will ensure that the login is calibrated.
Etc.
What we want to demonstrate is that we need to go through every scenario and even have them tested by a pentester.
What is the security mindset if zero trust is not implemented as part of the policy?
Traditional IT network security is based on the castle-and-moat concept. With castle-and-moat security, through the use of a firewall, for example, it is difficult to gain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach is that as soon as an attacker gains access to the network, they have free rein over everything within it.
A VPN is like a balloon flying the right colours: it does not get shot down. But who is travelling in it? That is difficult for the gunner on the ground to see.
The rationale for Zero Trust login
A key principle of Zero Trust security is that of “least-privilege access”. This means that after verification through MFA, users only get access to those digital resources that they need in order to do their daily tasks. One might compare this to an army general only giving soldiers the information they need about certain phases of an attack. This way, when soldiers are captured, they will not be able to give up information, even under pressure. By applying this principle to accessing the company’s digital crown jewels, we can minimize each user’s exposure to sensitive parts of the network.
We take our Zero Trust mindset one step further by logging both applications and users in their handling of files, and we monitor the matching of users with their permissions.
Imagine a scenario where the IT director is looking through résumés; in that case, management will be notified. Nosy individuals are unwelcome in a Zero Trust setup.
Implementing “least privilege” implies careful management of user privileges. VPNs are not suitable for a least privilege approach to authorization because logging into a VPN gives a user access to the entire connected network.
In addition to controls on user access, Zero Trust also requires strict controls on device access. Zero Trust systems must monitor how many different devices are attempting to access their network, ensure that each device is authorized, and assess all devices to make sure they are not compromised. This further minimizes the network’s attack surface.
MaaS360, for example, employs a strict inventory of authorized applications and has BitLocker enabled. If a laughing bystander (the hacker) plugs in anywhere in the network, there is an immediate code-red alarm.
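The monitoring described above, in which file access by users and applications is logged and checked against the permissions a role actually needs (the IT director reading résumés) and in which every device must be known, enrolled and encrypted before it is trusted, can be illustrated with a small policy check. The following is an added example and not code from the article or from any product named in it; the log format, the role-to-resource policy, the device inventory and the log lines are all constructed for the illustration.

```python
import re
from typing import Dict, List, Set

# Constructed role policy: the resource prefixes each role needs for its daily tasks.
# Least privilege means nothing outside this set is granted to that role.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr": {"hr/resumes/", "hr/contracts/"},
    "finance": {"finance/ledger/"},
    "it_director": {"it/inventory/", "it/tickets/"},
}

# Constructed user directory: user -> role.
USER_ROLES: Dict[str, str] = {"alice": "hr", "bob": "finance", "carol": "it_director"}

# Constructed device inventory of the kind an MDM keeps: only enrolled,
# disk-encrypted devices used by their assigned owner are trusted.
DEVICE_INVENTORY: Dict[str, Dict[str, object]] = {
    "LT-0001": {"owner": "alice", "enrolled": True, "encrypted": True},
    "LT-0002": {"owner": "bob", "enrolled": True, "encrypted": False},
    "LT-0003": {"owner": "carol", "enrolled": True, "encrypted": True},
}

# Constructed access log lines (not real telemetry).
SAMPLE_LOG = """\
2024-05-06T09:12:03Z user=alice device=LT-0001 mfa=yes action=read resource=hr/resumes/candidate-17.pdf
2024-05-06T09:14:41Z user=bob device=LT-0002 mfa=yes action=read resource=finance/ledger/2024-q1.xlsx
2024-05-06T09:20:15Z user=carol device=LT-0003 mfa=yes action=read resource=hr/resumes/candidate-17.pdf
2024-05-06T09:25:00Z user=carol device=LT-0003 mfa=no action=read resource=it/inventory/laptops.csv
2024-05-06T09:31:59Z user=mallory device=USB-9999 mfa=no action=read resource=finance/ledger/2024-q1.xlsx
2024-05-06T09:33:10Z user=alice device=LT-0003 mfa=yes action=read resource=hr/contracts/alice.pdf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) mfa=(?P<mfa>yes|no) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line into a dict; raise ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the policy violations for one access event (empty list if the access is allowed)."""
    alerts: List[str] = []
    user, device, resource = event["user"], event["device"], event["resource"]

    # 1. Every access must be MFA-verified; being "inside" the network earns no trust.
    if event["mfa"] != "yes":
        alerts.append(f"no-mfa: {user} accessed {resource} without MFA")

    # 2. Device checks: known, enrolled, encrypted, and used by its assigned owner.
    dev = DEVICE_INVENTORY.get(device)
    if dev is None:
        alerts.append(f"unknown-device: {device} is not in the inventory (user {user})")
    else:
        if not dev["enrolled"]:
            alerts.append(f"unenrolled-device: {device}")
        if not dev["encrypted"]:
            alerts.append(f"unencrypted-device: {device} has no disk encryption")
        if dev["owner"] != user:
            alerts.append(f"owner-mismatch: {user} used {device}, assigned to {dev['owner']}")

    # 3. Least privilege: the user's role must cover the resource being touched.
    role = USER_ROLES.get(user)
    if role is None:
        alerts.append(f"unknown-user: {user}")
    elif not any(resource.startswith(prefix) for prefix in ROLE_PERMISSIONS[role]):
        alerts.append(f"out-of-role: {user} ({role}) read {resource}")

    return alerts


def audit(log_text: str) -> List[str]:
    """Run every log line through the policy and collect the alerts, prefixed with the timestamp."""
    findings: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for alert in evaluate(event):
            findings.append(f"{event['ts']} {alert}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the check flags the IT director reading a résumé as out-of-role, the login without MFA, the unenrolled device of an unknown user, the unencrypted laptop and a user working from a colleague's device, while the two accesses that stay inside their role on a trusted device produce nothing. The same structure applies to real telemetry once the parser is swapped for the format of the actual log source.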
The historical background:
Reykjavik, Iceland 1986. President Reagan and Gorbachev, secretary general of the USSR, are holding their first meeting on nuclear disarmament. Reagan comes to the table “armed” with a popular Slavic saying taught to him by Russian scholar Suzanne Massie: “Doveryai, no proveryai” – Trust, but verify. These words will form the basis of the 1987 Intermediate-Range Nuclear Forces Treaty (INF), perhaps one of the most important disarmament agreements in modern history.
In today’s volatile field of cyber conflict, NIS2 has taken “Trust but Verify” to the next level: Zero Trust, a crucial foundation for securing data, IT and critical infrastructure. It is vital to the national and homeland security of European nations against hostile hacking attacks of every kind.
It is important to remember that there is no Geneva Convention or other agreement regulating the conduct of cyber warfare, in which enemies can just as easily be found in a neighboring office as on the other side of oceans and continents. Market research firm Forrester recently noted that insider threats could be the cause of some 33 percent of all data breaches that occurred in 2021, making the adoption of the Zero Trust mindset all the more logical.
Long before the term itself was coined by cyber professionals, among them Forrester analyst John Kindervag, who founded the field in 2009, Zero Trust was better known as “perimeterless” security.
The basic idea is that security should be the main foundation of all IT systems and networks. Every form of “trust” will always be a vulnerability.
This article was checked for spelling errors by Jonatan Nys.