Organizations often trust their IT or security teams to manage and prevent cyber attacks. But many organizations' current infrastructure gives adversaries a pipe straight into their networks, through VPNs and similar remote-access methods. We need to completely rethink our security strategy and implement more secure models like zero trust. Let's see why and how.
This blog post is based on the webinar “Are you putting too much trust in your security providers?”, which you can access here.
The Importance of a Security Fail-Safe
Organizations often put too much trust in their IT teams. They believe these teams will be able to prevent cyberattacks and data breaches. But this is a misconception. Not because the teams aren't skilled or are lacking resources (though this might be the case), but because the security strategy itself needs a complete redo.
Multiple cyber attacks are occurring at any given time, and many of them unfold the same way. It starts with a malicious DLL, a persistent channel is set up for continued access, an admin account on a jump server is compromised, the jump boxes inside the core VLANs fall next, and the attacker maps machine-to-machine connections and moves laterally from there.
This is enabled by our perimeter-based approach. Our VPNs, remote-worker connections and third-party providers pipe our adversaries into our networks. We cannot change modern communication needs, so we need to change our security methods.
It doesn't matter how heavily you invest in security. Over the past years we have seen more and more companies being seriously breached. SolarWinds is the latest and most notorious example, but it is not the only one. Security companies like FireEye, PulseSecure, Fortinet, Portnox and Zyxel have all been compromised, and even Microsoft has had its share of attacks. These companies live and breathe security, and they invest hundreds of millions of dollars in securing their own assets. Yet they are still vulnerable. If they are, so is everyone else.
3 Cybersecurity Myths
There are three common myths surrounding cyber security that prevent organizations from implementing a secure strategy and plan.
Myth #1: Upgrading legacy systems will keep you secure
Many companies believe that upgrading their legacy systems will keep them secure. But upgrading legacy systems is not enough. Bending a system into something it was never designed for is sub-optimal and will not deliver what you need, when you need it.
Myth #2: Cloud infrastructure is secure
Companies think that the cloud is secure. But cloud infrastructure is only what its name says: infrastructure that enables convenient access. Under the shared responsibility model, cloud providers secure the cloud, not what's in the cloud. Securing the data, identities and configuration in the cloud is the responsibility of the company.
Myth #3: Security insurance will keep you covered
Many organizations think their insurance will protect them. But getting insurance is not a replacement for securing the network and the crown jewels. The legal, ethical and financial repercussions of a breach are far more severe and long-term than anything an insurance company will end up paying.
As you can see, common conceptions of security are misguided, and our security methods still need rethinking. So the question is: what do you do when everything goes sideways? You need a fail-safe.
Introducing Zero Trust: The Security Fail-Safe
Zero trust is a disruptive security model that turns network-based security on its head. Instead of securing the perimeter, zero trust assumes that no one is to be trusted by default, including anyone already inside the network. If we look back at the latest attacks, we can see why. Companies can't control everything: bugs, code vulnerabilities, user errors: these things will happen, and they widen the attack surface.
So instead of piping and tunneling attackers into the network, zero trust blocks access to everyone except the users and devices that have been authenticated and explicitly authorized for the specific asset they are requesting. That check happens every single time a user attempts to access an asset or system, not once at login. Thus, modern security needs are answered by design, and not by add-on.
Zero Trust vs. VPN
VPNs were built for a different era. It's no wonder, then, that many of the latest publicly-known attacks occurred through VPN vulnerabilities. A quick search on Shodan turns up a long list of internet-exposed VPN gateways, many of them running exploitable versions. Let's see what a common business use case looks like with a VPN compared to zero trust.
Company X uses a third party for resource management and maintenance. It's 10pm on a Friday, and suddenly one of the main services goes down. Unless it comes back up, this will cause a massive loss of revenue. At 10:01pm the IT team calls the supplier for help ASAP. At 10:02pm the supplier's admin requests access to the environment for troubleshooting. Now what?
Scenario 1: The company has an open VPN policy.
In this case, the third party connects over the VPN and reaches the server with full admin rights.
However, this can result in injected malware, stolen privileges, no auditing or monitoring, and no visibility into what the user is actually doing. This is a very risky approach.
Scenario 2: The company has a strict VPN policy.
In this case, the third party asks the helpdesk for a one-time password, is handed server credentials to establish the connection, and an admin has to approve the request.
This is more secure, but once the user is in, it still grants access to the network rather than to one server, and the process is extremely time-consuming and counter-productive. This is a somewhat risky and very inefficient approach.
Scenario 3: Zero Trust Access
In this case, the third party attempts to connect to the server through the zero trust provider. The supervisor is immediately notified and can grant access on the spot. The user is automatically authenticated and logged in. If the user needs more permissions, the supervisor can inject credentials with the relevant permissions from her mobile device, without handing them to the user.
Throughout the entire session the supervisor can monitor activity from her phone in real time and revoke access if needed. All activity is automatically logged, monitored and recorded.
No credentials are exposed to the third party, the time to react is short, and so is the cost.
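To make the per-request model and the Scenario 3 flow concrete, here is an added example of a minimal zero-trust access broker. It is illustration code written for this post, not Cyolo's software, and everything in it (the identity-provider key, the "erp-db" resource, the vendor-admin user, the supervisor "ops-lead", the backend password) is constructed. Each request is decided on its own evidence: an authentic identity token, a device registered as compliant, and an unexpired supervisor approval for this user/resource pair. The requester's network location is logged but never consulted, the target credential stays in the broker's vault, the user receives only a session handle, and every command passes through the broker so it is audited and can be cut off.

```python
"""Added example: a minimal zero-trust access broker (not Cyolo's code).
All keys, users, resources and passwords below are constructed for the demo."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

IDP_KEY = b"constructed-idp-signing-key"                # hypothetical identity-provider secret
BACKEND_CREDS = {"erp-db": "constructed-db-password"}   # the target's real login, held only by the vault


def issue_token(user, device_id):
    """Stand-in for the identity provider: an HMAC-signed user|device claim."""
    body = f"{user}|{device_id}"
    return body + "|" + hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token):
    """Return (user, device_id) if the signature checks out, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, device_id, sig = parts
    expected = hmac.new(IDP_KEY, f"{user}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return (user, device_id) if hmac.compare_digest(sig, expected) else None


def backend_connect(resource, credential):
    """Stand-in for the target system: logs in only with its own credential."""
    if BACKEND_CREDS.get(resource) != credential:
        raise PermissionError("backend rejected credential")
    return lambda cmd: f"{resource}: ran {cmd}"   # the "connection": runs a command


@dataclass
class Session:
    id: str
    user: str
    resource: str
    expires_at: float
    active: bool = True          # note: no credential is stored on the session


@dataclass
class Broker:
    vault: dict                                      # resource -> credential; never returned to callers
    compliant_devices: set
    approvals: dict = field(default_factory=dict)    # (user, resource) -> approval expiry
    sessions: dict = field(default_factory=dict)     # session id -> Session
    conns: dict = field(default_factory=dict)        # session id -> backend connection (broker side only)
    audit: list = field(default_factory=list)

    def approve(self, supervisor, user, resource, ttl_s):
        """Supervisor grants this user this resource for ttl_s seconds."""
        self.approvals[(user, resource)] = time.time() + ttl_s
        self.audit.append(("approve", supervisor, user, resource))

    def request_access(self, token, resource, source_ip):
        """Per-request decision. source_ip is recorded for the audit trail, never trusted."""
        ident = verify_token(token)
        if ident is None:
            return self._deny("unauthenticated", resource, source_ip)
        user, device_id = ident
        if device_id not in self.compliant_devices:
            return self._deny(f"{user}: device {device_id} not compliant", resource, source_ip)
        expiry = self.approvals.get((user, resource))
        if expiry is None or expiry < time.time():
            return self._deny(f"{user}: no valid approval", resource, source_ip)
        conn = backend_connect(resource, self.vault[resource])   # credential used here, inside the broker
        session = Session(secrets.token_hex(8), user, resource, expiry)
        self.sessions[session.id], self.conns[session.id] = session, conn
        self.audit.append(("allow", user, device_id, resource, source_ip))
        return session

    def run(self, sid, cmd):
        """Every command goes through the broker, so it is logged and can be blocked."""
        session = self.sessions.get(sid)
        if session is None or not session.active or session.expires_at < time.time():
            self.audit.append(("blocked", sid, cmd))
            return None
        self.audit.append(("cmd", session.user, session.resource, cmd))
        return self.conns[sid](cmd)

    def revoke(self, supervisor, sid):
        """Supervisor ends a live session; later commands are refused."""
        if sid in self.sessions:
            self.sessions[sid].active = False
            self.conns.pop(sid, None)
            self.audit.append(("revoke", supervisor, sid))

    def _deny(self, reason, resource, source_ip):
        self.audit.append(("deny", reason, resource, source_ip))
        return None


def demo():
    """Runs the Friday-night scenario and returns the observable outcomes."""
    broker = Broker(vault=dict(BACKEND_CREDS), compliant_devices={"vendor-laptop-7"})
    token = issue_token("vendor-admin", "vendor-laptop-7")
    out = {}
    # 1. Before approval: denied, even though the request comes from the office LAN.
    out["before_approval"] = broker.request_access(token, "erp-db", "10.0.0.5")
    # 2. Supervisor approves from her phone; access is granted for 10 minutes, from anywhere.
    broker.approve("ops-lead", "vendor-admin", "erp-db", ttl_s=600)
    session = broker.request_access(token, "erp-db", "203.0.113.9")
    out["session"] = session
    out["first_cmd"] = broker.run(session.id, "systemctl restart erp") if session else None
    # 3. Supervisor revokes mid-session; the next command is refused.
    if session:
        broker.revoke("ops-lead", session.id)
    out["after_revoke"] = broker.run(session.id, "cat /etc/shadow") if session else None
    out["audit"] = broker.audit
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things to notice when reading the audit trail this produces: the request from 10.0.0.5 is refused with no approval on file, exactly as one from the internet would be, and the `Session` object handed to the vendor never contains the backend password, because the credential is only ever used inside `request_access`. A real broker would add device posture attestation, token expiry and a session recording, but the shape of the decision is the same.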
As you can see, the zero trust strategy answers modern security requirements and also ends the trade-off between security and productivity.
Never Trust Your Zero Trust Provider
But wait, you might ask, didn’t we start out with never trusting anyone? So why should we trust our zero trust provider? This is an excellent question, and the answer is: you shouldn’t.
When choosing a zero trust provider, ask the following questions:
- Is the user data exposed?
- Who controls and executes access policies?
- Can the ZT provider create users on their customers’ behalf?
- Where are the customer’s secrets (keys, tokens, passwords) kept?
- How does the provider mitigate the risk of internal threats?
- What is the coverage of the provider’s secure access? Does it cover users, networks, apps?
Answering these questions will help you ensure your zero trust provider is not the vulnerable link in your supply chain. Find a supplier whose own compromise would not put you at risk.
Cyolo is a zero trust solution with a unique architecture designed to keep your assets and information secure, because we do not hold or control sensitive company information such as keys and passwords.
By securely connecting all users from anywhere without requiring a VPN, and by authenticating devices, Cyolo lets employees focus on their work and your business grow. Cyolo provides advanced user management features, real-time session recording and an easy-to-use UI. Cyolo can also integrate with your existing VPNs, if needed.
Cyolo takes minutes to implement and is compatible with any network topology and identity infrastructure. In addition, Cyolo does not have access to the organization's data. Not only does this ensure true privacy and security, it also improves performance and the user experience. Request a demo to learn more: cyolo.io/demo-request