Zero Trust will be the Leading Strategy for Cybersecurity and Risk Management in 2023

DoD and Forrester emphasize role of Zero Trust as cybersecurity strategy

Strengthening Vulnerable Cyber Infrastructure

Zero Trust has entered the cybersecurity fray as a leading solution to mitigate and reduce vulnerabilities. This strategy is relevant for IT infrastructure all over the world: a recent Radware report establishes that over 99.5% of global organizations deploy applications in the public cloud[1].

However, public and multi-cloud environments pose significant risks when it comes to data leaks and breaches. The same report states that “69% of organizations can trace data breaches or data exposures to inconsistent application security configurations across the different public cloud platforms.”

Both the public and the private sector have already witnessed how expensive these breaches can be, in terms of lost productivity, reputational damage, IT repair/mitigation, and ransom costs.

Sophisticated Cyberattacks

Incidents like WannaCry in 2017 showed just how strong an impact cyberattacks can have, with computers in over 150 countries affected[2] and an estimated cost of $4 billion globally. The ransomware spread across industries as well, including healthcare, education, manufacturing, financial services, and telecommunications.

Costs associated with cybercrime have only increased in the years following, with larger entities targeted. Research collected by Ivanti showed that ransomware has increased by 446% since 2019[3]. In 2022 alone, major organizations like the Red Cross[4], Toyota[5], Twitter[6], and CashApp[7] have reported breaches, with records in the tens of millions affected. The Irish Data Protection Commission recently fined Meta[8] for GDPR violations to the tune of €265 million for exposing PII of over 533 million users.

Threat of Pipedream

In April 2022, the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI issued an advisory for a malware toolkit dubbed Pipedream[9], “the most versatile tool ever made to target critical infrastructure, like power grids and oil refineries.” This toolkit was designed to target and cripple industrial control systems in critical infrastructure sectors.

Dragos, an industrial cybersecurity firm that helped analyze Pipedream, affirmed at Forrester’s 2022 Security and Risk conference[10] that cyber-attacks are increasingly being carried out by nation-states, targeting critical infrastructure sectors, including chemical, manufacturing, and energy plants.

Thankfully Pipedream was evaded by proactive cybersecurity measures and patches before it could be maliciously deployed. However, this is one example of how cybercrime will be used by nation-states, with the trend likely to increase as cyberattack strategies are improved. By carrying out remote attacks, nation-states can potentially debilitate and undermine another country’s ability to react and defend, all while denying responsibility.

It’s a new phase of warfare that isn’t all that new – countries have always used shadow entities to handle less than savory missions; software has simply become the most recent tool of choice.

Modern Problems Require Modern Solutions: The Dawn of Zero Trust

In their keynote address at the Forrester Security & Risk Conference, Renee Murphy and Allie Mellen cited internal reports that revealed “business continuity is the number one priority for cybersecurity teams over the next 12 months.”[11] The overlap between business continuity and cybersecurity is trust. Yet it’s not enough for businesses to have a robust cybersecurity strategy; they must also have consumer trust.

7 Levers of Trust: Accountability, Consistency, Competency, Dependability, Empathy, Integrity, Transparency

Ironically, the way we build consumer trust is by establishing a policy of not trusting anyone, otherwise known as Zero Trust. This framework is highlighted as the leading strategy to ensure business continuity by preserving consumer trust and effectively responding to evolving threats. It accounts for the evolving and fluid nature of the network edge, otherwise defined as the point of connection between a device or local network and the internet.

Connections between devices, applications, and cloud, on-prem, and hybrid networks are only increasing, which makes this network edge vulnerable. Organizations must also factor in remote work connections, hybrid cloud networks, and increased risk of cyberattacks or malware exposure. These connections and risk factors make securing the network edge ever more difficult for system admins.

How Does Zero Trust Work?

Zero Trust is a system of “least privilege” where users only have access to the data they absolutely need. This permission must be actively enabled or allowed, and the default status is to deny access. This ensures no unauthorized access to sensitive or confidential information.

A Zero Trust framework operates on a principle of continuous identity verification and least privilege access. In effect: anyone accessing the network must be authenticated (not just once, but consistently) and they will only have access to the data they absolutely need (to contain the damage in the event of a breach).

One of the major benefits of Zero Trust is that it provides protection against possible data leaks and breaches, including those stemming from insider threats. Joseph Blankenship, Research Director at Forrester, stated that “26% of data breaches are caused by insider incidents, most of which are malicious”[12].

Forrester Analysis of Zero Trust

Over the next three years, Forrester analysts anticipate that the weakest points of IT security will remain individuals, with a need for identity-focused protection (“identity as a perimeter”)[13].

As part of the Forrester panel on insider risk, Dr. Caputo emphasized that adversaries are looking for targets inside organizations struggling with psychological-financial strain: “it’s not how much debt someone has, but how that debt makes them feel.”

This is where the full concept of Zero Trust shines, not just as a technology solution but as a cultural mindset. By using a model of least privilege and repeated verification, granting data access can become a more granular process. Stronger, built-in controls and protections help make processes around using data and collaborating with teams more secure, without compromising productivity.

Department of Defense Embraces Zero Trust

The U.S. government has been hinting at their investment in an updated cybersecurity strategy across various departments for several years:

  • 2018 – CISA formed as a branch in the Department of Homeland Security to focus on the government’s official cybersecurity posture.
  • 2020 – Cybersecurity Maturity Model Certification (CMMC) program launched by the DoD.
  • 2021 – an Executive Order was issued, mandating investment and restructuring of federal information security systems.

The Executive Order explicitly included references to Zero Trust framework as part of the updated cybersecurity solution. CISA advisories have also urged government and private sector organizations to begin developing Zero Trust security strategies.

Most recently, the Department of Defense released their Zero Trust Strategy and Roadmap for implementation by FY 2027. This roadmap includes base level and advanced Zero Trust targets across seven pillars: user, device, application & workload, data, network & environment, automation & orchestration, and visibility & analytics.

7 Pillars of Zero Trust by US DoD

Other government departments will follow suit to create comprehensive security for the entire network surface, along with global and local governments and the private sector.

This adoption cascade will create a more resilient, responsive cybersecurity network across industries, sealing dangerous loopholes and preventing data leaks that could possibly lead to catastrophic data breaches. Zero Trust is the framework that provides both a technological and cultural goal post for the coming years.

 

Article written by Katie Gerhardt, Jr. Product Marketing Manager

 

References

[1] Radware. “Application Security In A Multi-Cloud World.” Retrieved 29 Nov 2022 from https://www.radware.com/getattachment/19954aa9-bb51-4f07-b695-84f5713a8302/Application-Security-In-A-Multi-Cloud-Report_2022_Report-V2.pdf.aspx

[2] Kaspersky. “What is WannaCry Ransomware?” Retrieved 29 Nov 2022 from https://usa.kaspersky.com/resource-center/threats/ransomware-wannacry

[3] Louis Columbus. VentureBeat. 20 Oct 2022. “Ransomware vulnerabilities soar as attackers look for easy targets.” Retrieved 30 Nov 2022 from https://venturebeat.com/security/ransomware-vulnerabilities-soar-as-attackers-look-for-easy-targets/

[4] International Committee of the Red Cross, 24 June 2022. Retrieved 29 Nov 2022 from https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know

[5] James Coker. InfoSecurity Group. “Toyota Reveals Data Leak of 300,000 Customers.” Retrieved 29 Nov 2022 from https://www.infosecurity-magazine.com/news/toyota-data-leak-customers/

[6] Twitter. 5 Aug 2022. “An incident impacting some accounts and private information on Twitter.” Retrieved 29 Nov 2022 from https://privacy.twitter.com/en/blog/2022/an-issue-affecting-some-anonymous-accounts

[7] Trend Micro. 7 Apr 2022. “Cash App Suffers Data Breach Affecting 8.2M Customers.” Retrieved 29 Nov 2022 from https://news.trendmicro.com/2022/04/07/cash-app-data-breach/

[8] Sumeet Wadhwani. Spiceworks. 29 Nov 2022. “Meta Fined $275M for Failing to Protect the Data of 533M Facebook Users.” Retrieved 29 Nov 2022 from https://www.spiceworks.com/it-security/security-general/news/meta-275m-gdpr-privacy-fine/

[9] Andy Greenberg. WIRED. 13 Apr 2022. “Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems.” Retrieved 29 Nov 2022 from https://www.wired.com/story/pipedream-ics-malware/

[10] Robert Lee. Forrester Security & Risk Conference. 8 Nov 2022. Keynote Address: “ICS Threats: From Pipe Dream to PIPEDREAM.

[11] Renee Murphy and Allie Mellen. Forrester Security & Risk Conference. 8 Nov 2022. Keynote Address: “Securing the Future: Geopolitical Risk will Redefine Security Strategies for the Next Decade.”

[12] Joseph Blankenship (Forrester), Alla Valente (Forrester), Dr. Deanna D. Caputo (MITRE), Ryan Boyer (CISA). Forrester Security & Risk Conference. 9 Nov 2022. Keynote Panel Discussion: “Insider Risk Reduction Requires Two Parts Culture, One Part Security.”

[13] Laura Koetzle. Forrester Security & Risk Conference. 9 Nov 2022. Keynote Panel Discussion: “Take a Zero Trust Approach to Threat Prevention, Detection, and Response.”