In December 2020, the world’s CIOs got an object lesson in the importance of having zero trust security networks.
The historic SolarWinds hack exposed as many as 18,000 users in US government agencies to a massive data breach—all thanks to a Russian-made Trojan horse tacked onto the tail of a regular systems patch.
Sadly, this hack targeted the most security-conscious people in the network who regularly updated their software—CIOs and other IT professionals.
In response, the National Security Agency’s Cybersecurity Division issued a set of guidelines this spring encouraging widespread adoption of zero-trust security frameworks—protocols that assume a breach is occurring at all times, not just when password sign-ins occur. Zero trust means systems are constantly validating, requiring multifactor authentication, monitoring lateral movement, and employing next-generation endpoint security, among other tactics.
GDPR primes EU for widespread zero trust adoption.
While the SolarWinds attack is a wake-up call, zero trust is a security philosophy that could be reaching a tipping point in 2021. This has been driven by several market factors, including the General Data Privacy Regulations (GDPR) in Europe, which have imposed strict prescriptions for parsing out and protecting user data. And, of course, there’s the pandemic, which instantly normalized working from home. As the NSA said in its zero-trust guidance, “traditional perimeter-based network defenses with multiple layers of disjointed security technologies have proven themselves to be unable to meet the cybersecurity needs due to the current threat environment.”
Not surprisingly, a recent report by researchandmarkets.com predicts that the zero-trust security market will grow from $19.6 billion in 2020 to $51.6 billion in 2026—an average growth rate of about 17.6 percent, year over year.
Businesses should implement these strategies quickly.
To bring their companies up to speed, the SDA recommends several mitigation strategies, including:
Privileged Access Management (PAM) solutions for credential management, and to create strong security identities for users. PAM allows you to implement multi-factor authentication systems that work better when employees are accessing your networks remotely. When passwords fail, that authentication service needs to work with tokens or tickets to reset the passwords.
Tiered administrative access for microsegmentation, which walls off your network, so users only have access to what they need to use, on a need-to-know basis.
Frequent authentication, so your security operation can continuously monitor users in real time, tracking their movement through your systems, while also offering constant real-time visibility into a user’s ID, endpoint hardware type, operating system versions, patch levels, installed applications, user log-ins and more.
The investment in zero trust is something companies are working into their development cycles for new builds. Many SaaS companies are offering retrofitting services for companies looking to layer on zero trust quickly. Will 2021 be the year for Zero Trust Security? For an increasing number of organizations, that answer is yes. For more resources on implementing zero trust, check out the latest technical advisory resources from NSA.