The Covid-19 pandemic has led to many changes in our working and personal lives. Some of these measures may prove to be temporary, others may have to persist for some time longer.
Many people have had to adopt new, or make more use of unfamiliar, technologies just to keep in touch with others. Technology (especially visual media) has replaced face-to-face meetings. It has partially replaced the human touch for people who are displaced from work and extended family. For them the online presence is comforting, and it aids stability, certainty and continuity in a world that appears to have changed.
The human connection in all of these circumstances is reliant on the technology connection which has allowed considerably more people to keep on working, keeping businesses open, allowing flexibility and connection to remote resources and opening up opportunities.
The pandemic is accelerating network changes that have been ongoing, and re-exposes many of the vulnerabilities that we have known about for years. It is forcing change and innovation, placing companies and individuals in a “sink or swim” situation, and this is causing a great deal of uncertainty about how to secure distributed enterprises.
Users, Devices and Services
The longer term impacts of the coronavirus mean that people will continue to distance and work from home, with the location flexibility to work from wherever they feel safest, regardless of distance. This comes with some added security complications of its own. The already porous security perimeter set by companies or individuals becomes invisible, and the maintenance and updating of home devices for security is more fragmented and difficult. Remote communications mean that technology needs to become more usable and collaborative, enabling people to work on tasks together while in isolation.
The answer is to shift the focus of security towards People, Devices and Services, the three things we know can be used to provide strong assurances of identity, rather than relying on the network to pass tokens and delegate authentication in ways that allow actions to “Run As” unverified users. Relying on the network to build strong security is not the right thing to do when it is the network itself that is untrusted.
Person Centric Security
Knowing who is accessing the services is one part of building a strong security posture: a single directory of users, with their groups and roles, and strong authentication of credentials.
Authorisation needs to be proactive and tailored to the users. Processes to accommodate Joiners, Movers and Leavers must be defined.
To prevent credential stuffing with compromised logins, systems must be strengthened to include biometric, multi-factor or zero-knowledge proofs of identity and access. Tamper-proof systems provide the integrity of knowing who is inside the trust boundary. This can be achieved with a single source directory that manages the permissions of permitted users to access resources.
Device Centric Security
Another key indicator for intrusion is the device which is trying to gain access to the data via the network.
Depending on the device type and the inbuilt security features it is possible to define the confidence that the correct user on the correct device is accessing the services that they require, whilst excluding or challenging any unknown or new devices trying to gain access. Authentication of user and device identity for connections to the network is essential.
Confirming the compliance of devices to the policies of the organisation is one way in which it is possible to verify and maintain confidence levels in device health and trustworthiness.
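The Person Centric and Device Centric sections above describe the signals an access decision should combine: the directory entry and authentication strength of the person, and the enrolment and compliance state of the device, measured against what the requested service demands. The following is an added example, not code from the original article or from SABSA or the NCSC, of a minimal decision function that scores those signals. The directory entries, device inventory, service catalogue, score weights and confidence thresholds are all constructed sample data for the demonstration.

```python
"""Added example: a zero trust access decision that scores the person
(directory status and authentication strength), the device (enrolment and
compliance) and the service (permitted groups and required confidence).
All data below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sample directory: the single source of users, groups and status.
# "leaver" models the Joiners/Movers/Leavers process: bob has been offboarded.
DIRECTORY = {
    "alice": {"groups": {"finance", "staff"}, "status": "active"},
    "bob":   {"groups": {"staff"}, "status": "leaver"},
}

# Constructed device inventory. lt-0002 is managed but has failed a compliance check.
DEVICES = {
    "lt-0001": {"owner": "alice", "managed": True, "compliant": True},
    "lt-0002": {"owner": "alice", "managed": True, "compliant": False},
}

# Constructed service catalogue: which groups may use it, and the confidence it requires.
SERVICES = {
    "payroll": {"min_confidence": 80, "groups": {"finance"}},
    "wiki":    {"min_confidence": 40, "groups": {"staff"}},
}


@dataclass
class Request:
    user: str
    device_id: str
    service: str
    auth_methods: set = field(default_factory=set)   # e.g. {"password", "fido2"}


@dataclass
class Decision:
    allowed: bool
    confidence: int
    reasons: list


def evaluate(req: Request) -> Decision:
    """Return an allow/deny decision with a confidence score and the reasons behind it."""
    reasons = []

    # Person: the directory is the single source of truth for identity and status.
    entry = DIRECTORY.get(req.user)
    if entry is None or entry["status"] != "active":
        reasons.append("user unknown or not active in directory")
        return Decision(False, 0, reasons)
    if req.auth_methods & {"fido2", "biometric"}:
        person = 50                      # phishing-resistant or biometric factor
    elif "totp" in req.auth_methods:
        person = 40                      # second factor present, weaker than the above
    else:
        person = 20
        reasons.append("single factor only: step-up authentication recommended")

    # Device: unknown or unenrolled devices are challenged rather than scored.
    dev = DEVICES.get(req.device_id)
    if dev is None or dev["owner"] != req.user:
        reasons.append("unknown or unenrolled device: challenge before access")
        return Decision(False, person, reasons)
    if dev["managed"] and dev["compliant"]:
        device = 40
    else:
        device = 15
        reasons.append("device not compliant with policy")

    # Service: group membership is a hard requirement; confidence must meet the service's bar.
    confidence = person + device
    svc = SERVICES.get(req.service)
    if svc is None:
        reasons.append("unknown service")
        return Decision(False, confidence, reasons)
    if not (entry["groups"] & svc["groups"]):
        reasons.append("user not in a group permitted for this service")
        return Decision(False, confidence, reasons)
    allowed = confidence >= svc["min_confidence"]
    if not allowed:
        reasons.append(f"confidence {confidence} below required {svc['min_confidence']}")
    return Decision(allowed, confidence, reasons)


if __name__ == "__main__":
    for r in (
        Request("alice", "lt-0001", "payroll", {"password", "fido2"}),
        Request("alice", "lt-0001", "payroll", {"password"}),
        Request("alice", "lt-0002", "wiki", {"totp"}),
        Request("bob", "lt-0001", "wiki", {"password", "fido2"}),
        Request("alice", "lt-9999", "wiki", {"fido2"}),
    ):
        print(r.user, r.device_id, r.service, evaluate(r))
```

The point of returning reasons alongside the score is that a denial can be turned into a useful challenge (enrol the device, step up authentication) rather than a silent failure, and the same structure gives the audit record that the later monitoring section relies on.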
Service (Information) Centric Security
In knowledge based work, and in a knowledge based society, it is access to information that provides the strongest motivation for attackers and organisations alike. This information provided by services unlocks the benefits in both the online and real worlds. Information is the currency of digital business, innovation and interaction, and not all data should be publicly available. Therefore, confidentiality in service sharing is required to promote trust in the system.
Providing data via service-based contracts, where services are configured to use their native security functions, aids this goal. This includes enforcing strong authentication mechanisms on services and disabling legacy protocols that don’t support modern authentication.
Services also need to be kept up to date with the latest software patches; you need to be able to determine the version and patch level of the service you are using, and patches fixing vulnerabilities should be applied at the earliest opportunity.
The health of your services needs to be constantly monitored; an unexpected change in state may indicate an unauthorised change or malicious activity. This may include proactive monitoring of geo-location, hours and levels of access to resources to prevent unauthorised users compromising systems.
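The monitoring the paragraph above calls for, checking geo-location, hours and levels of access against what is normal for each user, can be run directly over service access logs. The following is an added example, not code from the original article, that parses a small set of constructed log lines and flags the three kinds of deviation. The log format, the per-user baselines and the access-level ordering are assumptions made for the demonstration.

```python
"""Added example: proactive monitoring of service access logs for unexpected
location, out-of-hours access and escalation of access level.  Log lines,
baselines and thresholds are constructed sample data."""
import re
from datetime import datetime

# Assumed log format: "<ISO timestamp> user=<name> geo=<country> svc=<service> level=<level>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\w+) geo=(?P<geo>[A-Z]{2}) svc=(?P<svc>\w+) level=(?P<level>\w+)"
)

# Ordering of access levels; anything not listed is treated as higher than all of them.
LEVELS = {"read": 1, "write": 2, "admin": 3}

# Constructed per-user baseline: countries seen before, normal working hours (UTC), usual top level.
BASELINE = {
    "alice": {"geos": {"GB"}, "hours": (7, 20), "max_level": "write"},
}

# Constructed sample log: one normal event, one out of hours, two from a new
# country (the second also escalating to admin), and one user with no baseline.
SAMPLE_LOGS = """\
2024-03-04T09:12:03Z user=alice geo=GB svc=payroll level=read
2024-03-04T23:41:10Z user=alice geo=GB svc=payroll level=read
2024-03-05T10:05:44Z user=alice geo=RU svc=payroll level=read
2024-03-05T10:07:02Z user=alice geo=RU svc=payroll level=admin
2024-03-05T11:00:00Z user=mallory geo=US svc=wiki level=read
"""


def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def check(event: dict) -> list:
    """Return a list of alert strings for a single event (empty if nothing is unusual)."""
    base = BASELINE.get(event["user"])
    if base is None:
        return [f"{event['user']}: no baseline for this user (unknown or new account)"]
    alerts = []
    if event["geo"] not in base["geos"]:
        alerts.append(f"{event['user']}: access from unexpected location {event['geo']}")
    start, end = base["hours"]
    if not (start <= event["ts"].hour < end):
        alerts.append(f"{event['user']}: access at {event['ts'].hour:02d}h outside normal hours")
    highest_known = max(LEVELS.values()) + 1
    if LEVELS.get(event["level"], highest_known) > LEVELS[base["max_level"]]:
        alerts.append(f"{event['user']}: level '{event['level']}' exceeds usual '{base['max_level']}'")
    return alerts


def scan(text: str) -> list:
    """Run check() over every parsable line and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        event = parse(line)
        if event:
            alerts.extend(check(event))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Each alert here is a change from the user's established state rather than a signature of a known attack, which is what the paragraph means by monitoring health: the baseline defines normal, and anything outside it is reviewed before more access is granted.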
Zero Trust Summary
Moving towards zero trust means that secured data can then only be decrypted within a correctly configured trusted execution platform that ensures that only authorised and trusted users can access the data from trustworthy devices via dependable and reliably configured services. In this way it works around the intricacies and failings of the network centric model of security implementation.
Computers know and manage capability very well, but are unable to fully recognise the nuanced human world of context, personal integrity and benevolence. To apply the correct context details, zero trust security services “wrap” data in metadata that includes context, encryption, access and authorisation details.
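The two paragraphs above describe data that is “wrapped” in metadata carrying its context, encryption, access and authorisation details, so that it can only be opened by an authorised user on a trustworthy device. The following is an added example, not code from the original article or from SABSA or the NCSC, of such a wrapper: the metadata is bound to the encrypted payload by an integrity tag, so it cannot be altered or swapped without the unwrap failing, and the payload is released only when the caller's roles and device state satisfy the embedded access details. To keep the example dependency-free, confidentiality is provided by an HMAC-SHA256 keystream in counter mode; in a real deployment this would be a standard AEAD such as AES-GCM with the metadata as associated data. The key, metadata and payload are constructed sample values.

```python
"""Added example: context metadata bound to encrypted data.  The HMAC tag covers
metadata, nonce and ciphertext together, and unwrap() checks the tag before it
evaluates the embedded access details.  Key and data are constructed samples;
the keystream construction is a stand-in for a standard AEAD."""
import hashlib
import hmac
import json
import os

# Constructed sample key; in practice this comes from a key management service.
SAMPLE_KEY = bytes(range(32))

# Constructed context metadata of the kind the text describes: classification,
# origin, and the access details that govern who may open the data and where.
SAMPLE_META = {
    "classification": "confidential",
    "origin": "hr",
    "access": {"roles": ["finance"], "trusted_device_required": True},
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demonstration stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, metadata: dict, nonce: bytes, ciphertext: bytes) -> str:
    # Canonical JSON so the same metadata always produces the same bytes under the tag.
    meta_bytes = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(key, meta_bytes + nonce + ciphertext, hashlib.sha256).hexdigest()


def wrap(key: bytes, payload: bytes, metadata: dict) -> dict:
    """Encrypt payload and bind the context metadata to it with an integrity tag."""
    nonce = os.urandom(16)
    ciphertext = _xor(payload, _keystream(key, nonce, len(payload)))
    return {
        "metadata": metadata,
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": _tag(key, metadata, nonce, ciphertext),
    }


def unwrap(key: bytes, envelope: dict, caller_roles: set, caller_device_trusted: bool) -> bytes:
    """Verify integrity, then enforce the embedded access details, then decrypt."""
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    expected = _tag(key, envelope["metadata"], nonce, ciphertext)
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise PermissionError("integrity check failed: metadata or data has been altered")
    access = envelope["metadata"]["access"]
    if not (set(access["roles"]) & caller_roles):
        raise PermissionError("caller's roles are not authorised for this data")
    if access.get("trusted_device_required") and not caller_device_trusted:
        raise PermissionError("data may only be opened on a trusted device")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


if __name__ == "__main__":
    env = wrap(SAMPLE_KEY, b"salary table Q1", SAMPLE_META)
    print(unwrap(SAMPLE_KEY, env, {"finance"}, True))
    try:
        unwrap(SAMPLE_KEY, env, {"staff"}, True)
    except PermissionError as e:
        print("denied:", e)
```

Checking the tag before reading the access details is the important ordering: the access policy travels with the data, so it must be protected with the same strength as the data itself, otherwise relaxing the metadata would be enough to open it.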
The idea of zero trust is not that businesses can do without trust, as all businesses need to exchange and utilise data to further their goals. Zero trust is a way of combining the trust-in-technology relationship of computers as predictable and trustworthy partners with the contexts and values of human partners. Businesses, groups, supply chains and partnerships embed the cultural and other norms into services that help these real world collaborations work.
Providing trustworthy computing and trusted data execution does away with the traditional network boundaries of protection, but extends this to supply privacy and security protections to the information regardless of location and platform.
Zero Trust does not presuppose the existence of any trust relationship between the providers and recipients of information, but promotes the growth of trust by assessing the confidence levels in users, devices and services whilst respecting the contexts within which it is shared.
The SABSA Attributers Blog: https://sabsa.org/the-attributers-blog-zero-trusted/
NCSC Principles for implementing Zero Trust: https://github.com/ukncsc/zero-trust-architecture/