
Having zero trust is a good thing - Shailendra Shyam Sahasrabudhe, Country Manager, India, UAE and South East Asia, Cymulate Ltd


In March 2023, a threat actor with the alias 'Kernelware' posted 7.5 GB of HDB Financial Services' customer data to the hacker forum 'Breached.vc'. This data included 73 million entries of customer loan information from the financial company, a subsidiary of India's largest private bank, HDFC Bank.

The same attacker had breached Acer Inc. a few days earlier and leaked 160 GB of customer data to a threat actor forum. The Taiwanese electronics company had a previous run-in with threat actors when its post-sales systems in India were targeted and over 60 GB of data was stolen.

In today's digital landscape, where cyber threats loom large and data breaches continue to make headlines, companies must reassess their cybersecurity strategies. The traditional perimeter-based security approach, once considered sufficient, no longer holds up against sophisticated attacks.

In this rapidly evolving threat landscape, adopting a zero-trust security model has emerged as a critical method for organizations to protect their digital assets.

When Okta started its State of Zero Trust report in 2019, many organizations acknowledged that Zero Trust was important, but a mere 16% invested in these initiatives. In 2022, this changed dramatically. According to its State of Zero Trust Report 2022, 97% of survey respondents had a defined Zero Trust initiative in place or planned to implement one soon. 

Trust No One

Zero Trust is the idea that an organization should not extend trust to anything inside or outside its perimeter, according to Forrester Research analyst John Kindervag, who proposed the model in 2010. Recent cyberattacks have served as stark reminders of the importance of adopting a zero-trust approach. The ethos of this architecture is simple: never trust, always verify.

By applying this principle, an organization can verify the identity of every user, including employees, partners, and contractors, and secure their access. Security Operations (SecOps) can detect and prevent a sophisticated spear-phishing attack, which matters especially now that many organizations have migrated to cloud environments. Moreover, this granular level of scrutiny ensures that even if an attacker breaches one layer of defense, they are still denied access to critical systems and data.

The core principle of the zero-trust security model is that no access attempt should be presumed safe or trusted by default. In practice, every access request, whether from within or outside the organization's network, must be validated and secured before access is granted. Achieving this requires a comprehensive approach encompassing an organization's entire IT infrastructure and architecture: on-premises, remote, and within cloud and SaaS platforms. It also requires that the zero-trust controls themselves are validated regularly. Breach and Attack Simulation can be used to attempt to bypass validation and other security controls safely and automatically. Doing so verifies that users cannot accidentally or purposefully violate the zero-trust protocols and gain unauthorized access to resources.

Security at multiple levels

Implementing a zero-trust model entails deploying a range of tools and technologies. Identity and access management (IAM) solutions play a pivotal role by ensuring that users' identities are authenticated and their access privileges are carefully managed. Organizations can add an extra layer of security by employing multifactor authentication, mitigating the risk of compromised credentials.

Micro-segmentation is another vital component of the zero-trust framework. By dividing a network into small, isolated segments, organizations can significantly limit the lateral movement of threat activity. Even if an attacker gains unauthorized access to one segment, they will find it extremely challenging to move laterally and reach critical assets.

Network access control (NAC) solutions are crucial to enforcing zero-trust principles. They provide real-time visibility into every device seeking network access, allowing organizations to authenticate, authorize, and apply security policies before granting entry. By constantly monitoring and evaluating the security posture of devices, NAC solutions enable organizations to respond swiftly to potential threats. This is essential because many companies rely not just on an on-premises workforce (many employees now work in a hybrid or remote arrangement) but also on third-party contractors, vendors, and managed platforms.
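To make the per-request principle from the "Trust No One" section and the IAM, MFA, micro-segmentation and NAC controls above concrete, here is an added example of a small zero-trust policy decision point. It is illustrative code written for this article, not code from Cymulate or any product; the users, roles, segments and posture thresholds are constructed. Every request is checked for identity, MFA, device posture and segment entitlement, and the source IP address is recorded but never used to skip a check.

```python
"""Zero-trust policy decision point: an added, illustrative example, not code
from Cymulate or any product. Every request is checked for identity, MFA,
device posture (the NAC check) and micro-segmentation; the source network is
never a reason to skip a check. All users, roles and segments are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in the organization's device management
    disk_encrypted: bool
    patch_age_days: int      # days since the last OS patch was applied


@dataclass
class AccessRequest:
    user: str
    source_ip: str           # recorded for the audit log only; see evaluate()
    device: Device
    mfa_verified: bool       # MFA completed for this session
    target_segment: str


# Constructed identity directory and role-to-segment entitlements (assumed data).
USER_ROLES = {"alice": "engineer", "bob": "finance", "vendor01": "contractor"}
ROLE_SEGMENTS = {"engineer": {"dev", "ci"}, "finance": {"erp"}, "contractor": {"dev"}}

# Micro-segmentation policy: destination segment -> segments allowed to reach it.
# Anything not listed is denied, which is what limits lateral movement.
SEGMENT_PEERS = {"dev": set(), "ci": {"dev"}, "erp": set()}

MAX_PATCH_AGE_DAYS = 30      # assumed posture threshold


def device_posture_ok(device: Device) -> tuple[bool, str]:
    """NAC-style posture check, evaluated on every request rather than once at enrolment."""
    if not device.managed:
        return False, "unmanaged device"
    if not device.disk_encrypted:
        return False, "disk not encrypted"
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, f"patch level older than {MAX_PATCH_AGE_DAYS} days"
    return True, "posture ok"


def segment_flow_allowed(src_segment: str, dst_segment: str) -> bool:
    """Deny by default: a flow is allowed only if the policy lists it explicitly."""
    return src_segment in SEGMENT_PEERS.get(dst_segment, set())


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). All checks run so the decision log is complete.
    req.source_ip is deliberately not consulted: an internal address earns no trust."""
    reasons: list[str] = []
    role = USER_ROLES.get(req.user)
    if role is None:
        reasons.append("unknown identity")
    if not req.mfa_verified:
        reasons.append("MFA not satisfied")
    ok, why = device_posture_ok(req.device)
    if not ok:
        reasons.append(why)
    if role is not None and req.target_segment not in ROLE_SEGMENTS[role]:
        reasons.append(f"role '{role}' not entitled to segment '{req.target_segment}'")
    return (not reasons), (reasons or ["all checks passed"])


if __name__ == "__main__":
    laptop = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=3)
    # Same user, same device, same private source address: only MFA differs.
    print(evaluate(AccessRequest("alice", "10.0.0.5", laptop, True, "dev")))
    print(evaluate(AccessRequest("alice", "10.0.0.5", laptop, False, "dev")))
    print("dev -> ci:", segment_flow_allowed("dev", "ci"), "| ci -> dev:", segment_flow_allowed("ci", "dev"))
```

The design point is that `evaluate` collects every failed check rather than returning on the first one, so the audit log explains a denial fully, and that `segment_flow_allowed` answers "no" unless a flow is explicitly listed, which is the deny-by-default behaviour micro-segmentation relies on.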

Regular security audits, vulnerability assessments, penetration testing, and breach and attack simulation for security control validation provide further insight into the strength and resilience of an organization's security posture. This includes exercising the zero-trust defenses with offensive activity to ensure that attempts to bypass and overcome the tools and solutions in place fail and are reported.

Employee buy-in

Beyond the technical aspects, companies must communicate the benefits of a zero-trust approach to their internal workforce. They need to be told how a proactive approach can help detect and prevent a sophisticated spear-phishing attack. 

However, security can never come at the cost of usability or vice versa. Getting this balance right requires the whole-hearted support of the workforce, a workforce that may not have a high level of technical knowledge or sophistication.

Employees are an integral part of the security ecosystem, and their understanding and support are paramount to the success of zero-trust policies. Many recent cyberattack incidents have highlighted how attackers could infiltrate a network because of inadvertent errors by a worker rather than malicious intent. 

In just one example of this kind of incident, Uber suffered a data breach in December 2022, when a threat actor failed to connect to the ride-sharing company's network using an employee's credentials because multifactor authentication (MFA) blocked the attempt. While this sounds like a success for zero-trust methodologies, the attacker did not stop there. Using a technique known as “MFA Bombing,” the threat actor sent a flurry of login verification requests to the user’s phone, and when that did not trick the user, they contacted the user via WhatsApp posing as a member of the security team. This combination proved effective: the threat actor tricked the user into approving the MFA request, which granted the attacker VPN access to Uber’s systems. Once inside the network perimeter, the threat actor was then able to move around as the user without further verification.
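The pattern in the incident above, a burst of push prompts followed by an approval after the user had already denied several, is one a SecOps team can alert on from authentication logs. The following is an added detection example written for this article, not code from Uber, Cymulate or any vendor; the log line format, the user names and the thresholds are all constructed assumptions.

```python
"""MFA push-fatigue detection over authentication logs: an added, illustrative
example, not code from Uber, Cymulate or any vendor. The log format, the
entries below and the thresholds are constructed. Two signals are raised: a
burst of push prompts to one user, and an approval that follows repeated denials."""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO-8601 UTC timestamp> user=<name> event=<push event>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"event=(?P<event>push_sent|push_denied|push_approved)$"
)

FLOOD_THRESHOLD = 5              # prompts within WINDOW that count as bombing (assumed)
WINDOW = timedelta(minutes=10)
DENIAL_THRESHOLD = 2             # denials before a later approval is suspicious (assumed)

# Constructed sample: bob approves a single legitimate prompt; alice denies five
# prompts in a few minutes and then approves a sixth.
SAMPLE_LOG = """\
2023-03-01T09:00:00Z user=bob event=push_sent
2023-03-01T09:00:08Z user=bob event=push_approved
2023-03-01T09:12:00Z user=alice event=push_sent
2023-03-01T09:12:05Z user=alice event=push_denied
2023-03-01T09:12:30Z user=alice event=push_sent
2023-03-01T09:12:34Z user=alice event=push_denied
2023-03-01T09:13:00Z user=alice event=push_sent
2023-03-01T09:13:06Z user=alice event=push_denied
2023-03-01T09:13:30Z user=alice event=push_sent
2023-03-01T09:13:33Z user=alice event=push_denied
2023-03-01T09:14:00Z user=alice event=push_sent
2023-03-01T09:14:03Z user=alice event=push_denied
2023-03-01T09:21:00Z user=alice event=push_sent
2023-03-01T09:21:40Z user=alice event=push_approved
"""


def parse(line: str) -> tuple[datetime, str, str] | None:
    """Return (timestamp, user, event), or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["event"]


def detect(lines) -> list[tuple[datetime, str, str, str]]:
    """Stream the log once and return (timestamp, user, alert_kind, detail) tuples."""
    recent_pushes: dict[str, deque] = defaultdict(deque)  # per-user prompt times inside WINDOW
    denials: dict[str, int] = defaultdict(int)            # per-user denials since last approval
    alerts: list[tuple[datetime, str, str, str]] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, event = rec
        q = recent_pushes[user]
        while q and ts - q[0] > WINDOW:      # drop prompts that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == FLOOD_THRESHOLD:    # alert once, at the moment the threshold is crossed
                alerts.append((ts, user, "mfa_push_flood",
                               f"{len(q)} prompts within {WINDOW}"))
        elif event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            # The Uber-style signal: the user said no repeatedly, then said yes.
            if denials[user] >= DENIAL_THRESHOLD or len(q) >= FLOOD_THRESHOLD:
                alerts.append((ts, user, "approval_after_denials",
                               f"approved after {denials[user]} denials, "
                               f"{len(q)} prompts in window"))
            denials[user] = 0                # an approval closes the episode
            q.clear()
    return alerts


if __name__ == "__main__":
    for ts, user, kind, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user} {kind}: {detail}")
```

Both alerts here are worth routing differently: the flood alert is early warning and can trigger a proactive call to the user, while the approval-after-denials alert means the session that was just created should be treated as suspect and re-verified, which is exactly the step that was missing in the incident described above.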

While this sounds like a highly sophisticated plot to overcome Uber’s defenses, threat actors routinely perform due diligence to determine whom they should target, how they should target them, and which methods they can use against any organization they have set their sights on. MFA Bombing, spear- and whale-phishing, and other forms of user-based or user-involved attacks are on the rise.

To combat this trend, and as part of any zero-trust initiative, users must also be brought into the loop as active partners in security. Training the users and testing that training regularly is the first step, but security teams must also work within the user community to create a two-way street of information and accessibility. For example, leveraging Single Sign-On (SSO) tools where possible reduces the number of sign-in events a user must face while still maintaining control over user activity and zero-trust. Employee training about why controls are important, not simply a directive that they must be followed, is another valuable method of maintaining zero-trust initiative success. Finally, business stakeholders must be involved in the entire zero-trust process. Business operations may not innately fall in line with zero-trust initiatives due to legacy systems in use, employee mobility, or any number of other factors. This requires alterations to the business process, and that requires that business stakeholders are on board and incentivized to change the process to better support the initiative.

Collaborate to succeed

The attacks described in this article serve as a wake-up call for organizations and underscore the critical need for zero-trust policies to be put in place to defend themselves against such threats and protect their valuable assets. In doing so, organizations also help in preventing supply-chain attacks against their own customers in turn; this is a team sport that starts by defending the organization’s own systems.

Companies cannot afford to rely on outdated security paradigms such as the idea of a “walled garden” internal network in an era marked by relentless cyber threats. The evolution of Zero Trust has established it as a significant tool to protect digital assets, and recent successes in thwarting cyberattacks highlight its efficacy. 

Organizations can fortify their defenses by implementing a zero-trust security model, ensuring that every access attempt (by both external and internal users and systems) is rigorously validated and secured, and safeguarding their critical systems and data. With the right combination of technologies, strategies, and user acceptance, companies can establish a robust security posture and stay one step ahead of the ever-evolving threat landscape.