At TNTMAX, cyber security training is in our DNA. We train our employees, subcontractors, and our clients to develop Cyber Security Awareness Intelligence (CSAI) so they can be the best defense against cybercrime. The ever-increasing level of risk that threatens both companies and individuals becomes more sophisticated and more difficult to prevent all the time. Small- and medium-sized businesses, as well as individuals, are often less prepared for and typically more vulnerable to such risks, especially now that we use more cloud resources and many people are working remotely from home due to COVID-19. Because of these increased dangers, I want to talk about “Zero Trust” and introduce you to the best ways to protect yourself and your organization from rising cyber security threats. This post won’t teach you how to implement Zero Trust (ZT) but rather provides a light introduction to the concept behind it. The goal is to outline the benefits of ZT when dealing with decentralized remote and cloud computing.
Zero Trust (ZT) – refers to an evolving set of network security paradigms that narrows defenses from wide network perimeters to individual resources. Its focus on protecting resources – rather than network segments – is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary. See NIST Special Publication (SP) 800-207.
Zero Trust Architecture (ZTA) – addresses the core logical components that make up a zero trust network strategy. See NIST Special Publication (SP) 800-207.
CSAI – ZERO TRUST
Zero Trust is a complex new paradigm of computer security, and it is the focus of governmental entities and enterprise companies that have the staff, budget and resources to implement, update and monitor it. The reason I want to introduce it to you is the great concepts that are found in Zero-Trust Security (ZTS). ZTS introduces granular, resource-based security in place of fortified-wall, network-based security with implied trust. You still need a strong, well-protected network with a firewall and intrusion detection and prevention systems, but you also need to focus on your users and devices, especially now that many people are working remotely from home and using cloud applications and storage.
Below are a few ZTS nuggets to focus on. I will attach in the reference section of this post more in-depth information from NIST and/or you can contact TNTMAX for help implementing Zero Trust Architecture in your organization to address the rising risk in remote computing.
- Learn & Understand – With every new security concept and recommendation, we strongly recommend that you first learn and understand the requirements before you implement Zero Trust Security. This may seem obvious but sometimes it is important to state the obvious. Zero Trust is a big departure from standard network-centric security and is becoming a ‘must’ as we see more and more of our users working from home, away from our static corporate networks.
- Zero Trust is the new cyber security paradigm that moves network defenses from static, network-based perimeters to one that focuses on data, users, assets, and resources anywhere in the world. The goal of Zero Trust is to improve one’s information technology security posture and limit exposure to cyber security threats. One of the principles of Zero Trust is ‘never trust, always verify.’
- Use Only Trusted Sources – Do not trust anything and perform your due diligence to ensure approval and trust. For example, if someone calls from AMEX to review a charge on your card, tell them you are going to hang up and call them back at a trusted number you know. Find the number for AMEX that is located on the back of the credit card or your monthly statement, call it and then review the charge knowing it’s secure because you called a number you can trust.
- Due Diligence and Verification – If you receive a request to make a wire transfer in an email from the CEO of your company, do not trust the email. Call your manager and/or your CEO to confirm and verify that the request is valid. Use a multi-point verification and authorization process; use Zero Trust.
- No Implicit Trust – This is a key concept I want to touch on. It is one of the cornerstones of ZT and goes very deep. What I want you to remember is that you can no longer trust the computer/device that connects to your network just because it presents the correct credentials and you recognize the computer’s MAC address or source IP address. No more implicit trust. You must re-certify and authorize all devices using multiple touch points, and verify and certify all data requests and accesses.
- Employees’ Home Network – Just because you trust your employees as they work from home does not mean you can trust their home computer, their home network, or whoever else may be using their computer (e.g., kids playing and downloading games).
- Trusted Device – Provide each employee with a trusted and approved laptop with encrypted hard disk, secure profile with two factor authentication, corporate antivirus, firewall and VPN. Restrict all capabilities to add new software without authorization and approval from the company’s IT security team. Monitor the computer’s baseline security and perform all security updates and software updates approved by the company’s IT security team. Do not trust any aspect of the computer/device unless you verify, approve, and authorize all aspects of the device.
- Granular Security – Granular resource-based protection and security. Zero Trust focuses on protecting data and resources rather than network segments since users are working remotely and accessing corporate networks and connecting to the cloud.
- Protect Data – The goal of access control enforcement as granular as possible is to prevent unauthorized access to data and services.
- Protect Resources – To take this one step further, the word “resource” can be substituted for “data” so that ZT and ZTA are about resource access (e.g., printers, compute resources, Internet of Things [IoT] actuators, etc.) and not just data access.
- Corporate trusted devices – Provide your employees with corporate trusted and authorized firewalls, switches, printers and other devices to control all aspects of the employee’s home network. Apply Zero Trust to all resources.
- CSAI Training – Your work is never done. On-going training and yearly refresher courses on preventive techniques against phishing and other cyber-attacks must be part of your new security-by-design approach to email and computer security.
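To make the “No Implicit Trust”, “Trusted Device” and “Granular Security” points concrete, here is an added example (not code from the original post or from TNTMAX) contrasting a perimeter-style access decision with a per-request, per-resource Zero Trust decision. The device posture fields, the resource policy table and the `10.0.` corporate subnet prefix are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed value: the LAN range a perimeter model implicitly trusts.
CORPORATE_PREFIX = "10.0."

@dataclass
class DevicePosture:
    corporate_managed: bool    # company-issued build controlled by IT security
    disk_encrypted: bool
    antivirus_running: bool
    patches_current: bool

    def compliant(self) -> bool:
        return all((self.corporate_managed, self.disk_encrypted,
                    self.antivirus_running, self.patches_current))

@dataclass
class AccessRequest:
    user: str
    source_ip: str
    valid_credentials: bool
    mfa_verified: bool
    device: DevicePosture
    resource: str

# Per-resource rules (constructed); anything not listed is denied by default.
RESOURCE_POLICY: Dict[str, Dict[str, bool]] = {
    "payroll-db": {"mfa": True, "managed_device": True},
    "office-printer": {"mfa": False, "managed_device": True},
}

def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: valid credentials from a known inside address is enough."""
    return req.valid_credentials and req.source_ip.startswith(CORPORATE_PREFIX)

def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Zero Trust: location is ignored; credentials, MFA and device posture are re-checked per request."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource (default deny)"
    if not req.valid_credentials:
        return False, "invalid credentials"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if policy["managed_device"] and not req.device.compliant():
        return False, "device posture non-compliant"
    return True, "allow"
```

A request with valid credentials from an address inside `10.0.` on an unmanaged, unencrypted laptop passes `perimeter_decision` but is refused by `zero_trust_decision` for device posture, while a compliant corporate laptop with MFA on a home network address is refused by the perimeter check and allowed by the Zero Trust check.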
The fact that you read this whole post is proof you are actively looking to improve your security awareness, and you’ve earned 1 point toward CSAI – Phishing Awareness! Keep up the good work; you are on the right path. Follow our blog as we post great material for you to review and help you increase your CSAI scores.
Frederic Farcy, President
National Institute of Standards and Technology (NIST) – Draft (2nd) Zero Trust Architecture, SP 800-207 – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf