Before the cloud, data was secured at the perimeter of applications and networks. Everything inside the perimeter was trusted, and everything outside the perimeter was not. But when the cloud moved data off premises to the internet, it eliminated physical borders. Suddenly, the perimeter-based security philosophy was upended, just as the cloud made compromise larger in scale, and more likely.
Years after the death of the data center, 2019 brought a reckoning on the importance of identity and access management. That mentality was present at three large cybersecurity conferences, and evident in some of the attacks our security team observed against clients.
RSA Kicked off the Year with Zero Trust
RSA President Rohit Ghai and Cybersecurity Initiative Senior Fellow Niloofar Razi Howe imagined the evolution of trust over the next 30 years in one of the keynote sessions. They spoke at length about the importance of security automation, and how humans and AI would figure prominently in that process. But most importantly, they made clear that Zero Trust would be talked about beyond these conference halls.
Zero Trust is a cybersecurity principle that uses identity and authentication to protect data in the cloud. It unifies Identity and Access Management (IAM) with network security to grant data access based on who the user is, rather than where they are.
Following the Zero Trust philosophy means not automatically trusting coworkers and partners as one would have in the past. No sender, link, attachment, or request over online channels is trusted by default; each receives the same security scrutiny. Multi-Factor Authentication (MFA) is essential, and it’s understood that any online request for sensitive data or money transfers will be confirmed offline. More broadly, it involves rethinking networks, data, user access, security practitioners, analytics, and automation.
Gartner Built on Zero Trust with CARTA
When it was time for the Gartner Security & Risk Management Summit at the start of June, most professionals were very familiar with Zero Trust, and would agree that identity is the new perimeter. But what about the application of Zero Trust? At the Summit, Gartner defined the scope of Zero Trust in the cybersecurity market.
When Gartner revealed their top security projects for 2019, Zero Trust made up half of these action items.
The five most important Zero Trust projects are:
- Cloud Access Security Broker (CASB) tools provide visibility, data security, threat protection, and compliance
- Privileged access management (PAM) grants data access privileges based on a user’s role and responsibilities at an organization. Accounts with excessive or unused administrative power are primary targets of attackers who want to change configurations. PAM goes beyond MFA to reduce the scope of accounts with privileges and govern privileged activity.
- Cloud Security Posture Management (CSPM) uses APIs to constantly monitor and assess compliance and risk across the variety of cloud services in use at an organization. CASB vendors with CSPM capabilities are featured vendors in this space because they have experience in identifying malware, suspicious logins, and unusual user behavior.
- Business Email Compromise (BEC) attacks use deceptive social engineering techniques to get a user to do something they shouldn’t — like divulge their Microsoft account credentials or wire money to a bank. This year, Gartner introduced a new category to address this form of identity deception in cloud-based email. Neil Wynne and Peter Firstbrook refer to this new class of technology as “Cloud Email Security Supplements.” CESSs protect against the threats that Secure Email Gateways (SEGs) typically miss: advanced persistent threats, business email compromise (BEC) phishing, account takeover, and intradomain insider attacks.
- Continuous Adaptive Risk and Trust Assessment (CARTA)-Inspired Vulnerability Management is similar to implementing a Zero Trust philosophy. In this model, all systems and devices are considered potentially compromised and their behaviors are continuously assessed for risk and trust. Gartner noted that Zero Trust is the first step on the road to the CARTA framework, where observation continues after login and trust is re-assessed regularly. In this way, trust can be initially established on identity, but can also be lost based on the pattern of behavior.
Gartner VP Analyst Jay Heiser poignantly said that “the biggest cause of security failure is phishing,” and “it doesn’t matter where your server is or application is... if the phisher can gain access to the authentication material, they will gain access to that service.” These security projects and the intersection of CARTA and Zero Trust should ensure that the risk of that happening is greatly reduced.
Black Hat, End-to-End Programming, and Zero Trust
In one Black Hat session, Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD), a Principal Program Manager at Microsoft and a CTO talked about the importance of leveraging identity to secure cloud assets. They advocated for using Active Directory to block access based on location, application, and risk. This was in line with the existing conversation on Zero Trust.
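The CARTA idea above (trust granted at login on identity, then continuously re-scored and possibly withdrawn) and the conditional-access approach from the Black Hat session (deciding on location, application, and risk) amount to the same policy loop. The following is an added illustration of that loop, not code from Avanan, Gartner, or Microsoft: every request in an already-authenticated session is scored against country, application sensitivity, MFA freshness, and behaviour accumulated since login, and the decision can move from allow to step-up to deny mid-session. All names, thresholds, and the sample session are assumptions constructed for the example.

```python
"""Continuous (CARTA-style) trust evaluation for an authenticated session.

Added illustration; the model, names and thresholds are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed reference data.
ALLOWED_COUNTRIES = {"US", "CA"}
APP_SENSITIVITY = {"wiki": 1, "crm": 2, "payroll": 3}  # higher = more sensitive
DENY_THRESHOLD = 60       # risk score at or above which the request is denied
STEP_UP_THRESHOLD = 30    # score at which a fresh MFA challenge is required


@dataclass
class Request:
    user: str
    country: str
    app: str
    mfa_age_min: int   # minutes since the last MFA challenge
    downloads: int     # objects downloaded by this request
    minute: int        # minutes since session start


@dataclass
class SessionState:
    """Behaviour carried forward across requests in one session."""
    countries_seen: set = field(default_factory=set)
    total_downloads: int = 0


def score_request(req: Request, state: SessionState) -> Dict[str, int]:
    """Risk contributions for one request. Nothing is trusted merely because
    the session already passed authentication at login."""
    factors: Dict[str, int] = {}
    if req.country not in ALLOWED_COUNTRIES:
        factors["unexpected_country"] = 25
    # A second country inside the same short session ("impossible travel").
    if state.countries_seen and req.country not in state.countries_seen:
        factors["country_change"] = 30
    if req.mfa_age_min > 60:
        factors["stale_mfa"] = 15
    # Sensitive applications raise the bar proportionally.
    factors["app_sensitivity"] = 10 * APP_SENSITIVITY.get(req.app, 3)
    # Bulk download is judged over the whole session, not per request.
    if state.total_downloads + req.downloads > 50:
        factors["bulk_download"] = 35
    return factors


def decide(total: int) -> str:
    if total >= DENY_THRESHOLD:
        return "deny"
    if total >= STEP_UP_THRESHOLD:
        return "step_up"   # re-challenge MFA before serving the request
    return "allow"


def evaluate_session(requests: List[Request]) -> List[Dict]:
    """Score requests in order, updating session state after each one so that
    trust established at login can be withdrawn later in the session."""
    state = SessionState()
    decisions = []
    for req in requests:
        factors = score_request(req, state)
        total = sum(factors.values())
        decisions.append({"minute": req.minute, "app": req.app, "score": total,
                          "decision": decide(total), "factors": sorted(factors)})
        state.countries_seen.add(req.country)
        state.total_downloads += req.downloads
    return decisions


# Constructed session: login from the US, the same session later appears from
# another country and starts pulling large numbers of records.
SAMPLE_SESSION = [
    Request("alice", "US", "wiki", 2, 1, 0),
    Request("alice", "US", "crm", 70, 5, 20),
    Request("alice", "RO", "crm", 75, 10, 35),
    Request("alice", "RO", "payroll", 90, 60, 50),
]

if __name__ == "__main__":
    for d in evaluate_session(SAMPLE_SESSION):
        print(d)
```

The point of carrying `SessionState` forward is the CARTA distinction: the second request is allowed only after a step-up because its MFA is stale, and the third is denied even though the same session token is still valid, because the observed behaviour no longer matches the identity's established pattern.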
Where does Zero Trust belong in the software development cycle? Black Hat had an answer for this. With no shortage of developers, but a big shortage of security professionals, it’s problematic that security is mainly a SecOps responsibility when developers could be playing more of a role in the process. If Zero Trust AI is integrated into the daily coding routine of developers, then preventative and remedial solutions carry less of the security load.
Security starts with developers, but it’s everyone’s job. When identity management uses the roles of everyone at an organization to intelligently check the extent of everyone’s jobs, then data can be more secure. Developers, users, and SecOps professionals should all align on this.
Attack Trends: Don’t Trust Your Partners
2019 brought new, advanced attack vectors. In the past, partner communications were not an object of security scrutiny. But as hackers make strides in social engineering and BEC, inherently trusting partners is a big mistake.
Even trusting emails from enterprise platforms like Salesforce can be a costly decision. Avanan saw hackers break into Salesforce Email Studio so they could mass-send phishing emails with fake invoices to partners and customers of the compromised account. Hackers also managed to compromise the public website of the sender’s company and inject two malicious URL paths. In this case, neither the sender nor the domain could be trusted.
What about trusting email threads where you’ve previously responded to trusted users? Not safe either. Avanan saw hackers use compromised email accounts to respond to existing threads between partners. Even if the victim organization knew what was going on and changed their password, it didn’t matter. By then, the hacker had already moved all existing emails to a server. With these copies of legitimate emails at their disposal, they’d add “updated agenda” to routine subject lines like “Compliance Meeting Next Week: Updated Agenda” and send them to victims using a spoofed sender and domain name.
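The thread-replay attack described above leaves a detectable trace on the receiving side: a message that continues a known thread, reuses a known participant's display name, but arrives from a domain that has never taken part in that thread and merely resembles the partner's. The following is an added example of that check, not Avanan's detection logic. It runs over a constructed list of message headers (in practice these would come from a mail gateway's logs); the field names, domains, and the two-edit lookalike threshold are assumptions.

```python
"""Flag replies that continue an existing thread from an unexpected sender.

Added example; message fields, domains and thresholds are hypothetical.
"""
from typing import Dict, Iterable, List, Optional, Tuple

OWN_DOMAIN = "victim-corp.example"          # constructed: the receiving org
PARTNER_DOMAINS = {"example-partner.com"}    # constructed trusted partners


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, known: Iterable[str]) -> Optional[str]:
    """Return the known domain this one imitates, if it is close but not equal."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None


def scan(messages: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Process messages in arrival order; each thread remembers the domains
    and display names that legitimately took part in it."""
    threads: Dict[str, Dict] = {}
    findings = []
    for m in messages:
        reasons = []
        dom = domain_of(m["from_addr"])
        name = m["from_name"].lower()
        if m["auth"] != "pass":               # SPF/DKIM/DMARC result from the gateway
            reasons.append("auth_fail")
        if lookalike_of(dom, PARTNER_DOMAINS | {OWN_DOMAIN}):
            reasons.append("lookalike_domain")
        thread = threads.get(m["thread"])
        if thread is not None:
            if dom not in thread["domains"]:
                reasons.append("new_domain_in_thread")
            prior = thread["names"].get(name)
            if prior and prior != dom:
                reasons.append("display_name_reuse")
        else:
            thread = threads[m["thread"]] = {"domains": {OWN_DOMAIN}, "names": {}}
        if reasons:
            findings.append((m["id"], reasons))
        else:
            # Only unflagged messages extend a thread's trusted participants.
            thread["domains"].add(dom)
            thread["names"].setdefault(name, dom)
    return findings


# Constructed headers: a real exchange with a partner, then a "reply" from a
# lookalike domain reusing the partner's display name and subject line.
SAMPLE_MESSAGES = [
    {"id": "m1", "thread": "T1", "from_name": "Bob", "from_addr": "bob@example-partner.com",
     "subject": "Compliance Meeting Next Week", "auth": "pass"},
    {"id": "m2", "thread": "T1", "from_name": "Alice", "from_addr": "alice@victim-corp.example",
     "subject": "RE: Compliance Meeting Next Week", "auth": "pass"},
    {"id": "m3", "thread": "T1", "from_name": "Bob", "from_addr": "bob@exarnple-partner.com",
     "subject": "Compliance Meeting Next Week: Updated Agenda", "auth": "pass"},
    {"id": "m4", "thread": "T2", "from_name": "Carol", "from_addr": "carol@another-vendor.example",
     "subject": "Invoice 4471", "auth": "fail"},
]

if __name__ == "__main__":
    for msg_id, reasons in scan(SAMPLE_MESSAGES):
        print(msg_id, ", ".join(reasons))
```

Note that the lookalike message passes authentication, because the attacker's own domain can legitimately publish SPF and DKIM for itself; the signal comes from the thread history and the display-name mismatch, which is why authentication alone is not enough for partner mail.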
To overcome the risk presented by partners, organizations should enumerate and examine the third-party domains invoked in their own applications.
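One concrete way to produce that inventory is to parse the application's own pages and list every external host that a browser would contact when loading them. The following is an added example, not Avanan's tooling: it uses only the Python standard library, collects hosts from script, stylesheet, image, iframe, and form tags, ignores the organization's own domains, and marks each remaining host as approved or needing review against an allowlist. The sample page, domains, and allowlist are constructed for the example.

```python
"""Inventory the third-party domains an application's HTML pulls in.

Added example; the sample page, domains and allowlist are hypothetical.
"""
from html.parser import HTMLParser
from typing import Dict, Iterable, Set
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch from, or submit to, a host.
URL_ATTRS = {"script": "src", "link": "href", "img": "src",
             "iframe": "src", "form": "action"}


def matches(host: str, domains: Iterable[str]) -> bool:
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


class ExternalRefCollector(HTMLParser):
    def __init__(self, own_domains: Set[str]):
        super().__init__()
        self.own_domains = own_domains
        self.refs: Dict[str, Set[str]] = {}   # host -> {"tag[attr]", ...}

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Relative URLs have no hostname; protocol-relative "//host/path" do.
        host = urlparse(value).hostname
        if host and not matches(host, self.own_domains):
            self.refs.setdefault(host.lower(), set()).add(f"{tag}[{attr}]")


def third_party_domains(html: str, own_domains: Set[str],
                        allowlist: Set[str]) -> Dict[str, Dict]:
    """Return {host: {"status": approved|review, "uses": [...]}} for every
    external host referenced by the page."""
    collector = ExternalRefCollector(own_domains)
    collector.feed(html)
    return {
        host: {"status": "approved" if matches(host, allowlist) else "review",
               "uses": sorted(uses)}
        for host, uses in sorted(collector.refs.items())
    }


# Constructed page: own assets, an approved CDN, and two unreviewed third parties.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//fonts.example-cdn.net/main.css">
<script src="https://cdn.example-cdn.net/lib.js"></script>
<script src="/static/app.js"></script>
<script src="https://tracker.example.org/t.js"></script>
</head><body>
<img src="https://www.own-corp.example/logo.png">
<iframe src="https://chat.example-support.io/widget"></iframe>
<form action="https://pay.example-pay.com/checkout" method="post"></form>
</body></html>
"""
OWN_DOMAINS = {"own-corp.example"}
ALLOWLIST = {"example-cdn.net"}

if __name__ == "__main__":
    for host, info in third_party_domains(SAMPLE_HTML, OWN_DOMAINS, ALLOWLIST).items():
        print(f"{info['status']:8} {host:28} {', '.join(info['uses'])}")
```

Running this across an application's templates on every build turns the "enumerate third-party domains" advice into a check that fails when a new, unreviewed host appears, which is how the injected paths and rogue senders described earlier would have to be noticed on the application side.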
When identity is the final frontier for access, authentication is important. Naturally, Zero Trust has changed security technology and the way cybersecurity players respond to threats.
It’s reshaping the way that vendors engineer and market their products, while encouraging them to align toward a common goal. So far, it’s touched endpoint security, network security, Managed Security Service Providers (MSSPs), Identity as a Service (IDaaS)/cloud SSO, and email security. More change is to be expected as Zero Trust emphasizes identity, authentication directories, and least privilege policies to tighten data access.
Hackers don’t break in anymore. Now, they just log in.