Security researchers are talking about attacks that range from credential stuffing to SQL injection (SQLi) and DDoS. The time has come to address these issues with a proper framework, built on a model that has been around for quite some time: the Zero Trust model.
The Zero Trust model replaces “trust, but verify” with “trust nothing, and trust no one.” Under Zero Trust, the network cuts off all access to network resources until it determines who the user is, and whether they’re authorized. Nothing, absolutely nothing, inside or outside of the network is trusted. Security architectures further support this approach by applying the concept of least privilege to the user and the resources they’re granted access to.
Organizations continue to suffer access-related problems with their users and resources, such as ransomware or compromised servers and databases. Many security programs in place today automatically trust a user or device once it is on the network. This enables criminals to pivot, exfiltrate data, or install malicious applications.
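The contrast between the two models above can be made concrete in code. The following is an added example, not part of the report: it evaluates the same request under a legacy perimeter rule (trust anything already on the internal network) and under a Zero Trust rule (deny by default, require a verified identity on a compliant device, and allow only the least-privilege role an explicit policy names). The network range, resource names, roles and requests are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample data (hypothetical): the "internal" address range a
# perimeter model trusts, and an explicit allow list mapping each resource
# and action to the roles permitted to perform it. Anything not listed is
# denied, which is what least privilege means in practice.
INTERNAL_NET = ip_network("10.0.0.0/8")
POLICY: Dict[str, Dict[str, set]] = {
    "hr-db":   {"read": {"hr-analyst"}, "write": {"hr-admin"}},
    "payroll": {"read": {"hr-admin", "finance"}, "write": {"finance"}},
    "wiki":    {"read": {"employee"}, "write": {"employee"}},
}


@dataclass
class Request:
    source_ip: str
    resource: str
    action: str
    # Zero Trust inputs: the identity the caller has actually proven (None when
    # no verified identity was presented), the roles bound to that identity,
    # and whether the device passed its posture check.
    identity: Optional[str] = None
    roles: frozenset = field(default_factory=frozenset)
    device_compliant: bool = False


def perimeter_allows(req: Request) -> bool:
    """Legacy model: once a source is on the internal network, it is trusted
    for everything. Identity and authorization are never consulted."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_allows(req: Request) -> bool:
    """Zero Trust model: network location is irrelevant. Deny unless the
    request carries a verified identity on a compliant device AND one of the
    caller's roles is explicitly allowed for this resource/action."""
    if req.identity is None or not req.device_compliant:
        return False
    allowed_roles = POLICY.get(req.resource, {}).get(req.action, set())
    return bool(req.roles & allowed_roles)


def compare(requests: List[Request]) -> List[dict]:
    """Return both decisions per request so the two models can be compared."""
    return [
        {
            "resource": r.resource,
            "action": r.action,
            "perimeter": perimeter_allows(r),
            "zero_trust": zero_trust_allows(r),
        }
        for r in requests
    ]


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # A session on an internal address with no verified identity (the
    # foothold-then-pivot case the text describes) reading payroll data.
    Request("10.1.2.3", "payroll", "read"),
    # A remote finance user on an external address, verified and compliant.
    Request("203.0.113.7", "payroll", "read", identity="alice",
            roles=frozenset({"finance"}), device_compliant=True),
    # An internal, verified employee trying to write to the HR database,
    # which their role does not permit (least privilege).
    Request("10.4.5.6", "hr-db", "write", identity="bob",
            roles=frozenset({"employee"}), device_compliant=True),
    # A verified HR admin on a device that failed its posture check.
    Request("10.7.8.9", "hr-db", "write", identity="carol",
            roles=frozenset({"hr-admin"}), device_compliant=False),
]

if __name__ == "__main__":
    for decision in compare(SAMPLE_REQUESTS):
        print(decision)
```

Running it shows the first request allowed by the perimeter model and denied by Zero Trust, the remote finance user denied by the perimeter model and allowed by Zero Trust, and the last two denied by Zero Trust on the basis of role and device posture even though the perimeter model waves them through.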
Leveraging Zero Trust
According to data that was available at the time this report was written, 30% of applications being protected in Zero Trust architectures are SaaS applications. Akamai expects this number to increase over time, as more and more critical enterprise applications and services move to the cloud.
Organizations can leverage Zero Trust to address all cyber security issues. Zero Trust is also being used to bake security into the enterprise's evolution and to cater to the needs of an organization that doesn't have a centralized data center, but instead chooses to host some applications on premises and others in the cloud. It's also used to enable controlled access to network resources for users, customers, and business partners no matter where they are in the world.
Looking at data from Janrain covering the time frame of December 2017 through November 2019, customers are increasingly adopting IAM/CIAM postures. These are the foundations on which Zero Trust is built.
The idea behind Zero Trust is to start building protections and security from the moment of registration onward. In some cases, the authentication of the user starts before the account can even be created, depending on the level of control needed.
The figure shows that, while some organizations and users will opt to authenticate with a social method before registration, the standard practice, registering via traditional means, is still the go-to method.
When it comes to logins, traditional logins (username and password) still account for the majority of access methods (74%), but Single Sign-On (SSO) and social are also active. Social login is actually the smallest traffic set. However, within that data, Facebook, Google, and Twitter are the top OAuth mechanisms being used to authenticate people. In other words, don’t expect to shut down your sign-up page any time soon.
It isn't just financial services; everyone is being targeted by criminals who use and abuse stolen credentials to fuel their criminal enterprises. However, the financial services industry is a major target for criminals because of the wealth of information that those organizations possess.
One of the tools to fight this continued assault is Zero Trust. As adoption of this framework spreads, it will become more difficult for criminals to use passive attacks, like credential stuffing, to gain a foothold on a given network. It will be harder for them to applications (e.g., Azure, AWS).
As organizations move to adopt cloud-based applications and services, the Zero Trust framework becomes a vital part of the equation.
The most success with Zero Trust comes from embracing the concept and building your operations around it, which will include investments as needed. Zero Trust isn't an easy thing to adapt to. It can take time, and legacy systems could cause some headaches at first. But evolving away from the notion of a perimeter defense is where the future is heading, because the world as we know it is quickly expanding and connecting everyone.
(Image Courtesy: www.logrhythm.com)