Compromised Identities and The Importance of a Zero Trust Strategy

Compromised Identities

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Joseph Carson of Delinea breaks down the threat of compromised identities and the importance of implementing a zero trust strategy.

Almost everything we encounter each day is computerized in some way, increasing our risk of a cyber-attack. Connecting to the internet, whether through an enterprise computer system, an app on a phone, or a typical transaction in a store, opens the possibility of a malicious hacker stealing data.

Cyber-crime is a big business, and in response, cybersecurity is becoming an increasing focus of governments and organizations on a global scale. Without it, organizations are at risk of significant financial and reputational damage. Unfortunately, one of the greatest risks comes from within. Insiders play a massive role in the protection of organizations of all sizes and types. Looking back on some of the most high-profile attacks of the last year reveals a common thread: compromised identities.

The Risk from Inside Your Company

When a massive security breach makes headlines, it often involves bad actors from foreign countries or a “perfect storm” of technological failures and malicious hackers acting opportunistically. These stories make it seem like “it wouldn’t happen to me.” But it can, and it most likely already has. The high-profile SolarWinds breach is just one example. At first, the breach seemed to be the result of calculated moves by sophisticated foreign actors. Upon deeper investigation, however, it appears to have started with compromised credentials and routine software updates. The hack was orchestrated in a specific manner. The victims had to download and deploy a compromised software update. Then, the compromised network needed to connect to the internet to allow the malicious hackers to communicate with and control the servers.

SolarWinds isn’t an outlier. The Colonial Pipeline attack was rooted in stolen credentials from an inactive account. All it took was one stolen password, and the malicious hackers disrupted fuel supplies to the U.S. Southeast, crippling key conduits delivering fuel from Gulf Coast refineries to major East Coast markets. With Colonial Pipeline, multi-factor authentication could have reduced the risk or made the security incident more difficult to carry out. If the attacker had been required to verify their identity using multi-factor authentication, it would have been far more challenging to move through the network so easily and cause so much damage. Basic cybersecurity was not enforced in these instances, but the common denominator is still people. People are at the core of all businesses of all sizes and industries, and any of them has the potential to become a risk. Attackers are always looking for ways to abuse our trust, and we must explore ways to continuously verify and validate trust at all times.

These are the primary types of insider risks and errors:

  • Human Error: Human error is a major factor in breaches. Lost devices, confidential data sent over an insecure network, misaddressed emails, and other minor mistakes can end up costing a business in financial and reputational damage.
  • Leaked Passwords and Malicious Intent: Human error is one thing, since those employees aren’t actively trying to harm the system. Malicious insiders are a different story: they leak passwords with the intent to harm or damage the company by selling data or intelligence. The number of malicious insiders tends to be low, but their impact is high.
  • Stolen Identities: Cybercriminals often steal identities to gain access. This may be done by compromising an employee account through phishing attacks or malware, or with stolen credentials. In any case, attackers can then increase their privileges within a system, leading them to the information they’re after.

The scariest part of insider risk is that the activity comes from trusted sources within trusted accounts or systems, so it may not be immediately detected by procedures or technologies. Attackers can also erase evidence of their activities to complicate forensic investigations. If this sounds like the “perfect crime,” it is. Restrictive security policies may be effective at preventing some cyber-crime, but they leave organizations vulnerable to compromised identities and inhibit productivity and innovation.

Implementing a Zero Trust Strategy

Implementing stringent protocols and technologies to address cybersecurity is a good start, but broader initiatives like a zero trust architecture are essential to balance security with a positive user experience. A zero trust strategy must also include a zero friction security approach so that more employees actually adopt the security controls.

Instead of assuming everything is trusted within a company network, the zero trust model assumes a breach and verifies each request as though it came from an untrusted source, no matter where it originated or the application or data it accesses. “Never trust, always verify” is the guiding adage. The zero trust model requires that all users within the network be authenticated, authorized, and validated before gaining access to data or applications. Microsegmentation and least privilege access minimize lateral movement in the network, and analytics are used to detect and respond to threats in real-time.

It relies on seven guiding principles:

  • Evolving perimeter: Managing and defending a perimeter isn’t the old metaphor of a castle wall anymore. Cloud networks and remote workforces have made this traditional model impractical, and zero trust is a strategy to integrate security throughout the network. Mitigating risk can still take place at the perimeter level, however.
  • Verification and authentication: All users should be authenticated and verified based on available information, including location, user identity, service or workload, and more.
  • Principle of least privilege: Privileged access is just-in-time and just-enough. Users are only given the minimum access they need to perform a task and only for the time they need to complete it. Once the task is finished, the privilege is revoked.
  • Assume a breach: Zero trust minimizes a breach’s “blast radius” and segments access to limit damage. Analytics can be used to gain visibility, detect threats, and improve defenses.
  • Zero inherent trust: As the name implies, a zero trust architecture assumes nefarious intent until proven otherwise. All service and application requests must be verified at all network levels.
  • Workforce, workplace, workload: Workforce means establishing trust levels of users or devices to determine access privileges. Workplace means implementing trust-based access control on networks. Workload means preventing unauthorized access within the segmented networks, no matter where they’re hosted.
  • Continuous trust verification: Zero trust requires users to establish trust by verifying their identity using various means, including device location and multi-factor authentication. It enforces the least privileged access to networks and applications.

Zero trust encompasses several defense areas, including:

  • Identities: Each identity is verified and secured with authentication and authorization.
  • Endpoints: Before access is granted, compliance and health status must be verified.
  • Apps: Appropriate in-app permissions, gated access based on analytics, and monitored and controlled user actions limit app vulnerabilities.
  • Data: Data-driven protection takes priority over perimeter-based protection with restricted access and encryption along with a strong backup strategy.
  • Infrastructure: Risky activities are automatically blocked and flagged, and least privilege limits what a compromised identity can do.
  • Network: No device is trusted simply for being on the internal network. Access is limited, communications are encrypted, and micro-segmentation prevents lateral movement through the network.
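The seven principles and the defense areas above describe how a zero trust request decision fits together: verify the identity (including multi-factor authentication), check endpoint health before access, and allow only a just-in-time, just-enough grant that is revoked when its window closes. The following added example, which is illustrative code and not part of the original column or any Delinea product, models that decision flow as a small policy engine; the user, device and resource names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    mfa_verified: bool
    resource: str
    action: str
    at: datetime

@dataclass
class JitGrant:
    # Just-in-time, just-enough: one resource, only the actions needed, an expiry.
    resource: str
    actions: frozenset
    expires_at: datetime

class ZeroTrustPolicy:
    def __init__(self, active_users, compliant_devices, grants):
        self.active_users = set(active_users)
        self.compliant_devices = set(compliant_devices)
        self.grants = grants  # user -> list of JitGrant

    def revoke_expired(self, now):
        # Privilege is revoked once its window closes, not left lying around.
        for user in self.grants:
            self.grants[user] = [g for g in self.grants[user] if g.expires_at > now]

    def evaluate(self, req):
        # Identity: verify every request; dormant or unknown accounts get nothing.
        if req.user not in self.active_users:
            return "deny", "inactive_or_unknown_account"
        if not req.mfa_verified:
            return "deny", "mfa_required"
        # Endpoint: compliance and health are checked before access is granted.
        if req.device_id not in self.compliant_devices:
            return "deny", "device_noncompliant"
        # Least privilege: only an unexpired grant for exactly this action passes.
        self.revoke_expired(req.at)
        for g in self.grants.get(req.user, []):
            if g.resource == req.resource and req.action in g.actions:
                return "allow", "jit_grant"
        return "deny", "no_matching_grant"

# Constructed sample: one active user with a two-hour read-only grant on a database.
T0 = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)
def sample_policy():
    grants = {"alice": [JitGrant("db/customers", frozenset({"read"}), T0 + timedelta(hours=2))]}
    return ZeroTrustPolicy(["alice"], ["laptop-01"], grants)
```

Every denial carries a reason, so the same decision record can feed the analytics the article calls for: a run of `mfa_required` or `inactive_or_unknown_account` denials against one account is exactly the signal a compromised credential produces.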

Protect Yourself from Internal Risks

Zero trust isn’t new, but it’s more relevant than ever. Businesses are collecting more and more data stored in the cloud, workforces are distributed across the globe, and the traditional network perimeter isn’t good enough. Cyber-criminals know the fast track to sensitive data is through compromised identities, and the best way to protect these assets is with least privileged access and the principles of a zero trust model.

Joseph Carson