A CFO Guide to ‘Zero Trust’ Cybersecurity

As the boundaries of corporate networks grow hazier, a new strategy makes stopping cyberattacks clearer.

Businesses today invest a great deal of time, money, and effort in building trust with their many stakeholders, with one deliberate exception: the users and devices that connect to their computer networks. The aim is to defeat cyber attackers, whose sophistication keeps increasing, and doing so requires clearing internal networks of implicit trust.

To get there, a "Zero Trust" security architecture replaces the familiar "trust, but verify" approach with "never trust, always verify," starting from the premise that any network communication, regardless of its origin, may be hostile. The objectives are to limit network access for all users and devices, to implement security controls that hide applications a user is not authorized to use, and to authenticate identities and keep verifying them continuously. The ultimate goal is a risk-based, context-aware access control posture for every network connection to corporate applications and data, whether they are hosted on-premises or in the cloud.

Zero Trust is a sharp departure from the castle-and-moat strategy, which reinforces the perimeter to keep outsiders away from business data while implicitly trusting insiders. IT infrastructures once had well-defined perimeters. Changing business models, shifting workforce demographics, and sophisticated, hyper-connected IT infrastructures have made those lines increasingly hazy. Businesses have moved applications from data centers to the public cloud, and endpoints have expanded to include mobile devices, bring your own device (BYOD) hardware, and a profusion of web-enabled smart gadgets (the Internet of Things, or IoT). The contemporary technology ecosystem can appear dangerously pervasive and far from contained.

CFOs can calculate the potential cost of not investing in Zero Trust. According to a recent survey, the average cost of a data breach has risen to $4.24 million, up almost 10% from the previous year; where remote work was a contributing factor in the breach, the average cost was $4.96 million. High-profile ransomware attacks, which lock users out of their own systems and demand exorbitant fees before handing over the decryption key (or not), have drawn attention to the costly reputational, and possibly legal, consequences of a breach. Supply chains have also been attacked through third-party software and service providers. The pandemic may also have made finance leaders more conscious of the cost of business interruptions, and the scramble to equip a remote workforce has underlined how much the capabilities for providing secure remote access needed updating.

Trust Issues

Finance executives might, for instance, fold an overhaul of the security model into a larger transformation initiative they are already driving or co-leading (42% of CFOs, according to Deloitte's CFO Signals™ survey for the second quarter of 2021). For the many companies that now offer a hybrid work model, the security architecture needs to change to reflect that shift.

In the past, well-built firewalls were enough to keep intruders out. Companies now need more advanced defenses to thwart attackers arriving from many kinds of endpoints, including employee devices and IoT-enabled equipment. Beyond managing and securing traditional infrastructure, they must also manage and secure hybrid and multi-cloud environments, which adds operational overhead and complexity and exposes shortages of staff and skills.

Zero Trust, which is both a methodology and a mindset, draws on a range of technologies and governance procedures to address a constantly changing risk landscape, and it can help safeguard an IT ecosystem that keeps growing more complex.

The idea behind the term "Zero Trust" is that every connection request to a business system or network must be treated as if it could come from an already compromised source. Traditionally, remote users connected to a virtual private network (VPN) to gain access, and the IP address they were assigned gave them a free pass to roam the network. Attackers who exploit system flaws or compromised credentials can use that unrestricted access to move laterally through the network in search of sensitive data or critical systems. Zero Trust Network Access (ZTNA), by contrast, applies security controls so that only the applications a user actually needs are exposed to that user, which prevents anyone from probing parts of the network they are not authorized to reach.

A user's network access can also be evaluated and updated dynamically in response to changing external conditions or user behavior: for example, detection of malware on the endpoint may revoke network access, and rarely used applications may require additional step-up authentication. A ZTNA solution's main objectives are to uphold the "least privilege" principle and to limit the blast radius of any future cyberattack.

Before embarking on a Zero Trust transformation, companies should have a clear understanding of the assets they need to defend: where those assets are located, who should have access to them, and under what circumstances. They should also decide which individuals and devices receive access rights to the data in question, which data classifications they will use, and which environmental factors should influence access. A ZTNA solution should be designed to block any access request that looks suspicious.
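To make the access model described in the last three paragraphs concrete, here is an added example (not code from the original article or from any ZTNA product) of a minimal policy decision function. It takes the inputs the article lists, an asset inventory with classifications and entitlements, the identity making the request, the posture of the device it comes from, and a behavioural signal, and returns ALLOW, STEP_UP (grant only after additional authentication) or DENY. The classifications, thresholds, users, devices and assets are all constructed for illustration, and the ordering of the checks (hard denies before step-up triggers) is a design assumption, not a standard.

```python
"""Added example: a toy Zero Trust policy decision point (not from the article)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after additional authentication
    DENY = "deny"


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset[str]
    mfa_verified: bool  # strong authentication already completed in this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in corporate device management (else BYOD)
    compliant: bool          # posture check passed (patched, disk encrypted, ...)
    malware_detected: bool   # live endpoint-protection signal


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str             # public | internal | confidential | restricted
    allowed_roles: frozenset[str]   # explicit entitlements (least privilege)
    managed_device_required: bool


@dataclass(frozen=True)
class AccessRequest:
    user: User
    device: Device
    asset: Asset
    days_since_last_access: int  # behavioural signal from the user's usage history


# Constructed values: the sensitivity ordering and the "infrequent use" threshold.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CONFIDENTIAL = SENSITIVITY["confidential"]
INFREQUENT_USE_DAYS = 30


def decide(req: AccessRequest) -> tuple[Decision, str]:
    """Evaluate one request: hard denies first, then step-up triggers, then allow."""
    sensitivity = SENSITIVITY[req.asset.classification]
    # A compromised endpoint loses access regardless of who is logged in.
    if req.device.malware_detected:
        return Decision.DENY, "malware detected on endpoint"
    # Least privilege: the user's role must be explicitly entitled to the asset.
    if not (req.user.roles & req.asset.allowed_roles):
        return Decision.DENY, "role not entitled to asset"
    # Assets that demand a managed device are never exposed to BYOD/unmanaged devices.
    if req.asset.managed_device_required and not req.device.managed:
        return Decision.DENY, "managed device required"
    # Posture failure: deny for sensitive data, otherwise demand re-authentication.
    if not req.device.compliant:
        if sensitivity >= CONFIDENTIAL:
            return Decision.DENY, "non-compliant device for sensitive asset"
        return Decision.STEP_UP, "non-compliant device"
    # Sensitive data always needs a strong authentication event in this session.
    if sensitivity >= CONFIDENTIAL and not req.user.mfa_verified:
        return Decision.STEP_UP, "MFA required for sensitive asset"
    # Unusual behaviour: an application this user rarely touches triggers step-up.
    if req.days_since_last_access > INFREQUENT_USE_DAYS:
        return Decision.STEP_UP, "infrequently accessed application"
    return Decision.ALLOW, "all checks passed"


# Constructed inventory: who may reach what, and under which device conditions.
ERP = Asset("erp", "confidential", frozenset({"finance"}), managed_device_required=True)
PAYROLL = Asset("hr-payroll", "restricted", frozenset({"hr"}), managed_device_required=True)
WIKI = Asset("wiki", "internal", frozenset({"finance", "hr", "contractor"}), managed_device_required=False)

ALICE = User("alice", frozenset({"finance"}), mfa_verified=True)
ALICE_NO_MFA = User("alice", frozenset({"finance"}), mfa_verified=False)
BOB = User("bob", frozenset({"contractor"}), mfa_verified=False)

LAPTOP = Device("lt-001", managed=True, compliant=True, malware_detected=False)
INFECTED = Device("lt-001", managed=True, compliant=True, malware_detected=True)
BYOD = Device("phone-9", managed=False, compliant=False, malware_detected=False)


def sample_decisions() -> dict[str, Decision]:
    """Run constructed requests through the policy; returned so callers can inspect them."""
    cases = {
        "alice->erp (healthy laptop)": AccessRequest(ALICE, LAPTOP, ERP, 2),
        "alice->erp (infected laptop)": AccessRequest(ALICE, INFECTED, ERP, 2),
        "alice->payroll (not entitled)": AccessRequest(ALICE, LAPTOP, PAYROLL, 2),
        "alice->erp (no MFA yet)": AccessRequest(ALICE_NO_MFA, LAPTOP, ERP, 2),
        "alice->wiki (first time in 45 days)": AccessRequest(ALICE, LAPTOP, WIKI, 45),
        "bob->wiki (BYOD, non-compliant)": AccessRequest(BOB, BYOD, WIKI, 3),
        "bob->erp (BYOD)": AccessRequest(BOB, BYOD, ERP, 3),
    }
    return {name: decide(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:40} {verdict.value}")
```

The point of the ordering is that a decision is recomputed on every request, not once at login: the same user on the same laptop is allowed into the ERP system in one request and denied in the next as soon as the endpoint-protection signal flips, and an application she has not touched in over a month costs her a step-up challenge rather than a free pass. A real policy engine would pull these signals from the identity provider, the device-management and EDR platforms, and the usage telemetry rather than from constants.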

Pillar Talk

Implementing Zero Trust usually requires breaking the firm's IT security domains down into their fundamental components. Rather than attempting to roll out Zero Trust across the entire business at once, CFOs and other business leaders may wish to examine the seven Zero Trust domains that support IT security, prioritize them, and outline a strategy for moving each one up the maturity model. As Zero Trust capabilities mature under a risk-based methodology, "least privilege" access is enforced so that users and applications can reach only the information they absolutely require.

The seven Zero Trust domains and their corresponding descriptions within the framework's context are listed below.

  • Identities are the new perimeter and the core component of any Zero Trust architecture. Centralize authentication and authorization through streamlined authentication and access management so that employees can reach corporate resources quickly and securely.
  • Workloads are the applications or services that users access, whether hosted on legacy infrastructure or in cloud environments. They can be finely hardened, isolated, and monitored, with risk-based adaptive actions such as restricting access or blocking uploads for particular apps.
  • Data should sit at the core of an effective Zero Trust strategy. Sensitive data should be protected with advanced data discovery, encryption, and loss-prevention tools, whether it is in transit over the network or at rest in the cloud or on-premises.
  • Networks carry traffic between users, devices, and applications, with controls that segment (block unintended network communications), monitor, and analyze activity, on the assumption that every network connection request is inherently untrustworthy.
  • Devices include managed, known types as well as unmanaged (e.g., BYOD) and smart devices (e.g., IoT) that connect to an organization's enterprise assets. Risk-based adaptive access decisions should take into account the identity of each device, the user logged in, and other contextual signals (for example, which applications that user typically uses) in order to catch anomalies that could indicate an intruder. Devices should be continuously assessed for risks and threats.
  • Telemetry and analytics collect data from the relevant security controls into a centralized monitoring system for event correlation and advanced analysis that can detect suspicious and potentially malicious behavior. Threat intelligence should also be folded in to give the enterprise a threat-driven security posture.
  • Automation and orchestration enable a more proactive security posture by automating detection, prevention, and response actions through integrated security controls. Automating the investigative work that a never-ending stream of security alerts demands can raise the productivity of security operations. Integrating the organization's security systems allows pre-defined incident response actions to be orchestrated in near real time, so that threats are not only detected but also isolated and neutralized.


For more than 20 years, Jeffrey has defended business owners and their assets from cyber criminals. To speak with an expert security technician, contact RCS Professional Services or visit our website www.rcsprofessional.com to learn how we can help you.

Sources:

https://www2.deloitte.com/us/en/pages/finance/articles/zero-trust-in-the-face-of-escalating-cyber-attacks.html?id=us:2el:3dp:wsjspon:awa:WSJCFO:2021:WSJFY22

https://newsroom.ibm.com/2021-07-28-IBM-Report-Cost-of-a-Data-Breach-Hits-Record-High-During-Pandemic

https://www2.deloitte.com/us/en/pages/finance/articles/cfos-raise-their-expectations-for-growth-across-key-metrics.html?id=us:2el:3dp:wsjspon:awa:WSJCFO:2021:WSJFY22
