Traditional IT network security is based on the castle-and-moat concept. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. This strategy focuses on securing the castle (or sensitive system) from external threats while placing minimal controls on trusted insiders. The core principal is that internal users are trusted, while external parties represent a more dangerous and damaging threat.
Unfortunately, limited controls on insider accounts have resulted in numerous breaches, such as when insiders leverage existing privileges to exfiltrate data or when an external attacker gains access to an insider account (possibly through phishing) and leverages those privileges for malicious activities. It might seem like employees (or internal users) should be the most trusted users accessing a network or system. But the insider risk is real and needs to be managed as the damage that could be caused can be as costly as an external attack.
As a result, organizations are applying similar controls to insiders that were once limited to external parties. Concept of Zero trust is gaining popularity. Zero trust assumes that no user is trusted. Users of all types — internal, external, executive, third party, high-clearance or entry-level, human or machine — are considered a possible threat. And all the actions those users can perform and the resources the users can access on a network should be limited by default.
Zero Trust explained with real life example
These days almost every organization is allowing their employees to work from home. John is an employee of an fictitious organization ABC Corp. John is an old timer working with ABC Corp for more than 15 years and one holding an executive position. He has access to various key applications and resources that he can access using company provided laptop and his personal mobile. Committed to provide best employee experience, ABC Corp has removed frictions in security controls.
In the pandemic days, John is very concerned about COVID-19 and is wondering about how to get on the vaccination list. Unexpectedly, John gets an text message to join COVID-19 vaccination list immediately and despite of a warning generated from mobile device management software, he downloads an application from the link provided in the message. John being an executive and a trusted employee is allowed to download and install this application on his mobile device. John aware that the text was a phishing attack and application that he installed is a keystroke logger. Ignoring the warning and downloading this malicious application triggers a device quarantine policy and John’s mobile device gets blocked and when he tries to sign in his access is denied. Due to this action, John’s trust level decreases triggering ABC Corp to add frictions to his work operations. This is where “Never Trust & Always Verify” aspect of Zero Trust comes into play. Because of the keystroke logger on John’s mobile, his login credentials are captured by the attacker. Now the attacker tries to use these credentials and sign into ABC Corp’s network. Now because the attacker’s device is not registered, he is coming form a different geo location and his behaviour trails like mouse movements and keyboard strokes do not match John, he is not allowed to sign in. ABC Corp’s protection policies have proactively blocked the attacker from using stollen credentials and disabled John’s accounts because of his decreased level of trust.
How to Accomplish Internal Access Security
While employees are mostly well behaved, breaches and other attacks may still occur by accident due to employee negligence or phishing. Given these risks, it is best to consider controls to minimize the breadth and scope a breach can take.
The zero trust security help reduce organizational risks. While zero trust is typically associated with protecting against outside threats, it’s clear that the principles can and should align with insider security measures as well.
• Multi-factor authentication (MFA) helps verify the identity of the user who’s trying to access the system. Once an employee enters their password into a system (i.e., something the employee knows), a second verification is required to ensure their identity, often using something the employee has, such as a phone or token.
• Least privileged access involves restricting access down to the most granular level, meaning employees should have access only to the systems, servers or applications needed to do their job and nothing more. Least privileged access is accomplished using privileged access management (PAM) or identity access management (IAM) systems that help manage each employee’s access permissions.
• Strong credentials and protecting login information is an essential step in securing internal access. Also, human error and leaked credentials tend to go hand-in-hand — most of the time, employees won’t know that their passwords have been stolen until it’s too late. Hence organizations need implement password policies enforcing strong passwords that should be changed periodically.
• Conducting periodic access reviews and access certifications is another best practise. Better is to implement an access review tool that can continuously review access rights, monitor employee access and flag inappropriate/incorrect access attempts, validate and revoke access that are not required. These solutions help streamline effective access reviews and make it even easier to spot invalid access attempts that could cause internal disruption.
To sum-up, while aiming to prevent outsider attacks, don’t discount insider threats that could come from your employees. Controlling internal access with zero can help prevent breaches or reduce their extent.