The discovery of the Log4j vulnerability in December 2021 is one of the more recent and prominent reminders of why cybersecurity teams need to implement a zero-trust security architecture.
Not that they should need reminders. Incidents are happening every day, and some of them — such as ransomware attacks that may impact virtually entire supply chains — make a lot of headlines. In the case of Log4j, a Java-based logging utility that’s part of the Apache Logging Services, security researchers found a zero-day security vulnerability involving arbitrary code execution.
This was no garden-variety vulnerability. Security experts described the flaw as one of the biggest and most critical discovered in recent years, and it provides a glaring example of how much at risk organizations can be. New software vulnerabilities are being uncovered all the time, and some of them can lead to serious security breaches and lost data.
As cybersecurity and IT leaders know all too well, the complexities of security have increased significantly in recent years. Not only are attacks becoming more sophisticated, but also cybercriminals are more organized than in the past, and in some cases well-financed by nation-states.
In addition, the attack surface has broadened considerably in recent years. More people are now working remotely, and in many cases they are using their own devices and networks to access critical business data.
Furthermore, the use of cloud services and multi-cloud strategies continues to increase. Sometimes cloud deployments are not even on the radar of central IT and therefore not managed as other IT assets might be. Given the rise of cloud services, remote work and mobile environments, the concept of perimeter defense has been obliterated. There is no longer such a thing as a perimeter, or perimeter defense.
The necessity of zero trust
These developments provide good reasons for organizations to shift to a zero-trust model of cybersecurity. The concept is fairly simple: trust no user or device, and always verify. A successful zero-trust approach considers three things: a user’s credentials, the data the user is trying to access and the device the individual is using.
By combining the principle of least privilege with a modern approach of contextual access, multi-factor authentication (MFA) and network access, organizations can maintain a more agile security model that is well suited for a cloud-heavy and mobile-centric environment.
The result of the zero-trust approach is that organizations can reduce their attack surface and ensure that sensitive data can only be accessed by those users who need it under approved, validated context. This serves to greatly reduce risk.
Traditional zero-trust practices have typically focused on network access and identity and access management (IAM) through single sign-on (SSO). With remote work now encompassing such a large portion of end-user access, however, device posture is increasingly important as devices act as the new perimeter in a perimeter-less world.
By adding device validation to their security protocol, enterprises can defend against criminals who steal credentials, or the devices that satisfy an MFA challenge, and use them to gain access to networks and data even after MFA has been passed.
Even when the network environment is monitored for noncompliance and critical vulnerabilities, the device itself is the last line of defense before sensitive data is compromised. This is why it’s so important to adopt a converged endpoint management solution as part of the zero-trust approach.
Here are some of the key components of a zero-trust practice that organizations should consider:
- Device compliance monitoring and enforcement. This confirms the security posture for devices and gives security teams the control to take action if something is not right.
- IAM. This provides authentication checks to confirm an individual’s identity and compares the user’s access against role-based rules.
- Network access. Organizations can control access to resources and network segments based on a user’s persona and the device being used.
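To make the three checks concrete, here is an added example (not code from the article or from Tanium) of a minimal contextual access-policy evaluator: a request is allowed only if the user's MFA-backed identity, a least-privilege role match, and the device's posture all check out, so stolen credentials presented from an unmanaged device are refused. The User, Device and Resource classes and the sample request data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    mfa_verified: bool          # MFA challenge passed for this session

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in the endpoint-management tool
    patched: bool               # no known critical vulnerabilities outstanding
    disk_encrypted: bool

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str            # "internal" or "sensitive"
    allowed_roles: frozenset

def device_compliant(device: Device) -> bool:
    """Device posture check: every control must be in place."""
    return device.managed and device.patched and device.disk_encrypted

def authorize(user: User, device: Device, resource: Resource) -> tuple:
    """Evaluate one request; identity, least-privilege role and device all must pass."""
    if not user.mfa_verified:
        return False, "mfa_not_verified"
    if not (user.roles & resource.allowed_roles):
        return False, "role_not_permitted"       # least privilege
    if not device.managed:
        return False, "device_unmanaged"         # unknown device, even with valid creds + MFA
    if resource.sensitivity == "sensitive" and not device_compliant(device):
        return False, "device_noncompliant"      # stricter posture for the most sensitive data
    return True, "allowed"

# Constructed sample request data (hypothetical, not from the original page).
ALICE = User("alice", frozenset({"finance"}), mfa_verified=True)
CORP_LAPTOP = Device("lt-0042", managed=True, patched=True, disk_encrypted=True)
UNPATCHED_LAPTOP = Device("lt-0099", managed=True, patched=False, disk_encrypted=True)
ATTACKER_BOX = Device("unknown", managed=False, patched=False, disk_encrypted=False)
PAYROLL = Resource("payroll-db", "sensitive", frozenset({"finance"}))
WIKI = Resource("intranet-wiki", "internal", frozenset({"finance", "engineering"}))

if __name__ == "__main__":
    print(authorize(ALICE, CORP_LAPTOP, PAYROLL))       # (True, 'allowed')
    print(authorize(ALICE, UNPATCHED_LAPTOP, PAYROLL))  # (False, 'device_noncompliant')
    print(authorize(ALICE, ATTACKER_BOX, PAYROLL))      # (False, 'device_unmanaged')
```

Note that the unpatched but managed laptop is still allowed to reach the internal wiki; only the sensitive resource demands full compliance, which is how least privilege and device posture combine.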
Don’t neglect security fundamentals
Along with deploying the zero-trust approach, organizations should pay heed to security fundamentals. For example, they need to patch vulnerabilities as soon as they are identified. The Log4j development showed why that is important.
Patches should be installed and updated, but not in a haphazard way. Comprehensive patch-management programs should encompass all devices used in the organization that are connected to the internet and corporate networks.
Another good practice is to reassess all endpoints where systems are vulnerable to attacks. This includes conducting an audit of all those systems and devices that have administrative access to network systems, and an evaluation of the security protections on any sensors or other internet of things (IoT) devices tied to networks.
On a longer-term basis, companies need to reassess how they gather, store and categorize the growing volumes of data they are managing. That might mean segmenting data so that more stringent security controls are placed on access to the most sensitive data — such as personal information or intellectual property.
In addition, organizations need to be vigilant about using MFA and strong passwords. Networks have been compromised because hackers guessed users’ passwords, which suggests a need for policies that require more complex passwords or the use of MFA.
Users can be unintentionally careless when it comes to cybersecurity practices, so providing good training programs and running awareness campaigns are also good ideas to educate everyone in the organization. These programs should cover examples of phishing and other attacks, as well as social engineering techniques frequently used by bad actors to gain sensitive information or network access.
By deploying a zero-trust model and taking care of the cybersecurity “basics,” organizations can put themselves in a position to defend against the latest threats, including ransomware.
Security today requires more than simply managing identities and authenticating users. It needs to assume that anyone or anything trying to get into the network is an intruder — until proven otherwise.
Explore more zero-trust resources from Tanium to learn how to successfully implement this methodology at your organization.