The consolidation of remote working and the rise of cloud services, driven by the pandemic, have blurred the security perimeter of organizations. This new landscape has given way to multi-cloud environments, which combine different providers, and hybrid clouds, which combine public and private cloud. It is a scenario that is much more complex to manage and protect with traditional tools, and it opens more doors to cybercriminals. In the face of growing and unstoppable cybersecurity risk, the Zero Trust strategy, which starts from the premise that no user, device or connection is trusted by default, is spreading as one of the best defenses. It requires continuous verification and monitoring of users, transactions and devices, both inside and outside the corporate network.
The new episode of Cuatroochenta's podcast 'Zero Trust. 100% verified security' focuses on analyzing the benefits and limitations of adopting a zero-trust security architecture. How are professional environments secured? Is it difficult to adopt and operate a strategy of continuous control over users, access and the network? What are the implications for an organization? These are some of the questions we address in Cuidado con las macros ocultas with Eduardo Sánchez Toril, cybersecurity expert, vocational training lecturer and CEO of AllPentesting; Clara Beleña, CISO of the Universitat Oberta de Catalunya; and Juan Carlos García, Country Manager of Sofistic in Spain.
The basic pillars of Zero Trust
Sánchez Toril highlights that, in addition to ransomware attacks and exploitation of zero-day vulnerabilities, there are incidents related to cryptocurrency mining, social engineering (with phishing as the main attack) and those known as "man in the middle", in which cybercriminals insert themselves into transactions between organizations and their customers. According to him, these attacks are quieter, but they still generate significant profits for cybercriminals. He also emphasizes that the Zero Trust strategy, which involves trusting no one, not even a user inside the organization, is a good approach to cybersecurity.
How to deploy a zero-trust model?
This new paradigm combines advanced control methods such as multi-factor authentication, identity protection, next-generation endpoint security and robust cloud security to verify the identity of every user and system. To succeed in implementing a Zero Trust architecture, organizations must start from the premise that every connection and endpoint, whether external or internal, is a potential threat.
2. Principle of least privilege
The principle of least privilege is a key principle in protecting data and managing information for companies and, although it is not easy, doing so with a Zero Trust perspective increases security guarantees. The key is to "flatten the curve between the permissions granted and those used by the user", as Juan David Díaz, solutions architect at Sofistic Colombia, pointed out during the BSides Panama 2023 conference. In practice, it is a matter of limiting access and privileges to the maximum, so that the users of an organization can only access the information that is essential for the development of their activity.
«It is not necessary for the entire organization to have access to all resources. The ideal is to provide access according to needs so that employees have access to the information and systems required to carry out their job responsibilities and, in the case of having to access critical information or systems, it should be on demand and with a temporary basis.»
Especially if they are used to sharing a single server and having access to everything. But it must be considered that the user is the weakest link and that, with these more flexible models, the risk of data leakage increases. In the end, it is not only a security incident: it can also have an economic impact on the company, in addition to damaging brand reputation, losing customers and creating legal liability, as Sofistic's Country Manager noted in his talk 'How to protect the brand against cyber-attacks' at the 9th MESIAS Cibereputation Forum conference.
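The two ideas in this section, flattening the gap between granted and used permissions and making access to critical systems on-demand and temporary, can be made concrete with a small access model. The following is an added example, not code from the podcast, Cuatroochenta or Sofistic: it compares each identity's standing permissions against the permissions actually exercised in a constructed audit log, proposes a right-sized permission set, and gates a critical permission behind an expiring, on-demand grant. The users, permission names and log events are all constructed sample data.

```python
"""Least-privilege audit and time-boxed (on-demand) access grants.

Added example. Everything below (users, permission names, audit events,
the AccessPolicy class) is a constructed illustration, not a real product API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data: standing permissions per identity.
GRANTED = {
    "alice": {"crm:read", "crm:write", "billing:read", "prod-db:admin"},
    "bob": {"crm:read", "wiki:read"},
}

# Constructed audit-log events: (timestamp, user, permission exercised).
AUDIT_LOG = [
    ("2024-03-01T09:12:00", "alice", "crm:read"),
    ("2024-03-01T09:15:00", "alice", "crm:write"),
    ("2024-03-02T11:00:00", "bob", "crm:read"),
    ("2024-03-03T16:40:00", "alice", "crm:read"),
]

# Reference instant used by the demo and helpers below.
T0 = datetime(2024, 3, 4, 10, 0)


def minutes(n):
    """Small helper so callers can express offsets as plain integers."""
    return timedelta(minutes=n)


def used_permissions(log):
    """Permissions each user actually exercised in the log window."""
    used = {}
    for _ts, user, perm in log:
        used.setdefault(user, set()).add(perm)
    return used


def unused_permissions(granted, log):
    """Standing permissions that were never exercised: candidates for removal."""
    used = used_permissions(log)
    return {user: perms - used.get(user, set()) for user, perms in granted.items()}


def right_sized(granted, log):
    """The 'flattened' policy: keep only what was granted AND used."""
    used = used_permissions(log)
    return {user: perms & used.get(user, set()) for user, perms in granted.items()}


@dataclass
class TemporaryGrant:
    user: str
    permission: str
    granted_at: datetime
    ttl: timedelta
    reason: str  # recorded for audit: why the elevation was requested

    def active(self, now):
        return self.granted_at <= now < self.granted_at + self.ttl


@dataclass
class AccessPolicy:
    standing: dict                      # user -> set of standing permissions
    critical: set = field(default_factory=set)   # permissions that are never standing
    temporary: list = field(default_factory=list)

    def request_elevation(self, user, permission, now, ttl, reason):
        """Grant a critical permission on demand, for a bounded time."""
        grant = TemporaryGrant(user, permission, now, ttl, reason)
        self.temporary.append(grant)
        return grant

    def is_allowed(self, user, permission, now):
        # Critical permissions are only reachable through an active temporary
        # grant, even if someone left them in the standing set by mistake.
        if permission in self.critical:
            return any(
                g.user == user and g.permission == permission and g.active(now)
                for g in self.temporary
            )
        return permission in self.standing.get(user, set())


def demo():
    """Run the audit and the on-demand flow; returns a summary dict."""
    policy = AccessPolicy(standing=GRANTED, critical={"prod-db:admin"})
    before = policy.is_allowed("alice", "prod-db:admin", T0)
    policy.request_elevation("alice", "prod-db:admin", T0, minutes(60), "incident #ticket-placeholder")
    return {
        "unused": unused_permissions(GRANTED, AUDIT_LOG),
        "right_sized": right_sized(GRANTED, AUDIT_LOG),
        "admin_before_request": before,
        "admin_during_grant": policy.is_allowed("alice", "prod-db:admin", T0 + minutes(30)),
        "admin_after_expiry": policy.is_allowed("alice", "prod-db:admin", T0 + minutes(120)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit output is what a periodic access review would consume: `unused_permissions` lists standing rights nobody exercised in the window (a candidate list for removal), while `right_sized` is the tightened policy. The `critical` set enforces the "on demand and temporary" rule from the quote above: a permission in that set is never honoured from the standing policy, only from an active, time-limited grant that records who asked and why.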
3. Device control
If protecting information is important for an organization, it is also important to know from where it is being accessed and consumed. In this sense, we can talk about three types of devices that interact, in one way or another, with companies:
Faced with this complex web of device types, it is essential for the organization to establish clear security policies. In the case of corporate devices, there are organizations that are committed to imposing many restrictions on both browsing and connections. However, it should be borne in mind that, in the case of non-corporate computers or mobiles used for work, even if minimum security guidelines are established, there is also the risk of not knowing exactly who is using them. In this regard, experts advocate training workers in good information security practices.
4. Network segmentation
Assuming that no network is unbreakable and that the attack surface is much larger than the defensive one, organizations must minimize the radius of exposure so that, in the event of an intrusion, propagation is prevented and lateral movement of threats is reduced. This involves segmenting the network so that each segment has its own security policies and is easier to block in the event of unauthorized access. It also limits the damage an attacker who gains access to one part of the network can cause, because that part is isolated from the others.
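Segmentation only reduces the exposure radius if inter-segment flows are an explicit allow-list and the chains between allowed flows are understood. The following added example (not code from the podcast or from any of the organizations mentioned) models a small constructed topology of four segments, an allow-list of flows between them, a check that classifies constructed connection-log entries as allowed or denied, and a reachability computation that shows which segments an intruder in one segment could reach by hopping along allowed flows, compared with a flat network. Prefixes, segment names, ports and log entries are all constructed.

```python
"""Network segmentation policy check and exposure-radius computation.

Added example with a constructed topology; not a description of any real
network or product.
"""
import ipaddress
from collections import deque

# Constructed topology: which segment each prefix belongs to.
SEGMENTS = {
    ipaddress.ip_network("10.10.0.0/24"): "workstations",
    ipaddress.ip_network("10.20.0.0/24"): "app-servers",
    ipaddress.ip_network("10.30.0.0/24"): "db-servers",
    ipaddress.ip_network("10.40.0.0/24"): "backup",
}

# Explicit allow-list of inter-segment flows: (src, dst) -> permitted dst ports.
# Anything not listed is denied, including traffic between hosts of the same segment.
ALLOWED_FLOWS = {
    ("workstations", "app-servers"): {443},
    ("app-servers", "db-servers"): {5432},
    ("backup", "db-servers"): {22},
}


def segment_of(ip):
    """Name of the segment containing ip, or None if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, port):
    """Policy decision for one connection: 'allow' or 'deny' (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny"
    return "allow" if port in ALLOWED_FLOWS.get((src, dst), set()) else "deny"


def reachable_from(segment, flows=ALLOWED_FLOWS):
    """Segments reachable from a compromised segment, directly or by hopping
    through other segments along allowed flows (breadth-first search)."""
    seen, queue = set(), deque([segment])
    while queue:
        cur = queue.popleft()
        for src, dst in flows:
            if src == cur and dst != segment and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(segment):
    """(segments exposed under this policy, segments exposed in a flat network)."""
    others = set(SEGMENTS.values()) - {segment}
    return len(reachable_from(segment)), len(others)


# Constructed connection log: (src_ip, dst_ip, dst_port).
CONNECTION_LOG = [
    ("10.10.0.5", "10.20.0.10", 443),    # workstation -> app: allowed
    ("10.20.0.10", "10.30.0.10", 5432),  # app -> db: allowed
    ("10.10.0.5", "10.30.0.10", 5432),   # workstation straight to db: not allowed
    ("10.10.0.5", "10.10.0.9", 445),     # workstation -> workstation: not allowed
    ("10.20.0.10", "10.40.0.3", 22),     # app -> backup: not in the allow-list
]


def denied_flows(log):
    """Connections the policy would block; in a SOC these are the alerts to review."""
    return [entry for entry in log if evaluate(*entry) == "deny"]


if __name__ == "__main__":
    for entry in denied_flows(CONNECTION_LOG):
        print("DENY", entry)
    for seg in sorted(set(SEGMENTS.values())):
        print(seg, "exposes", blast_radius(seg))
```

Two things the numbers make visible: intra-segment traffic is denied by default (a segment is not a trust zone, just a smaller one), and allowed flows compose. A workstation compromise still reaches the database segment indirectly through the application tier, so the policy on the app-to-db hop is what actually bounds the damage, which is the argument for reviewing reachability, not just individual rules.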
This perimeter protection is precisely what enabled the Universitat Oberta de Catalunya (UOC), with more than 87,000 online students, to stop the spread of the ransomware attack it suffered in January 2022, right in the middle of the Christmas vacations. The incident, which affected 5 of the organization's 600 servers, blocked its virtual campus for 24 hours. UOC's CISO, Clara Beleña, explains in the podcast how their perimeter protection strategy helped them contain the attack and minimize the impact on their systems and students.
«In addition to 24x7 monitoring, it is key to have a well-parameterized network and to segment groups of servers to minimize the risk of lateral movements. This prevents attackers from jumping from one server to another and distributing malware throughout the network.»
5. Ability to analyze and visualize the environment
It is crucial for companies to possess robust detection systems for devices, network connections and Internet traffic analysis. These systems should be complemented by monitoring through a Security Operations Center (SOC) service that allows any incident to be identified and contained in less time.
To have this vision and control of the entire environment, it is very useful to apply artificial intelligence tools to analyze and record the behavioral profiles of all users who connect within the company. Thanks to this type of solution, a more agile and precise response can be given to the detection of unusual patterns or possible threats. Although adopting this type of strategy goes beyond implementing a technology, machine learning combined with data analytics helps to automate and monitor the cybersecurity of organizations and even to identify sophisticated and previously unseen attacks.
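The behavioral-profile idea above does not require machine learning to be useful; the simplest form is a per-user baseline of when, from where and from which addresses a user normally authenticates, against which new events are scored. The following added example (not code from the podcast, nor any product of the companies mentioned) builds such a baseline from constructed authentication log lines, then flags events in a new batch that fall outside it: a new country, a new source address, an unusual hour, or a burst of failures from one source. The log format, users, addresses (from the documentation ranges) and thresholds are all constructed assumptions.

```python
"""Baseline-and-deviation detection over authentication events.

Added example. The log format, the sample lines and the thresholds are
constructed for illustration; they are not from any real system.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical log format (assumption): one authentication event per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>\w+)$"
)
FAILURE_BURST_THRESHOLD = 3  # failures from one source within a batch

# Constructed history used to learn what "normal" looks like per user.
BASELINE_LOG = [
    "2024-03-04T08:55:00 user=alice src=203.0.113.10 geo=ES result=success",
    "2024-03-05T09:02:00 user=alice src=203.0.113.10 geo=ES result=success",
    "2024-03-06T09:10:00 user=alice src=203.0.113.12 geo=ES result=success",
    "2024-03-04T10:00:00 user=bob src=198.51.100.7 geo=ES result=success",
    "2024-03-05T17:30:00 user=bob src=198.51.100.7 geo=ES result=success",
]

# Constructed new batch to score against the baseline.
NEW_LOG = [
    "2024-03-07T09:05:00 user=alice src=203.0.113.10 geo=ES result=success",
    "2024-03-07T03:12:00 user=alice src=192.0.2.55 geo=US result=success",
    "2024-03-07T03:13:00 user=bob src=192.0.2.55 geo=US result=failure",
    "2024-03-07T03:13:20 user=bob src=192.0.2.55 geo=US result=failure",
    "2024-03-07T03:13:40 user=bob src=192.0.2.55 geo=US result=failure",
    "2024-03-07T10:30:00 user=bob src=198.51.100.7 geo=ES result=success",
]


def parse(line):
    """Turn one log line into a dict; fails loudly on lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["hour"] = datetime.fromisoformat(ev["ts"]).hour
    return ev


def build_baseline(lines):
    """Per-user profile (hours, source IPs, countries) from successful logins only."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set(), "geos": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        profile = base[ev["user"]]
        profile["hours"].add(ev["hour"])
        profile["srcs"].add(ev["src"])
        profile["geos"].add(ev["geo"])
    return dict(base)


def off_hours(hour, usual_hours):
    """True when the hour is more than one hour away from every usual login hour."""
    return all(abs(hour - h) > 1 for h in usual_hours)


def score_event(ev, baseline, failures_by_src):
    """Reasons an event deviates from the user's baseline (empty list = normal)."""
    reasons = []
    profile = baseline.get(ev["user"])
    if profile is None:
        reasons.append("unknown_user")
    else:
        if ev["geo"] not in profile["geos"]:
            reasons.append("new_geo")
        if ev["src"] not in profile["srcs"]:
            reasons.append("new_src")
        if off_hours(ev["hour"], profile["hours"]):
            reasons.append("off_hours")
    if ev["result"] == "failure" and failures_by_src[ev["src"]] >= FAILURE_BURST_THRESHOLD:
        reasons.append("failure_burst")
    return sorted(reasons)


def detect(lines, baseline):
    """Score a batch of lines; returns only the events that carry at least one reason."""
    events = [parse(line) for line in lines]
    failures_by_src = Counter(e["src"] for e in events if e["result"] == "failure")
    alerts = []
    for ev in events:
        reasons = score_event(ev, baseline, failures_by_src)
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The design choice worth noting is that the baseline is learned only from successful logins, so a failed or already-suspicious event never widens what counts as normal, and that each reason is reported separately: an analyst (or a SOC playbook) can weight "new country plus off-hours plus new address" differently from a single new address on a home connection. Real deployments replace the hand-built profile with a larger history window and per-user statistics, but the detection logic is the same shape.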
«'Zero Trust' is an ideal model, but the balance between security and usability must be measured.»
Limitations of Zero Trust
While many organizations aspire to adopt a zero-trust security model, implementing all the aforementioned measures can be a significant challenge for many companies. There are difficulties in applying controls, in making these restrictions compatible with collaborative work, in having the necessary architecture and browsing control, and in having complete visibility of the infrastructure. The UOC's own CISO recognizes that it is a highly effective security model, but difficult to apply in organizations with a large volume of users and very diverse profiles, such as universities.
Eduardo Sánchez Toril shares a similar opinion, stating that the Zero Trust security model is being adopted primarily by companies in the technology sector, critical infrastructures and organizations with a large economic volume. Therefore, according to the cybersecurity expert, it is important to strike a balance between security and usability. He gives a practical example: a financial institution may require the mandatory use of a digital certificate for its transactions. That is an excellent security measure, but the institution must also consider that such a requirement can be a complication and a barrier to interaction with some companies, which may not have the same level of maturity.