The subject of trust is a tricky one to broach in the business world but it’s becoming increasingly important to trust nobody, at least when it comes to network security.
The way we work is rapidly changing. Sure, there are the obvious cases such as employees working remotely but even office spaces have been invaded by foreign devices clamouring to connect to WiFi.
Years ago this would have been unheard of but as company’s embraced a bring-your-own-device way of working, employees began asking for increased connectivity.
This brought about a new way of thinking for companies. Rather than simply securing the perimeter of a business network from cyber threats, businesses had to find ways to secure themselves from inside the network while maintain a level of convenience required for work to continue.
This thinking is called zero-trust networking or zero-trust architecture and it’s best explained by an expert. Luckily for us, we were able to chat to Chantel Cronje, head of security at Wipro Africa.
“The old way of thinking was never trust anything from outside our network and trust everything inside our network. Zero trust is a concept or rather a framework that asks you to change your mindset and rather not trust everything,” says Cronje.
Honestly it sounds a bit harsh and as if it would hamper things but Cronje explains that it’s simply a matter of requiring a person authenticate that they indeed are who they say they are on the network.
Companies are able to employ solutions that make this a bit easier. For example, an IT administrator could assign certain permissions to users and when a user authenticates they are granted those permissions.
Being able to assign permissions to certain users also allows for great clarity when it comes to security. There are solutions on the market that can monitor users and together with artificial intelligence and machine learning, help administrators spot anomalies.
For example, should Bob from human resources suddenly be attempting to access the firm’s accounts from a location in China, the system can alert a manager or administrator to take action.
For businesses, Cronje recommends starting a journey toward zero-trust by asking users to confirm who they say they are. This in turn requires permission to access systems that are required to do their job and in this case Cronje recommends giving folks as little as possible.
“Start with the least privilege and then add or remove privilege as it is required. You should also authenticate every single person or device that accesses your systems,” says Cronje.
Sounds like work
While a zero-trust approach sounds like a lot of work, Cronje says that many companies already apply this concept to their solutions making the work less troublesome but that comes at a cost of course.
“There are many leading providers who have developed frameworks and companies who have implemented zero-trust that you can turn to for help. The reality is that it does take time and money,” the head of security tells us.
We asked Cronje whether it’s worth adopting this approach even if it is costly.
“All it takes is one compromised credential, one user, one weak link. Whether you’re a 10 user organisation, or a 10 000 user organisation dealing with multi-million dollar transactions, all it takes is one weak user to put your entire organisation at risk,” says Cronje.
Companies should be aware of where their data is, who is accessing it and the behaviour of those users in order to lower the risk of a cyberattack crippling the organisation.
Enterprise to SME
On that point we asked Cronje about whether zero-trust is suited for larger organisations or smaller SMEs.
“Our attackers attack for different reasons using different methods. One could be political, another financial, others could even be ‘spray and pray'[attempt to breach a number of targets hoping one falls victim]. An organisation is making money, if it wasn’t it wouldn’t be in business. Every company has ‘Crown Jewels’ whether it’s a snack company’s recipe, or a financial services organisation with millions of Rands running through its systems. Attackers don’t care about the size of your organisation, they want the ‘Crown Jewels’,” Cronje tells us.
“Every organisation should be looking at how not to trust everything. We can’t go back to the ‘trust nothing outside and everybody inside is automatically trusted’ way of thinking,” says Cronje.
Whether you’re an SME or an enterprise then, zero-trust networking is worth a consideration, from what we’ve learned from Cronje, it makes good business sense.[Image – CC 0 Pixabay]