Zero-Trust IT Security

9 Mar 2021 | News

‘Zero-Trust’ is a tough headline. Zero-trust in a world where we trust people all the time is an unpleasant concept.

We trust that when we order a package online, that the vendor will take our order and not just our money, that our product will be passed to a courier that we trust will take care of our product and deliver it safely, and we trust that when it is delivered to our door, that no one will take it before we can collect it.

We trust that when we buy our morning coffee, it won’t just taste the best, but that it will be made hygienically, the cups are clean, and the milk is fresh. When we come to work, we trust that other people will obey the traffic laws, so we’ll be safe. If we are being driven, we trust that the driver knows what they are doing, that they are fresh and alert, rather than recovering a big night the day before.

But with our vital IT systems, we KNOW that cyber-criminals are coming at us literally all the time. They are either hand-crafting attacks at us, or using hyper-scale computing to direct sophisticated tools against us.

As an IT services business, we’re spending more and more of our time focused on keeping clients safe. I continue to be amazed by the organisations that don’t think this is important, even as they see increasing numbers of attacks.

As our Chief Technology Officer, Bill Lunam, showed us at an internal exercise the other day, we’re diligent at locking the physical doors, applying deadlocks and turning on the alarm, even though we’ve all seen relatively few of these incidents. By contrast, even though we’re seeing and reading about IT security events continually, from phishing and whaling to intercepted emails, many businesses remain reluctant to step up their data protection.

It’s madness!

 

Forrester Research tell us that we should always be assuming a breach, never trusting anything and always verifying. While we can, and we must, use tools to assist us, the number one risk remains people, and how we behave.

We have to ensure our processes are secure, for example checking emails – especially financial ones – are from the person we think, and we warned recently of one stunning local story – https://www.kinetics.co.nz/bank-account-fraud

For example, when you access a web URL link, how can you be sure it is genuinely who you think it, or that the site is not infected with malware? Whether someone has forwarded you the link by email, or through social media, or you’ve found it in an online search, how can you be sure it’s safe?

Tools like the URL curation we include in KARE for Security help you identify potential risks – ironically, a search on Zero-Trust itself resulted in at least one ‘dodgy’ site which, as expected, our KARE URL curation software warned us about.

The Cloud changes security risks

Before the cloud, we could protect an organisation by focusing on the corporate firewall and scanning emails. Today, things have changed. We are working from anywhere, especially from home in this Covid-world.

The PC we use might be shared by other family members. It might be as likely to be used for your business emails and tools as it is for online ordering and click and collect shopping. You are accessing tools from your phone, and both that and your PC might also have your personal email, your social media, a personal file-sharing tool. You might be part of a community organisation that shares work on their own platform.

The idea that we can filter that non-work material work out seems impractical to me, so it makes sense that the end-point – phone or PC – needs to be our focus.

  • Check that all the email services you use are ‘washed’ – ideally with an ATP tool
  • Take inventory the tools you have on your PC & phone and remove the ones you don’t need
  • Don’t trust social media content (honestly – this one seems pretty obvious, but that can extend to links on mainstream media sites as well)
  • Protect the BUSINESS tools by keeping all your work content on secure work platforms only – don’t share work file content with personal accounts such as Dropbox.
  • Keep your own devices encrypted (e.g. with KARE for Security)

We’re keeping up our commitment to help you minimise your risk with KARE for Security and we’re now stepping that up with a more intense plan called KARE for Security 2 to add further layers of protection including many of the new Microsoft 365 data protection tools.

Reference :A Practical Guide To A Zero Trust Implementation (forrester.com)