Over the past year, there have been a number of successful ransomware attacks that have made online security a hot topic across the globe.
In fact, just recently it was reported that Advanced, a technology vendor that provides the architecture for services such as patient check-in and NHS 111, fell victim to a ransomware attack in August 2022. Whilst the investigation is still ongoing, Advanced predicts that it may take several months to get some of its services back online. Therefore, instead of focusing on patient care, doctors are having to manually process mounting piles of medical paperwork which is of course time consuming, arduous, and inefficient.
However, it appears that Advanced are taking the security lessons in their stride and looking to bounce back from this incident. According to a statement, Advanced said they were “rebuilding and restoring impacted systems in a separate and secure environment” by “implementing additional blocking rules and further restricting privileged accounts for Advanced staff” and “conducting 24/7 monitoring.” These are key principles of a Zero Trust Architecture. While Advanced probably had elements of Zero Trust beforehand, it is reassuring to see them reinforce this network architecture when faced with a paralysing ransomware attack. Here I explore how Zero Trust principles can be applied to organisations’ existing security architecture to prevent similar attacks and reduce risk.
HOW ZERO TRUST WORKS
Zero Trust is a network security model based on a philosophy that no user or device is trusted to access a resource until their identity and authorisation are verified. This process applies to those normally inside a private network, like an employee on a company computer working in the office, remotely from home or on their mobile device while at an offsite conference. It also applies to every person or device outside of the core network. It makes no difference if you have accessed the network before or how many times — your identity is not trusted until verified each time. The idea is that you should assume every machine, user, and server to be untrusted until proven otherwise.
While this may sound difficult to implement, Zero Trust is not about forgetting the IT and security assets you have and starting anew, nor is it about locking down systems so strongly that they become difficult to use.
Instead, the Zero Trust approach to network security relies on three core principles:
1) All networks are untrusted: every machine, user, and server should be untrusted until proven otherwise.
2) A rule of least privilege access must be enforced: a user has the minimum levels of access or permissions needed to perform their job.
3) You must ‘assume breach’: inspect and monitor everything.
Traditional remote access technologies, like VPN, rely on antiquated trust principles where everyone outside of the network perimeter was “bad” and everyone inside was “good”. Moreover, when you connected via VPN you were then inside the network and “trusted”. This approach overlooked threats that managed to compromise the endpoint and get inside the network where the bad actors were then free to move around, accessing resources and high-value assets like customer data — or launching a ransomware attack.
So, what does Zero Trust look like in practice? Zero Trust promotes explicit policies, such as multi-factor authentication (MFA), which are informed by signals coming from users, devices, and networks, such as authentication received from a third-party app.
BUILDING ON AN EXISTING FOUNDATION
It’s important to not think of Zero Trust as one discrete technology. Rather, a Zero Trust architecture (ZTA) using a variety of different technologies and principles to address common security challenges through preventive techniques. These technologies include identity verification, access control, resource protection, policy and orchestration, and monitoring and analytics. In a ZTA, many of these solutions are pulled together into single sign-on capabilities which make it easier for users to log on. In terms of access control, organisations often have all-to-all connectivity as a default mode. These processes facilitate an environment where each device can exchange any data directly with every other device. However, organisations should instead consider establishing an environment where identities are individually verified and access is mediated, logged, and analysed to reduce vulnerability.
The first step of implementing a ZTA is to start with a maturity assessment to figure out where an organisation is and where it needs to be. However, most companies don’t have to start from scratch and can build on an existing infrastructure where a lot of the technologies that are needed to get to Zero Trust are already in place. In the case of data/resource protection, organisations would need to have data encryption (at rest and in transit), data classification, data asset classification and sensitivity analysis, data leakage prevention (DLP), and file integrity monitoring (FIM).
The Advanced hack exposes the vulnerability of our critical services to attacks. The disruption will likely have a longstanding impact. The build up of huge volumes of medical paperwork and backlogs will likely take months to process. Unfortunately in today’s climate, it’s not a case of “if” but “when” ransomware attack attempts will occur. With a Zero Trust model, companies are able to stay protected from online dangers as they build resiliency into their networks. By implementing authentication and segmentation rules, as well as carefully monitoring all network activities, companies can arm themselves with the right tools against ransomware and other emerging threats.
About the Author
Richard Meeus is Director of Security Technology & Strategy EMEA at Akamai Technologies. Richard Meeus is Akamai’s EMEA Director of Security Technology and Strategy. With more than 20 years of experience, Richard is responsible for designing and building secure solutions for some of the world’s most influential organisations. Richard is an industry expert in cloud computing, enterprise software, and network security. During his time at Akamai, Mirapoint, and Prolexic, Richard has had held strategic roles across a broad range of projects, including the deployment of DDoS solutions for multinational organizations to protect critical infrastructure and sensitive data. Additionally, Richard is a chartered member of the BCS and a CISSP.
Featured image: ©Andrii Yalanskyi