The sophisticated security problem
How easy is it to lose information? Perhaps all you need to do is lose a binder – a physical set of documents. This happened recently at a Canadian health department, which confessed it couldn’t locate a binder containing the information of over 3 000 people. Worse still, it hadn’t been able to find this binder since January 2018…
One binder can compromise thousands. A digital attack makes that example pale: in 2014, a single person in South Korea copied (and sold) the details of over 20 million credit card accounts onto a USB thumb drive, covering more than half the people in that country, including the prime minister at the time.
The simple fact is that stealing digital assets is easy and, despite adding layers of sophisticated counter-measures against it, cyber crime has never been more lucrative – more so than illicit drugs or arms trades. There are criminal organisations as large and elaborate as modern technology providers, but instead of making money from selling technology, they use technology to plunder the digital world.
Why is this still a serious problem? Why are we not getting on top of the cyber crime epidemic? Martin Kioko, Westcon Comstor’s Channel Manager for Cybersecurity and Next Generation Solutions, puts much of the blame on the lackadaisical attitudes of users: “Cyber crime is worse because people leave their data online without taking the necessary measures to protect it. The ignorance and lack of drive to learn how to protect data is alarming. Organisations also do not practise data hygiene. Most of their data is not even secured. Currently, it is imperative that the data is authenticated and there be laws and policies in place to ensure that.”
We’re the problem
He takes the argument further: many organisations fail to get their security ducks in a row because they do not hold their employees to the routine behaviours that security depends on.
That being said, the people who should know better often don't act like it. During the fallout from the massive Equifax breach in the US (which exposed 147 million people's information), a separate Equifax employee portal in Argentina was found to be protected by the username and password combination admin/admin. The breach itself came through a publicly known, unpatched vulnerability in the Apache Struts web framework: a different lapse, but one of the same kind, basic hygiene left undone.
This reluctance to adopt basic security hygiene has prompted organisations to deploy ever more sophisticated security systems to remedy the problem. But Kioko says this is also risky: “Cyber criminals thrive on complicated environments because those give them more opportunities to get in, hide and probe the environment. It’s not the sophistication of the technology but instead how they complicate things. Different security solutions don’t always complement each other, and you can have issues such as too many false positives that overwhelm the security staff. More isn’t better. You have to know what you are protecting and then focus on those priorities.”
Yet every organisation has a lot of priorities and getting everything into a single view is extremely difficult, if not outright impossible. This has given rise to more direct interventions that can impact the entire data environment. One of these, zero trust, takes no chances.
Trust is a dangerous idea in the digital world. You can’t trust employees to have a good password or your service providers not to be compromised. But in a connected world, data travels further and wider than we’ve ever imagined. If you look at it realistically, it’s impossible to rely on trust across a digital chain, especially since one small mistake can let the bad guys in.
Kioko is a big supporter of zero trust, a security design philosophy that treats no user, device or network location as trusted by default and verifies every request for access on its own merits. A zero trust environment automates the enforcement of good security habits as far as possible, for example by requiring users and devices to authenticate for each access rather than once at the network edge. Other techniques include anomaly detection (automated spotting of strange behaviour in the system or among users) and encryption.
A cornerstone of this approach, though not exclusive to zero trust, is end-to-end security. The label is loosely applied to many different security products, but it names a specific technique, end-to-end encryption, in which data is encrypted by the sender and can be decrypted only by the intended recipient.
“End-to-end security means encryption from entry to exit,” Kioko explains. “The data is secured in such a way that there’s no interception. End-to-end security is a system of communication where only communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecoms providers, Internet providers and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation.”
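The exchange Kioko describes, as an added example that is not part of the original article: two endpoints share a key that the relay in the middle (standing in for the telecoms or messaging provider) never holds, so the relay can forward, store or tamper with messages but cannot read them. The shared key is assumed to have been agreed out of band; a real messenger derives it with an authenticated key exchange such as X25519. The cipher is a standard-library-only stand-in for a real AEAD (AES-GCM or ChaCha20-Poly1305): HMAC-SHA256 used as a PRF in counter mode for confidentiality, with a separately derived HMAC key for integrity (encrypt-then-MAC). Names such as `seal`, `open_` and `Relay` are this example's own.

```python
"""End-to-end encryption through an untrusted relay (added example).

Stand-in construction: HMAC-SHA256 in counter mode as the keystream, plus an
HMAC-SHA256 tag over nonce||ciphertext under a separate key. In production use
a vetted AEAD and an authenticated key exchange; the point here is only that
the relay never has a key.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into distinct encryption and MAC keys."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master)
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)  # never reuse a nonce under the same key
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_(master: bytes, message: bytes) -> Optional[bytes]:
    """Verify the tag in constant time, then decrypt. None on any failure."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master)
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


class Relay:
    """The service provider: stores and forwards opaque bytes, holds no key."""

    def __init__(self) -> None:
        self.mailbox: List[bytes] = []

    def accept(self, message: bytes) -> None:
        self.mailbox.append(message)

    def deliver(self) -> List[bytes]:
        return list(self.mailbox)

    def what_it_sees(self) -> List[str]:
        # All the provider can log or hand over: hex of nonce||ciphertext||tag.
        return [m.hex() for m in self.mailbox]


def demo(tamper: bool = False) -> List[Optional[bytes]]:
    """Alice -> relay -> Bob. With tamper=True the relay flips one ciphertext bit."""
    shared_key = os.urandom(32)  # assumed to exist only on Alice's and Bob's devices
    relay = Relay()
    relay.accept(seal(shared_key, b"Q3 figures attached"))  # constructed message
    delivered = relay.deliver()
    if tamper:
        modified = bytearray(delivered[0])
        modified[NONCE_LEN + 2] ^= 0x01  # inside the ciphertext region
        delivered[0] = bytes(modified)
    return [open_(shared_key, m) for m in delivered]


if __name__ == "__main__":
    print("intact:  ", demo())
    print("tampered:", demo(tamper=True))
```

Running it shows the intact message decrypting on Bob's side and the tampered copy rejected outright, while the relay's view (`what_it_sees`) is only hex. Note what this does not cover: the endpoints themselves. If Alice's device or account is compromised, the attacker reads the plaintext before it is sealed, which is the gap the rest of the article turns to.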
But there is a chink in end-to-end's armour: the aforementioned poor security hygiene found among users at all levels. Encryption protects data between the endpoints, not against a legitimate account that has been phished or a device that has already been compromised. This is where zero trust steps in. Zero trust assumes the worst may have happened and acts accordingly. For example, if a CEO's account starts sending out company statements at 3am, or the PA's account takes an unusual interest in customer databases, zero trust flags that as strange and then enforces the appropriate policies, such as locking down those accounts.
Zero trust focuses on ‘protect surfaces’, the small areas containing the most critical data and other digital assets. It then enforces several layers of policy that do not assume trust in whoever, or whatever, interacts with them. Multi-factor user authentication and granular access controls are typical elements of a zero trust approach.
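The two scenarios above (the CEO's account sending statements at 3am, the PA's account probing the customer database) and the protect-surface policies of this paragraph, worked through as an added example that is not part of the original article. It is a minimal policy decision point: each request is checked against least-privilege grants for the role, then against the protect-surface requirements (MFA and a managed device), and finally against a behavioural baseline so that a valid credential behaving strangely is still treated as suspect. The resources, roles, baseline and the key=value audit lines are all constructed for illustration.

```python
"""Minimal zero trust policy decision point (added example).

Decisions: allow, step_up_mfa, deny, lock_account. Every request is judged
on its own merits; nothing is trusted because of where it comes from.
Resources, roles, baseline and log lines below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Protect surfaces: the assets whose loss would hurt most (assumed labels).
PROTECT_SURFACES: Dict[str, str] = {
    "customer_db": "high",
    "finance_statements": "high",
    "wiki": "low",
}

# Least-privilege grants per role (assumed). Anything not listed is not allowed.
ROLE_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "ceo": {"finance_statements": {"read", "send"}, "wiki": {"read", "write"}},
    "pa": {"wiki": {"read", "write"}},
}

# Constructed behavioural baseline: usual working hours and resources per user.
BASELINE = {
    "ceo": {"hours": range(7, 20), "resources": {"finance_statements", "wiki"}},
    "pa": {"hours": range(8, 18), "resources": {"wiki"}},
}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    hour: int  # hour of day, 0-23
    mfa: bool
    managed_device: bool


def parse_log_line(line: str) -> Request:
    """Parse a constructed 'key=value' audit line into a Request."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Request(
        user=fields["user"],
        role=fields["role"],
        resource=fields["resource"],
        action=fields["action"],
        hour=int(fields["hour"]),
        mfa=fields["mfa"] == "yes",
        managed_device=fields["device"] == "managed",
    )


def anomalies(req: Request) -> List[str]:
    """Compare a request with the user's baseline and report what looks off."""
    base = BASELINE.get(req.user)
    if base is None:
        return ["no baseline for user"]
    found: List[str] = []
    if req.hour not in base["hours"]:
        found.append(f"off-hours activity at {req.hour:02d}:00")
    if req.resource not in base["resources"]:
        found.append(f"unusual interest in {req.resource}")
    return found


def evaluate(req: Request) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for one request."""
    # Unknown resources are treated as high sensitivity: default to distrust.
    sensitivity = PROTECT_SURFACES.get(req.resource, "high")

    # 1. Least privilege: the role must be explicitly granted this action.
    allowed = ROLE_GRANTS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        return "deny", [f"role {req.role} not granted {req.action} on {req.resource}"]

    # 2. Protect surfaces demand strong authentication and a managed device.
    if sensitivity == "high":
        if not req.mfa:
            return "step_up_mfa", ["protect surface requires MFA"]
        if not req.managed_device:
            return "deny", ["protect surface requires a managed device"]

    # 3. Assume breach: a valid credential behaving strangely is still suspect.
    odd = anomalies(req)
    if odd and sensitivity == "high":
        return "lock_account", odd
    if odd:
        return "step_up_mfa", odd
    return "allow", []


# Constructed audit lines mirroring the scenarios in the text.
SAMPLE_LOG = [
    "user=ceo role=ceo resource=finance_statements action=send hour=3 mfa=yes device=managed",
    "user=pa role=pa resource=customer_db action=read hour=10 mfa=yes device=managed",
    "user=ceo role=ceo resource=finance_statements action=read hour=11 mfa=no device=managed",
    "user=pa role=pa resource=wiki action=read hour=10 mfa=yes device=managed",
]


def decide_all(lines: List[str]) -> List[str]:
    return [evaluate(parse_log_line(line))[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        decision, reasons = evaluate(parse_log_line(line))
        print(f"{decision:13s} {line}  {reasons}")
```

The ordering matters: the PA's request for the customer database is denied on least privilege before any anomaly scoring runs, the CEO's 3am send passes authentication and authorisation yet is still locked because it departs from the baseline on a protect surface, and a missing second factor on a high-sensitivity resource produces a step-up rather than an outright block. A resource the policy has never heard of is treated as high sensitivity, so forgetting to classify something fails closed.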
“I support zero trust because it addresses several important elements of a secure environment. It forces the company to recognise what its most valuable data assets are and ensures that only the appropriate behaviours are allowed. It also secures the end-points, which are the most vulnerable in an encrypted environment. It doesn’t assume that someone hasn’t already breached your systems and, as such, is always suspicious of activities that are otherwise overlooked.”
Users are a critical component of good security and zero trust is not an attempt to eliminate them. But we have to admit that the sophistication and complexity of security today is beyond the scope of users. Reducing that complexity is a tall order. Yet creating a suspicious digital environment is a much more attainable goal. Just because you’re paranoid, it doesn’t mean they aren’t out to get you. A paranoid security environment built from zero trust and end-to-end encryption may just be your greatest ally.