By Adam Stern | Mission Critical
It’s time for an enlightened cyber security policy.
The principle of Least Privilege… promotes minimal user profile privileges on computers, based on users’ job necessities. Each system component or process should have the least authority necessary to perform its duties. This helps reduce the attack vector of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises.
University of Indiana knowledge base
A Zero Trust architecture abolishes the idea of a trusted network inside a defined corporate perimeter. Zero Trust mandates the creation of micro-perimeters of control around an enterprise’s sensitive data assets and provides visibility into how it uses data across its ecosystem to win, serve, and retain customers.
It’s not really like Johnny Carson’s ‘60s-era TV game show, “Who Do You Trust?”
While perceived threats and vulnerabilities are assumed to exist outside the firewall, truly effective security policies assume nothing. The conventional wisdom once held that everyone inside the network was trusted and everyone outside was not. The newer, more enlightened paradigm for security is “more trusted” and “less trusted” — and that’s where the principles of Least Privilege and Zero Trust come into play.
In savvy organizations, Least Privilege applies to every employee. Encryption is the rule internally, and multifactor authentication to log into every networking component and storage system is mandated; no one can delete a snapshot or burrow into the firewall.
The upside is clear: since all user data is inside the network, there’s no need to sweat issues like internal encryption — the hosting provider has already handled it. And that extends to the rights conferred on users, including, for example, their ability to use home equipment on an office network.
In theory, every hosting provider ought to embrace this essential methodology. The fact is, not everyone does. But those who do embrace it benefit from the simple fact that no single actor can shut down the system, whether through error, carelessness or malign intent. Vigilance, through smart policies and procedures, really does prevent outages.
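As an added illustration that is not from the article or its author, the policy described above (role-based grants, deny by default, multifactor login for every networking and storage component, and a standing rule that no one can delete a snapshot) can be encoded as a small authorisation check; the roles, actions and principal names below are constructed for the example.

```python
"""Deny-by-default, least-privilege authorisation check (constructed example).

A principal may perform an action only if a role they hold explicitly grants
it, no explicit deny matches, and management-plane actions were requested
from an MFA-verified session.  Anything not granted is refused.
"""
from dataclasses import dataclass

# Constructed sample policy: role -> actions that job actually needs.
# No wildcards: each role lists only what it requires.
ROLE_GRANTS = {
    "backup-operator": {"snapshot:create", "snapshot:list"},
    "network-admin":   {"firewall:read", "firewall:update"},
    "auditor":         {"snapshot:list", "firewall:read", "audit:read"},
}
# Explicit denies override every grant ("no one can delete a snapshot").
GLOBAL_DENY = {"snapshot:delete"}
# Management-plane actions that require an MFA-backed login.
MFA_REQUIRED_PREFIXES = ("firewall:", "snapshot:")


@dataclass
class Session:
    principal: str
    roles: set
    mfa_verified: bool = False


def is_allowed(session, action):
    """Return (allowed, reason); the default answer is deny."""
    if action in GLOBAL_DENY:
        return False, "explicitly denied for everyone"
    if action.startswith(MFA_REQUIRED_PREFIXES) and not session.mfa_verified:
        return False, "MFA required for management-plane action"
    for role in sorted(session.roles):
        if action in ROLE_GRANTS.get(role, set()):
            return True, f"granted by role {role}"
    return False, "no role grants this action"


def excess_privileges(roles_held, job_needs):
    """Actions the held roles confer beyond what the job needs (audit view)."""
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles_held))
    return sorted(granted - set(job_needs))
```

The audit helper answers the auditor's question "what do you need to do your job?" by listing every grant that exceeds the stated need.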
So why aren’t Least Privilege and Zero Trust the new normal?
There’s unquestionably a learning curve here, along with perhaps some resistance to a notion that is both unfamiliar and, at first blush, counter-intuitive — at least where the jargon is concerned. An implicit message of “trust no one” would appear to be something less than a confidence builder within the organization. It feels binary — our team, the other team. Or as Robert De Niro put it in “Meet the Parents,” you’re either inside the Circle of Trust or you’re decidedly outside.
Except that in this case, there’s nothing personal about Least Privilege and Zero Trust. Quite the contrary: those inside the firewall are infinitely better off for the presence of these policies, and here’s why: they’re designed to protect everyone.
Auditors — who, as a group, are notorious for erring on the side of caution — have long wanted to limit network privileges based on the roles of those within that circle. They’re the ultimate enforcers of need-to-know. “What do you need to do your job?” is another way of saying that anyone can trip over gratuitous rights. Least Privilege principles keep people in their lane for their own good, no matter how patronizing that may sound.
As Gresham Harkless, blogger-in-chief for CBNation puts it, “the Zero Trust model of network security has been … spurred on by the constant barrage of cyber threats that seem to continually break through traditional security measures. Many businesses are recognizing that the ‘trust but verify’ model often fails to stop cyber threats. Zero Trust instead says that we must ‘verify and never trust.’”
I agree with Russell Walker, CISO for Mississippi’s Secretary of State, who recently told Cyber Security Hub that the game has changed, irrevocably. “The perimeter in the traditional sense has disappeared,” he said. “The network itself is no longer a static environment we can put barriers around, have a guard at the gate and say, ‘Now we are protected.’” He’s also right to underscore that Zero Trust and Least Privilege aren’t merely technologies and policies. They truly do involve “changing the way IT staff and end-users think and approach their environment.”
And not a moment too soon.