Oct 11 2022

Insiders May Be the Biggest Zero-Trust Threat

Whether accidental or deliberate, damage can be caused by people who have legitimate access to your systems. Here’s how to mitigate it.

The invisible moat that once protected a federal agency’s digital assets from outsiders no longer exists. Distinct firewalls vanished with the advent of cloud-based technology; employees working remotely are no longer logging in from their protected desktops.

Zero-trust security environments are meant to solve that problem, requiring users to prove their identities before they’re allowed access. However, once an approved user is admitted to a government network, that person can still cause damage, intentionally or not.

Insider threats, more than half of which are caused by negligence, according to the Ponemon Institute, may become a larger problem inside zero-trust environments. Agencies, in turn, must become even more sophisticated about identity management.

Malicious actors recently have been able to breach private sector companies that failed to set up multifactor authentication properly or have not updated their legacy environments to support long-term remote work.

More important, most remote employees don’t monitor the home networks they use to connect to the work environment once they’re done for the day. Their work rhythms also may have dramatically changed: An employee might break up a remote day to pick up the kids at 3 p.m. and to work out at 5 p.m., then go back to work later in the evening.


Why a Dynamic Zero-Trust Approach Is a Must

Enterprises have adapted to irregular work patterns over the past two years, but that also removes some control, including the ability to identify workers by their hours or location. It also moves the worker a step further from built-in agency network controls.

This is why zero trust must be dynamic in the way it identifies permitted users. If a remote employee is accessing a SharePoint document and just downloading a few small items, the way he might have in the physical office, it’s probably OK. However, if that same employee downloads gigabytes worth of data, does it more than once and it’s not part of his normal work duties, that’s a red flag.


Not all agencies have gone that granular on identity verification; however, they’re still trying to catch up to the security issues triggered by the pivot to remote and hybrid work. In some cases, systems set up during the spring of 2020 on an emergency basis may not have been set up correctly, or a rule may have been misapplied. Since the capability continues to work, they let it ride.

Insider threats, whether they’re malicious or not, often depend on flaws like that. The attacker takes advantage, or the unwitting worker triggers something that causes problems.

So, agencies must get particular in the way they look at users, defining the legitimate access needs of each employee and providing an efficient method of enforcing the decisions and policies that apply to those users. Those can include lockout periods or temporary restrictions on data accessibility.

They may also begin to use artificial intelligence or automation to monitor behavior patterns and trigger alarms when something unusual happens.

What Security Measures Should Your Agency Implement?

User behavior analytics is a common method of analyzing behavior over time to see what’s proper and what’s not, assigning a risk score to each individual so that the system can alert analysts. This can also be applied to third-party cloud services, which also can be vulnerable if not properly monitored.
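A toy version of the behavior scoring described here and in the SharePoint example above, added as an illustration rather than taken from the article or any product: each user's earliest days form a baseline, later days far above it count toward a risk score, and an alert fires only when the anomaly repeats. The log format, user names, byte counts and thresholds are all constructed.

```python
"""Toy user-behavior-analytics scorer (added example, not FedTech's code).
Baseline = each user's first few days; later days far above it are anomalies,
and an alert fires only when the anomaly repeats, as in the SharePoint example.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample access log lines: "<date> <user> download <bytes>"
SAMPLE_LOG = """
2022-09-01 alice download 2000000
2022-09-02 alice download 3000000
2022-09-03 alice download 1500000
2022-09-04 alice download 2500000
2022-09-05 alice download 4000000000
2022-09-06 alice download 6000000000
2022-09-01 bob download 50000000
2022-09-02 bob download 70000000
2022-09-03 bob download 60000000
2022-09-04 bob download 5000000000
""".strip().splitlines()

def daily_totals(lines):
    """Sum bytes downloaded per user per day from the log lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, user, action, nbytes = line.split()
        if action == "download":
            totals[user][day] += int(nbytes)
    return totals

def risk_scores(lines, baseline_days=3, ratio=10, repeat=2):
    """Return {user: (score, alert, anomalous_days)}.
    score = number of post-baseline days above ratio x the user's own mean;
    alert = True once that has happened `repeat` times (one spike is review-only).
    """
    result = {}
    for user, per_day in daily_totals(lines).items():
        days = sorted(per_day)                      # baseline is the earliest days
        baseline = mean(per_day[d] for d in days[:baseline_days])
        anomalous = [d for d in days[baseline_days:] if per_day[d] > ratio * baseline]
        score = len(anomalous)
        result[user] = (score, score >= repeat, anomalous)
    return result

if __name__ == "__main__":
    for user, (score, alert, days) in risk_scores(SAMPLE_LOG).items():
        print(f"{user}: score={score} alert={alert} anomalous_days={days}")
```

In the sample, alice's two multi-gigabyte days trip the alert while bob's single spike only raises his score, which is the distinction between a one-off and a pattern that an analyst would want surfaced.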

What do you need on your system to make this work? For one, strip out VPNs. Once you’re connected via a VPN, you’re always connected, and that doesn’t pass muster in a zero-trust environment.

Next, understand that two-factor authentication isn’t enough. Once you’re authenticated via a code delivered to your phone, no one checks on you again unless you log out. In a zero-trust environment, the system is consistently re-validating that you are who you are and that you’re supposed to have that access.


Ask these questions: Do you have something enforcing general data protection? Do you have something enforcing incident response policy methodology? Do you have something looking at third-party access policies, account management, user management and even standard password management?

Those systems that ask users to change their passwords every 90 days aren’t necessarily the most effective. Many users just change their passwords by one character when required, so they can more easily remember it.

If a password is compromised before it is changed — which is entirely possible, since many people use the same password for a host of sites — a random scan through a password cracker will find it easily. Prevent intrusion by deploying and properly configuring Active Directory, endpoint protection, intrusion prevention, web filtering, traffic monitoring and spam filtering.

Zero-trust uses the combined capability of multiple hardware appliances, software appliances and policies. Still, it takes people to ensure its proper application. We’re not there yet, especially when it comes to protecting against insider threats.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
