Why a Dynamic Zero-Trust Approach Is a Must
Enterprises have adapted to irregular work patterns over the past two years, but that adaptation also removes some of the control they once had, including the ability to recognize legitimate workers by their hours or their location. It also moves the worker a step further from the network controls built into the agency's own environment.
This is why zero trust must be dynamic in the way it identifies permitted users: what a user is doing right now matters as much as who the user is. If a remote employee is accessing a SharePoint document and downloading a few small items, the way he might have in the physical office, it's probably fine. However, if that same employee downloads gigabytes of data, does it repeatedly, and it isn't part of his normal duties, that's a red flag.
Not all agencies have gone that granular on identity verification; many are still trying to catch up to the security issues triggered by the pivot to remote and hybrid work. In some cases, systems set up on an emergency basis in the spring of 2020 were never configured correctly, or a rule was misapplied. Because the capability continues to work, they let it ride.
Insider threats, whether they’re malicious or not, often depend on flaws like that. The attacker takes advantage, or the unwitting worker triggers something that causes problems.
So, agencies must get granular in the way they look at users, defining the legitimate access needs of each employee and providing an efficient method of enforcing the decisions and policies that apply to those users. Those can include lockout periods or temporary restrictions on data accessibility.
They may also begin to use artificial intelligence or automation to monitor behavior patterns and trigger alarms when something unusual happens.
What Security Measures Should Your Agency Implement?
User behavior analytics is a common method of analyzing behavior over time to learn what is normal for each individual and what is not, assigning each a risk score that rises as activity drifts from that baseline. This lets the system alert analysts before a transfer completes rather than after. The same approach can be applied to third-party cloud services, which are also vulnerable if not properly monitored.
What do you need on your system to make this work? For one, retire the traditional remote-access VPN. A VPN authenticates the user once and then grants the client broad network reachability for as long as the tunnel is up; that standing access doesn't pass muster in a zero-trust environment, where each request to each resource is authorized on its own.
Next, understand that two-factor authentication on its own isn't enough. A code delivered to your phone proves who you are at the moment you log in, and nothing checks again until you log out. In a zero-trust environment, the system keeps re-validating, on every request or at short intervals, that you are who you claim to be and that you are still supposed to have that access; session age, device posture and the behavioral risk score all feed that decision.
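The two ideas above, a per-user behavioral baseline that produces a risk score and an access decision that is re-run on every request rather than once at login, fit together in a few dozen lines. The following is an added illustration written for this page, not code from FedTech or from any agency deployment; the events, the scoring curve and the thresholds are all constructed assumptions.

```python
"""Added example: behaviour baseline -> risk score -> per-request decision.

All sample data below is constructed for illustration. The baseline for a
user is the median of that user's own earlier daily download volume, which
stands in for "normal work duties"; the score grows with the ratio of
today's volume to that baseline. The decision function is meant to be
called on every request (or every few minutes), not only at login.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Download:
    user: str
    day: int   # constructed day index; 1 = first observed day
    size: int  # bytes transferred out


MB, GB = 1_000_000, 1_000_000_000

# Constructed telemetry: alice stays near her baseline, bob pulls gigabytes.
EVENTS = (
    [Download("alice", d, 2 * MB) for d in range(1, 6)]
    + [Download("alice", 6, 3 * MB)]
    + [Download("bob", d, 2 * MB) for d in range(1, 6)]
    + [Download("bob", 6, 1 * GB), Download("bob", 6, 2 * GB)]
)


def daily_totals(events):
    """Sum bytes per user per day: {user: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e.user][e.day] += e.size
    return totals


def risk_score(events, user, day):
    """Risk 0..100 for `user` on `day`, measured against that user's own
    median daily volume on earlier days. A user with no history cannot be
    baselined and is scored a cautious 50 (an assumed default)."""
    history = daily_totals(events)[user]
    prior = [v for d, v in history.items() if d < day]
    if not prior:
        return 50.0
    ratio = history.get(day, 0) / max(median(prior), 1)
    # Assumed curve: ratio 1 -> 0, ratio 2 -> 25, ratio >= 5 -> 100.
    return max(0.0, min(100.0, (ratio - 1) * 25))


def decide(risk, session_age_s, max_session_s=900):
    """Per-request policy decision. Thresholds are assumptions:
    'deny' on high risk, 'step_up' (re-prove identity) on moderate risk or
    a session older than max_session_s, otherwise 'allow'."""
    if risk >= 75:
        return "deny"
    if risk >= 25 or session_age_s > max_session_s:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    for user in ("alice", "bob"):
        r = risk_score(EVENTS, user, day=6)
        print(f"{user}: risk={r:5.1f} decision={decide(r, session_age_s=60)}")
```

Note that the decision is a function of the current risk and the current session age, so a session that was approved at login is re-evaluated on every call and can be downgraded mid-session; that is the property a one-time MFA check lacks. In production the baseline would come from a UEBA product or SIEM rather than an in-memory list, and the thresholds would be tuned per role.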
Ask these questions: Do you have something enforcing general data protection? Do you have something enforcing incident response policy methodology? Do you have something looking at third-party access policies, account management, user management and even standard password management?
Systems that force users to change their passwords every 90 days aren't necessarily the most effective. Many users change a single character when prompted so the password stays easy to remember, which means the new password is a trivial variant of the old one.
If a password is compromised before it is changed, which is entirely possible, since many people reuse the same password across a host of sites, a cracker that applies standard mangling rules to the leaked value (append a digit, bump the year, swap the trailing symbol) will find the variant almost immediately. Prevent intrusion by deploying and properly configuring Active Directory, endpoint protection, intrusion prevention, web filtering, traffic monitoring and spam filtering.
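A password-change check that actually closes the "change one character" loophole rejects a new password when it shares a stem with the old one, when it is within a few edits of it, or when it appears in a known-breached list. The following is an added example written for this page, not a FedTech or Active Directory policy; the breached-password set and the distance threshold are constructed assumptions.

```python
"""Added example: rejecting trivial password rotations.

Assumed policy (not from the article): a new password is refused if it is
identical to the old one, appears in a breach list, reduces to the same
stem as the old one once trailing digits/symbols and case are removed, or
is within `min_distance` edits of the old one.
"""
import re

# Constructed breach list for illustration; a real check would query a
# breach corpus (e.g. by hash prefix) rather than an inline set.
BREACHED = {"password1", "summer2023", "welcome1"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Apply the mangling a cracker would undo: drop trailing digits and
    symbols and lowercase, so Summer2023! and Summer2024? both -> summer."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def reject_reason(old: str, new: str, min_distance: int = 4):
    """Return None if `new` is acceptable, else a short reason string."""
    if new == old:
        return "same"
    if new.lower() in BREACHED:
        return "breached"
    if stem(new) == stem(old):
        return "same stem"
    if levenshtein(old, new) < min_distance:
        return "too similar"
    return None


if __name__ == "__main__":
    old = "Summer2023!"
    for candidate in ("Summer2024!", "Summer2023?", "password1",
                      "Wintre2023!", "correct horse battery staple"):
        print(f"{candidate!r}: {reject_reason(old, candidate) or 'accepted'}")
```

The stem comparison is the part that matters most in practice: it catches the year bump and the symbol swap that a pure edit-distance rule with a small threshold would also catch, but it does so regardless of how long the password is, which keeps long passphrases from being rejected for a legitimate small change.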
Zero trust uses the combined capability of multiple hardware appliances, software appliances and policies. Still, it takes people to ensure its proper application. We're not there yet, especially when it comes to protecting against insider threats.
This article is part of FedTech's CapITal blog series.