Worldr CEO Max Buchan explains the growing need for zero trust security on Sky News

How zero trust security holds the answer to insider threat

The castle-and-moat approach to security is no longer relevant in the age of cloud computing and hybrid work. Here’s why you need zero trust instead.

October 13, 2022

For decades, the castle-and-moat model was the standard in network security. Organizations would largely dedicate their information security budgets to perimeter defense systems, such as network firewalls and intrusion detection and prevention.

The problem with this approach is that it’s no longer relevant in most use cases. The notion of a secure perimeter is hardly practical in an era when employees are often working from home and using their own devices to remotely access cloud-based apps and computing resources. Business computing no longer happens exclusively through a network of workstations in the office – far from it.

The other major limitation of the castle-and-moat model is that, even if the perimeter has been clearly defined, it’s ineffective at stopping internal attacks and insider threats. This is because, once someone’s inside the network, they’re automatically trusted and are able to access all apps and data within the perimeter.

For the most part, the castle-and-moat approach is now obsolete. According to Verizon, 82% of data breaches involve a human element, such as social engineering, misuse, and mistakes. Employee negligence is responsible for 62% of all incidents, while malicious insiders cause 14% of all incidents. Since insiders are automatically trusted once they’re within the network, any potentially harmful actions they take – whether accidental or intentional – go unmonitored and uncontrolled.

The castle-and-moat model only considers external threats, which, while very real, account for a minority of security incidents. Zero trust architecture (ZTA) takes a different approach to how end users, accounts, and devices are allowed to access systems and data. Most importantly, it assumes that threats exist both inside and outside the network, and it can be applied in an environment of practically any complexity.

How does access control work in ZTA?

Zero trust isn’t a specific product, but a set of principles covering the continuous verification of every device, end user, or account on the network before they can access specific applications or data. With the global market expected to reach $87 billion in revenue over the decade, it’s one of the fastest-growing subdomains in information security.

There are several basic principles that a true zero trust security environment should follow:

  • Network segmentation – Networks are broken down into smaller, more manageable security zones. For example, a Microsoft Teams or Slack deployment might be treated as a single security area. Network segmentation is essential in the typical enterprise environment due to enormous and constantly expanding digital footprints.
  • Least-privilege access – Zero trust typically works in parallel with the principle of least privilege (PoLP), whereby access is only granted to an end user when they explicitly need it. For example, there’s no need for someone in marketing to have access to customer financial data. This further reduces the size of the potential attack surface.
  • Multifactor authentication – Users and devices must always provide more than one factor to verify their identities. For example, a user might need to enter a single-use security code in addition to their password, and devices might be additionally verified using geolocation or by the identity of the connecting network.
  • Device monitoring – Every user, device, or account that connects to any ZTA security zone must be logged to maintain a complete audit trail. Device monitoring provides the oversight that security teams need to carry out comprehensive audits and identify the source and attack path of any potential incidents.
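The four principles above, reduced to a single access decision, as an added example that is not Worldr's code: a toy policy decision point that checks MFA, device posture and a least-privilege role-to-zone map for every request, and writes every decision, allowed or denied, to an audit log so that repeated denials for one account can be spotted. Zone names, roles and the device flags are constructed sample data.

```python
"""Toy zero trust policy decision point (added example, not Worldr's code).

Zones, roles and device posture below are constructed sample data; in a
real deployment they would come from the identity provider and MDM.
"""
from collections import Counter
from dataclasses import dataclass

# Least privilege: each role is granted only the security zones it needs.
# Marketing gets the Teams zone but never the customer-financials zone.
ROLE_ZONES = {
    "marketing": {"teams"},
    "finance": {"teams", "customer-financials"},
}


@dataclass
class Request:
    user: str
    role: str
    zone: str           # the segmented zone being accessed (e.g. "teams")
    mfa_passed: bool    # second factor presented for this request
    device_id: str
    device_managed: bool  # device enrolled and verified, not just "on the network"


AUDIT_LOG: list[dict] = []   # every decision lands here, allow or deny


def decide(req: Request) -> tuple[bool, str]:
    """Verify the request on each access; nothing is trusted by location."""
    if not req.mfa_passed:
        verdict, reason = False, "mfa-required"
    elif not req.device_managed:
        verdict, reason = False, "unmanaged-device"
    elif req.zone not in ROLE_ZONES.get(req.role, set()):
        verdict, reason = False, "least-privilege"
    else:
        verdict, reason = True, "ok"
    AUDIT_LOG.append({"user": req.user, "device": req.device_id,
                      "zone": req.zone, "allowed": verdict, "reason": reason})
    return verdict, reason


def denials_by_user(log: list[dict]) -> dict[str, int]:
    """Count denied attempts per account; a spike is a review trigger."""
    return dict(Counter(e["user"] for e in log if not e["allowed"]))


if __name__ == "__main__":
    print(decide(Request("alice", "marketing", "teams", True, "d1", True)))
    print(decide(Request("alice", "marketing", "customer-financials", True, "d1", True)))
    print(denials_by_user(AUDIT_LOG))
```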

How does ZTA mitigate insider threat?

By limiting access to sensitive information and continuously verifying users, organizations can greatly reduce their attack surfaces, along with the insider threats that come with them. This is because ZTA treats every user, service, and component of a system as being continuously exposed to malicious actors.

For example, businesses that have adopted a zero trust approach can directly address any attempted phishing attacks across all channels, such as email and instant messaging, by continuously authenticating senders. Moreover, because every login attempt is logged, it’s relatively easy to locate any potentially malicious access attempt, such as those using credentials stolen by a social engineering attack.

Another source of insider threat, especially in hybrid work environments, is employees losing the devices they use for work or failing to secure them properly. Under the castle-and-moat approach, that device is already trusted on the network, regardless of who is actually using it to access sensitive data. Without ZTA, you have no way of knowing whether it’s the employee accessing the network or an outsider who has stolen the device.

One of the main goals of the zero trust model is to simplify and reduce the attack surface, thus micro-segmentation is one of its core concepts. The aim of ZTA isn’t to completely eliminate risk, which is an unattainable goal anyway, but to mitigate the risks. Restricting access to apps and data on a more granular basis ensures that a breach in one system can’t cause damage to another. For example, if a Microsoft Teams deployment is protected as a single zero trust security zone, then any threats targeting that platform, external or internal, will be unable to spread to the broader Microsoft 365 environment or to any other resources. This ensures that threats like credential phishing and ransomware can be contained before they have a chance to spread across the broader network. Given that today’s networks are notoriously complicated to define in the era of cloud computing and hybrid work, there’s simply no better way to protect specific workloads.

Ultimately, adopting the zero trust model provides greatly improved security while simplifying management and enabling greater agility. After all, business requirements and digital systems are more dynamic than ever, making it wholly impractical to rely on hundreds of universal rules applied across your entire environment. Despite its ominous-sounding name, zero trust can also enhance user experience by promoting better information security hygiene among employees, while also allowing them to use popular web-based communications systems in a safe and compliant way.

Worldr brings true zero trust security to business communication to ensure that all access points are continuously authenticated and verified to protect your data. Book a demo today to see how it works.
