Zero trust closes the end-user gap in cybersecurity
You may have noticed that it’s a bit more difficult to navigate cyberspace. More 6-digit authorization codes sent to your phone. More requests to confirm your name and fourth-grade teacher. There are more boxes to check to “trust the device.” This means you will need to prove that you are you.
It’s not your imagination. It’s a relatively new cybersecurity strategy called “zero trust,” and it’s changing networks worldwide. It is exactly what it sounds like: the network, site, or application won’t let anyone in until they have proved they are who they say they are.
Mayank Agarwal, head of cybersecurity in North America at Infosys, sees zero trust as a mindset shift. “Zero trust is at the forefront of all cybersecurity discussions. It’s all about principles of least privilege. This means that access is granted only for a limited time and with the least amount of restrictions. Access is removed .”
An MIT Technology Review Insights survey of global business leaders revealed that three-quarters of respondents said their organizations have become more aggressive with cybersecurity over the past two years. End-user security tops the list.
About 40% of poll respondents said their organizations have already adopted a zero-trust model, while another 18% are in the process of implementing the model, and 17% are in the planning stages.
And this is important, says Vishal Salvi, chief information security officer for Infosys, because companies need to think about “adopting a new security architecture to support new connectivity models.”
Securing the cloud during covid-19
In addition to the ever-growing cybercrime wave, thank covid-19 for this extra level of vigilance. Cloud computing was the focus of the pandemic. Lockdowns sent millions to their homes, where they connected to company systems remotely using their own devices rather than their employer’s. Traditional centralized security, where users log in only once a day (the modern equivalent of a moat around a castle), was no longer possible.
The shift happened on a grand scale, and almost immediately so did an uptick in cyberattacks, such as ransomware, phishing attempts, and denial of service.
The newly distributed nature of information services has increased the number of points cybercriminals can exploit. Organizations were in a delicate situation. They had to give easy access to their partners and employees, while also making sure that their data and applications weren’t misused.
Of the poll respondents, almost 55% said their biggest challenge is securing a hybrid or entirely remote workforce. Their second biggest challenge, also related to decentralized IT infrastructure, is securing applications and data through the cloud (49%).
Specifically, 68% of the interviewees worry about cloud applications and data being subject to malware, ransomware, and phishing attacks. Although 55% don’t feel confident that their cloud security is properly configured, 59% believe that they have adequate control processes and policies to secure the cloud. One third of respondents stated that cybersecurity training is difficult for them.
End users under attack
The weakest link in any IT security strategy is always people, according to Keri Pearlson, executive director of the MIT research group Cybersecurity at MIT Sloan (CAMS). CAMS studies strategic, managerial, and organizational issues in cyberspace. “One person can click on the wrong link, email, or program to infect a system. It’s not only end users, but all people who interact with our systems.” Pearlson states that every person who interacts with systems can be a vulnerability point.
Although typically more than 99% of system security measures are handled on the back end by IT, says Salvi, the tiny sliver of security threats that users are responsible for accounts for almost 19 out of 20 cyberattacks.
“They all start with phishing emails,” Salvi states. “They’re trying to get the keys rather than breaking the locks.” End users locked down during covid are more likely to cause damage, so security strategy must be adapted quickly.
In contrast to traditional end-user security models, a user’s initial sign-in to a zero-trust environment (even one confirmed by a fingerprint, a face scan, or multifactor authentication) isn’t the end of surveillance. Zero trust follows users as they go about their cyber-day, checking to make sure they haven’t done anything malicious or clicked on a link that could lead to hackers. Users won’t notice zero trust except for the occasional request to reauthenticate.
“I don’t have the security to work if the user doesn’t do the right things,” says Salvi. “They don’t have to remember a complex password or change it every three months or be cautious about what they download.”
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editorial staff of MIT Technology Review.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.