In Zero-Trust Architecture, “out of sight” can never mean “out of mind.” This last installment of our series looks at how to protect your invisible network assets.
Anyone who has studied the Watergate scandal of the 1970s is familiar with phone taps. Phone tapping breaches a miniature wired network between two people speaking over an old-school telephone. The speakers believe they are talking privately, but by “tapping into” the physical wire between them, whether legally or not, others can eavesdrop and record their conversation.
Of course, we access much more sophisticated networks today, but the idea is the same. An exposed ethernet cable is just as vulnerable as a phone line, after all. Attacks like these involve visible networks, one of the two categories today’s network security experts work to protect.
In a previous post, we discussed various ways to protect physical infrastructures, such as those ethernet wires or the buildings that house servers. But what about the invisible components of modern networks, such as the airwaves that carry radio signals from one device to another? How do you protect networks you can’t see?
Control Network Access
While protecting invisible networks is more technically complicated than protecting physical infrastructure, the principles are similar. Imagine the network you log on to at your favorite coffee shop is a highway. The coffee shop’s free internet access is simply a service that allows information to flow from point A to point B. However, because a coffee shop must accommodate every type of device, it’s impossible to control access. Everyone else is traveling the same road — both good guys and bad guys.
For that reason, it’s important that you educate your employees about how to protect your data — and their own — when working in coffee shops, airports, libraries and other public places that provide internet access. We’ll get to those measures shortly, but for now, let’s think about how you can facilitate travel on your company’s information highway.
The first step is to control access. At a highway border crossing, for example, travelers must show identification to continue their journey. The same should be true of your network. Multifactor authentication (MFA) is the most basic additional layer of identity protection you can give employees: it forces anyone trying to reach your company's apps, endpoints, devices or networks to prove who they are with more than a password.
Once an employee enrolls a device in an MFA app, a login attempt with their password triggers a second-factor check on that device, typically a push approval, a one-time code, a hardware key or a biometric such as a fingerprint or face. Because the attacker holds only the stolen password and not the employee's enrolled device or biometric, the attempt stops at that second step, and the employee sees a prompt they did not initiate, which is itself a warning that the password has been compromised. Other tools protect endpoints by checking each device against your organization's list of approved apps, patch levels, disk encryption and other security policies before granting access; devices that don't meet the requirements are denied.
Educate your users about MFA as well. Just because an MFA prompt appears does not mean they should accept it. Attackers who already have a password bombard the user with repeated push prompts, sometimes late at night, until the user approves one just to make the nagging stop. This "MFA fatigue" (or push bombing) technique gave attackers access to internal systems in the 2022 Uber breach. Help your security awareness team run an MFA fatigue campaign so users know to deny unexpected prompts and report them, and consider number matching or a hardware key, which this attack cannot exploit.
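A practitioner will want to detect push bombing before the user gives in. The following is an added example, not code from the original post or from any MFA vendor: it runs over a handful of constructed log lines (the `user=... event=mfa_push result=...` format is assumed, as are the ten-minute window and the threshold of four unanswered prompts) and raises a high-severity alert when a user receives a burst of denied or timed-out pushes, escalating to critical if an approval follows that burst, which is the signature of a successful MFA fatigue attack.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example; the key=value format is assumed,
# not taken from any real product. alice is being push-bombed and finally approves;
# bob shows normal, isolated activity.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:01:41Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:02:10Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T22:02:55Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:03:30Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:04:02Z user=alice event=mfa_push result=approved src=203.0.113.7
2022-09-15T22:05:00Z user=bob event=mfa_push result=approved src=198.51.100.2
2022-09-16T09:10:00Z user=bob event=mfa_push result=denied src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)
UNANSWERED = {"denied", "timeout"}  # outcomes that mean the user did not approve


def parse(lines):
    """Return (timestamp, user, result, src) tuples for mfa_push events only."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "mfa_push":
            continue  # ignore malformed lines and unrelated events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=4):
    """Sliding-window detector: alert per user when `threshold` or more pushes in
    `window` went unanswered; escalate to critical if an approval lands inside
    such a burst (the attacker's push finally got accepted)."""
    per_user = defaultdict(list)
    for ts, user, result, src in parse(lines):
        per_user[user].append((ts, result, src))

    alerts = []
    for user, evs in sorted(per_user.items()):
        evs.sort()
        recent = []            # events still inside the sliding window
        burst_alerted = False  # suppress repeated "high" alerts for one burst
        for ts, result, src in evs:
            recent.append((ts, result, src))
            while ts - recent[0][0] > window:
                recent.pop(0)
            unanswered = sum(1 for _, r, _ in recent if r in UNANSWERED)
            if unanswered < threshold:
                burst_alerted = False  # burst has aged out of the window
                continue
            if result == "approved":
                alerts.append({"user": user, "time": ts, "severity": "critical",
                               "unanswered": unanswered, "src": src,
                               "reason": "approval after repeated unanswered pushes"})
            elif not burst_alerted:
                alerts.append({"user": user, "time": ts, "severity": "high",
                               "unanswered": unanswered, "src": src,
                               "reason": "burst of unanswered push prompts"})
                burst_alerted = True
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']}] {a['user']} at {a['time']} from {a['src']}: "
              f"{a['reason']} ({a['unanswered']} unanswered)")
```

On the sample input the detector fires a high alert for alice on her fourth unanswered prompt and a critical one when she approves the sixth; bob never crosses the threshold. In a real deployment the critical alert is the one to page on, since it means the attacker now has a session and the user's password must be reset along with that session.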
Control Data “In the Air”
So, what happens when bad actors seek to perform a virtual wiretap by accessing your network information as it is in the air? Returning to our highway analogy, when a highway goes through a tunnel, it is protected from the elements, whether rain, snow, ice or a flock of birds. The same should be true of your network, except you must protect the whole electronic pathway with a virtual tunnel.
Security experts call this tunnel encryption in transit; when the tunnel runs the whole way from the sender's device to the recipient's, with no intermediary able to read the contents, it is end-to-end encryption. Protecting visible, physical infrastructure is the first part of protecting your data at rest, sitting on a server in an unmarked building. The other measures we've discussed also protect data at rest by limiting virtual access to those servers. Protocols such as Transport Layer Security (TLS) keep data safe as it travels; its predecessor, Secure Sockets Layer (SSL), is obsolete and should be disabled wherever it is still offered. Note that TLS protects each hop between a client and a server, so a proxy or service in the middle can still see the traffic; true end-to-end encryption requires the application itself to encrypt the data before it leaves the device.
Most organizations have tools such as these in place, but as data continues its move to the edge, the need to protect data in use grows, too. This is data that has been decrypted so a program can work on it: it sits in RAM, the temporary storage between the network and the person using it, where it can be read by anyone with enough privilege on the host, from a compromised administrator to a cloud provider's own staff. Trusted execution environments (TEEs), isolated regions of a computer's main processor that keep code and data protected even from the operating system and hypervisor, address exactly this gap, but they are still far from universal, and this tiny space between the network and the user remains many organizations' Achilles heel.
One solution is software that encloses sensitive code and data in such an enclave and limits access by user or by privilege level. Both the Azure and AWS clouds offer TEE-based protections (Azure confidential computing and AWS Nitro Enclaves, respectively), and additional tools are emerging that can protect sensitive data like personal health information (PHI) while it is being processed. Tools like these bring you closer to a true Zero-Trust Architecture.
Zero-Trust Security Starts with You
As great as existing technologies and emerging ones may be at protecting your invisible network, human behavior remains an important piece of Zero-Trust security. Below are tips you should practice yourself — and encourage your employees to do the same:
- Avoid accessing social media or sharing personal information on unsecured public networks.
- Use MFA or similar tools to protect your online identity, apps, endpoints and networks.
- Avoid sharing sensitive information over email.
- Keep your distance from others and protect your screen when working in public spaces; a VPN encrypts the network path, but it does nothing against a nosy neighbor reading over your shoulder.
- Don’t reveal personal information, such as credit card numbers, out loud in public.
A more advanced solution is to segment your home network. Most routers can run a separate guest network, and your internet provider can help set one up; use it for your kids' devices, smart-home gadgets, or visiting customers and clients so that a compromise there cannot reach the device you use for work. Convenience is great, but not at the cost of security.
Conclusion
As we have shown, Zero-Trust Architecture is not a one-solution strategy. It requires many solutions, some of which may overlap, to protect online identities, endpoints, data, infrastructure and networks.
But just like human behavior plays a role in Zero-Trust, so does the human mindset. You and your employees must think about security from many perspectives, not only from the perspective of one person and their device. In a world where a tiny crack or split-second loss of judgment can open a flood of devastation, Zero-Trust security is everyone’s job!