With today’s cloud-based servers and applications, a single-factor “secure network” is not enough. You need a Zero-Trust mindset to protect all of your digital assets.
While working for a previous employer in 2020, I worked on a project to help a client assess its network security. During our analysis, we identified the malware called Emotet on our client’s system.
The world had been fighting Emotet since the financial sector first reported it to the U.S. Cybersecurity and Infrastructure Security Agency that same year. The malware spread via fraudulent email attachments, and its creators were selling its infrastructure to other malicious actors so that they, too, could spread it with their own attachments hidden in seemingly helpful Word documents — invoices, shipping orders, even COVID-19 updates.
Once users tried to open the attachment, a pop-up prompted them to “enable macros” to view it. When victims did so, the malware began running on their machines, opening the doors to data theft, other Trojan attacks and ransomware.
Worse, the virus changed each time a user opened it. Because it was constantly evolving, the international security agency Europol could not take it down until 2021.
Fortunately, back in 2020, my work for the client included identity protection via Azure MFA (multifactor authentication), device protection via Microsoft Intune, data protection via Exchange Online Protection (EOP), Microsoft Information Protection (MIP), Data Loss Prevention (DLP), and app protection via Microsoft Defender for Cloud Apps (MDCA), formerly Microsoft Cloud App Security (MCAS). Through this multifactor approach, we removed Emotet from the client’s system and prevented it from spreading further, saving the company a painful remediation that could have cost up to $1 million or more.
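The delivery vehicle described above (a Word attachment that only "works" once macros are enabled) is something a mail gateway can flag before a user ever sees the prompt. The following is an added example, not code from Centric or from the original post: it classifies attachments by whether they carry a VBA project, and the sample documents are constructed in memory rather than taken from any real campaign.

```python
# Added example, not Centric's tooling: flag Word attachments that carry VBA
# macros. Fixtures below are constructed in memory, not real Emotet samples.
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML container (.docx/.docm)
VBA_UTF16 = "VBA".encode("utf-16-le")             # OLE directory names are UTF-16LE

def classify_attachment(name: str, data: bytes) -> str:
    """'macro' = VBA project present; 'review' = Office container we cannot
    fully parse here (hand it to a real parser); 'clean' = no macro container."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "review"
        # Word honours the package contents, not the extension: a renamed
        # invoice.docx that still ships word/vbaProject.bin will prompt for macros.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        return "clean"
    if data.startswith(OLE_MAGIC):
        # Legacy-format heuristic: a 'VBA' storage name in the OLE directory.
        # A real parser such as oletools' olevba gives the firm verdict.
        return "macro" if VBA_UTF16 in data else "review"
    return "clean"  # not an Office container; says nothing about other threats

def triage(attachments):
    """Return (filename, verdict) for a batch of (filename, bytes) pairs."""
    return [(name, classify_attachment(name, data)) for name, data in attachments]

def _build_ooxml(parts: dict) -> bytes:
    """Construct a minimal OOXML package in memory (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, content in parts.items():
            zf.writestr(part, content)
    return buf.getvalue()

# Constructed fixtures: a clean .docx, a .docx that smuggles a VBA project,
# and a stub legacy .doc header carrying a 'VBA' directory name.
CLEAN_DOCX = _build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO_DOCM = _build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                           "word/vbaProject.bin": b"\x01stub"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 64 + VBA_UTF16 + b"\x00" * 8
```

Anything returned as "macro" is a candidate for blocking or sandbox detonation, and "review" means the container needs a full parser before it is trusted.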
My Emotet experience revealed problems that would only grow as additional companies moved their servers and data to the cloud. The message is clear: Simply securing networks is no longer enough to protect an organization’s entire digital ecosystem. The virtual walls companies relied on are crumbling, especially as businesses and everyday computer users increasingly rely on the ease of accessing documents, analyzing data and working from anywhere that the cloud enables.
After joining Centric in 2021, I began working with my new colleagues to create a “Zero-Trust” approach to security. It includes a multifactor security assessment like the one that helped my team identify Emotet and the elements of Zero-Trust Security Architecture. We believe organizations need both for security today. But where do you start?
Start With the Security You Have Now
Before you can build secure architecture, you must conduct an assessment to understand your current security posture fully. The assessment should include a comprehensive roadmap to help you deploy and adopt Microsoft 365 capabilities to protect the six pillars of Zero-Trust Architecture: identities, devices, apps, infrastructure, data and network. You will then be ready to enhance your Microsoft 365 investment securely.
As you interview assessment providers and examine their proposals, make sure that they have the bandwidth and skillset to create a roadmap that includes your:
- Business and industry needs and requirements
- Microsoft 365 security and compliance posture
- Scalable licensing
- Current-state assessment
- Security and regulatory compliance requirements
- Security awareness and training needs
- Next steps
Once complete, your roadmap will become your guide to hardening your existing architecture and building it out for the agility you need to identify potential risks earlier and eliminate them more quickly.
Build Your Zero-Trust Architecture
Your Zero-Trust Architecture’s six pillars protect the people, processes and technology throughout your entire organizational footprint. Because they are interrelated, your architecture must take a holistic approach. The days of fixing only the network server, or only the current problem, are gone!
Let’s take a look at the role each pillar plays in your Zero-Trust Architecture:
- Identities — Identity is the new perimeter you must protect. With an increasingly mobile and remote workforce, you must ensure your people are safe from wherever they work.
- Endpoints/Devices — With all those remote workers comes a greater number and diversity of devices accessing your network, from any place and at any time. A Zero-Trust mindset goes beyond the traditional, location-based approach, expanding to confirm you can trust each device based upon a variety of factors, in addition to location.
- Apps — You need to protect apps dynamically, according to where they reside in your Zero-Trust Architecture, to prevent unauthorized access and downloads. Again, you must base protection on several factors, not just location.
- Infrastructure — Infrastructure is now more than on-premises (on-prem) servers and PCs. Modern infrastructure includes virtual resources such as containers, micro-services, underlying operating systems, and both on-prem and cloud-based firmware.
- Data — You must protect data, including structured and unstructured data, throughout your organization and across all files and content, wherever it resides.
- Network — The network of the future will likely be a blend of traditional, on-prem assets and cloud-based resources. Only by protecting them all simultaneously can you maintain your security posture.
These are exciting days to be a security architect — but they are challenging days for business owners. Staying ahead of the curve to protect yourself from increasingly sophisticated attacks requires diligence, persistence and agility.
At Centric, we developed our own Zero-Trust Security Assessment. Our goal is to prepare our clients to build the digital ecosystem they need to secure valuable digital assets. That way, you can know the right people are accessing the right data within the right application and on the right infrastructure, device or network.
However, it’s also important to remember even the best security system is not a one-and-done. To succeed, your organization must be 100 percent committed to security across the board all day, every day. Otherwise, you run the risk of becoming another cyber-crime statistic and putting your customers, employees and company at risk.