You may have noticed it’s a little harder to get around in cyberspace. More six-digit authorization codes texted to your phone. More requests to confirm the name of your first pet or fourth-grade teacher. More boxes to check to “trust this device.” Overall, having to prove more often that you are you.
It’s not your imagination. It’s a comparatively new cybersecurity philosophy called “zero trust,” and it’s transforming networks globally. It’s just what it sounds like: the network, site, or application won’t allow you in without proof you belong there. Mayank Agarwal, head of cybersecurity for North America at Infosys, thinks of zero trust as a mindset change. “Zero trust is front and center of all cybersecurity discussions. It’s about principles of least privilege. This means giving access only for a time, with the least amount of access. Once done with whatever job you are supposed to do, access is taken away.”
An MIT Technology Review Insights poll of global business leaders reveals three out of four organizations have become more aggressive in their approach to cybersecurity over the past two years, and end-user security tops the list of cybersecurity concerns.
About 40% of poll respondents said their organizations have already adopted a zero-trust model, while another 18% are in the process of implementing the model, and 17% are in the planning stages.
And this is important says Vishal Salvi, chief information security officer for Infosys, because companies need to think about “adopting a new security architecture to support new connectivity models.”
Securing the cloud during covid-19
In addition to the ever-growing cybercrime wave, thank covid-19 for this extra level of vigilance. The pandemic made cloud computing take center stage: lockdowns sent millions of workers to their homes, where they connected to company systems remotely, often using their personal devices rather than the employer’s. Traditional centralized security where users log in once in the morning—the modern equivalent of a moat around the castle—was no longer feasible.
The shift happened on a grand scale, and almost immediately so did an uptick in cyberattacks, such as ransomware, phishing attempts, and denial of service.
The newly distributed nature of information services guaranteed an increase in the number of vulnerable points for cybercriminals to exploit.
Organizations were in a delicate position, having to provide easy access to their employees and partners while simultaneously making sure their data and applications didn’t end up in the wrong hands.
Of the poll respondents, almost 55% said their biggest challenge is securing a hybrid or entirely remote workforce. Their second biggest challenge, also related to decentralized IT infrastructure, is securing applications and data through the cloud (49%).
Specifically, 68% of the interviewees worry about cloud applications and data being subject to malware, ransomware, and phishing attacks. Although 55% don’t feel confident that their cloud security is properly configured, 59% believe that they have adequate control processes and policies to secure the cloud. About one out of three respondents said it’s a challenge to train employees adequately on cybersecurity.
End users under attack
The weakest link in any IT security strategy has always been people, says Keri Pearlson, executive director of the MIT research consortium Cybersecurity at MIT Sloan (CAMS). CAMS studies organizational, managerial, and strategic issues in the cybersphere. “It only takes one person to click on the wrong email or the wrong link or install the wrong program for systems to get infected. It’s not just end users in the traditional sense, it’s all the people that interact with our systems. Every single person that interacts with systems is a possible vulnerability point,” Pearlson says.
Although typically more than 99% of system security measures are handled on the back end by IT, says Salvi, the tiny sliver of security threats users are responsible for account for almost 19 out of 20 cyberattacks.
“They all start through phishing emails,” Salvi says. “They’re trying to get the keys rather than breaking the locks.” Some phishing attempts can fool even a wary user, masquerading as urgent messages from human resources or the C-suite. Covid lockdowns put end users in a position to do more damage, and security strategy adapted quickly.
In contrast to traditional end-user security models, a user’s initial sign-in to a zero-trust environment— even one confirmed by a fingerprint, a face scan, or multifactor authentication—isn’t the end of surveillance. Once in, zero trust discreetly follows as users go about the cyber-day, making sure they aren’t up to something nefarious, and haven’t mistakenly clicked on a link that opens a door to a hacker. Except for an occasional request to re-authenticate, users won’t notice zero trust unless it decides it can’t trust you and locks you out of somewhere you want to go.
“I don’t have to depend on the user to do the right thing for the security to work,” says Salvi. “They don’t have to remember a complex password or change it every three months or be cautious about what they download.”
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff.