Zero Trust: The What, Why And How

Etay Maor is Senior Director, Security Strategy for Cato Networks, a developer of advanced cloud-native cybersecurity technologies.


The rising severity and frequency of cyberattacks and data breaches indicate that current approaches to cybersecurity are ineffective against modern cyber threats.

This is because most organizations are heavily focused on perimeter-based security: building defenses at the boundary between the corporate network and the outside world to stop threats from getting in. This approach also assumes that everyone already inside the network can be trusted and should have access to all resources. That assumption is outdated.

Many employees are accessing corporate resources from outside of the perimeter, and applications that were once hosted inside an organization’s data center are now hosted on the public cloud. Furthermore, a perimeter-based approach does not have visibility into anything that’s happening inside the corporate perimeter. In the case of an attacker using stolen credentials to infiltrate an organization or breaching defenses through a vulnerable supply chain partner, perimeter-based security does not offer protection or visibility.

One of the best ways to overcome these shortcomings is by deploying a zero-trust architecture (ZTA).

What Is Zero Trust?
Zero trust is a security model that does not trust any user or application by default. Zero trust assumes that the network is already compromised and that trust needs to be reassessed and reestablished. In other words, it’s a system that denies everyone and everything until the identity of the user is confirmed and the context of the request is established.

Compared to a traditional model where an authenticated user receives implicit access to everything on the network, a zero-trust model authorizes access to each resource separately, and only after a set of attributes has been verified: the user's identity, the device and its security posture, the user's job role, and the context of the request.

Why Do Organizations Need Zero Trust?
A zero-trust model can help improve an organization’s security posture in many ways that legacy security approaches cannot. Benefits include:

• Containing lateral movement and privilege escalation. Zero trust allows administrators to define granular policies around sensitive resources and erect micro-perimeters around specific applications and workloads. An attacker who compromises one account or host is confined to what that identity is explicitly allowed to reach and cannot move laterally to inflict further damage.

• Containing insider threats. Perimeter-based controls do little to stop a malicious insider who is already inside the network, and they provide little visibility into that insider's activity. Zero trust ensures each user has no more access than the job requires and records every access decision, giving granular visibility into what each user actually did.

• Locking down cloud access. Zero trust restricts access to cloud applications based on business requirements. Since every user or application is subject to clearly defined access permissions, only authorized users or applications will be permitted to access those cloud environments.

Which Technologies Help Enable A Zero-Trust Architecture?
Zero trust isn’t a specific technology, per se, but a foundation on which the entire security stack resides. While zero trust can mean different things to different organizations, there are a number of core technologies that are designed to enable it, including:

1. Zero Trust Network Access: ZTNA replaces broad network access with a software-defined perimeter that brokers each user's connection to specific data centers, environments or applications; a user granted one application does not gain reachability to the rest of the network. Combined with micro-segmentation (breaking the network into small zones), this is an effective way to control the lateral movement of attackers.

2. Identity and Access Management: IAM systems help enforce least privilege access across the business, from users to contractors to customers. One can also enforce granular permissions that are based on the time and geolocation of users.

3. Secure Access Service Edge: SASE makes it easier to implement and manage zero trust because it packages technologies like ZTNA, firewall as a service, secure web gateway, cloud access security broker (CASB) and SD-WAN under a single console and managed service offering.

4. Security Orchestration, Automation and Response: SOAR ingests alerts from otherwise siloed security tools, enriches them with context and turns them into actionable cases. It automates repetitive manual response steps (disabling an account, isolating a host, revoking a session) through playbooks, which improves response times.
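As an added illustration (not code from the original article or from Cato Networks), the following Python sketch contrasts the implicit-trust perimeter model described above with the default-deny, attribute-based decision that defines zero trust: each request carries identity, device posture and context (country and time of day, the kind of conditions item 2 says an IAM system can enforce), and is checked against a per-resource policy that acts as a micro-perimeter. The resource names, roles, time window, countries and sample requests are all invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Request:
    """Everything the decision is made from: identity, device posture and context."""
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool        # e.g. disk encrypted, EDR agent running, patched
    country: str                  # derived from the client address by the gateway
    at: datetime
    on_corporate_network: bool    # only the legacy model looks at this
    resource: str
    action: str


@dataclass(frozen=True)
class Policy:
    """One micro-perimeter: who may do what to a resource, under which conditions."""
    allowed_roles: frozenset
    actions: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True
    allowed_countries: Optional[frozenset] = None   # None means any country
    window: Optional[tuple] = None                  # (start, end) as datetime.time; None means any time


# Constructed sample policies keyed by resource name; the names are assumptions.
POLICIES = {
    "hr-payroll": Policy(
        allowed_roles=frozenset({"hr"}),
        actions=frozenset({"read", "write"}),
        allowed_countries=frozenset({"AU"}),
        window=(time(7, 0), time(19, 0)),
    ),
    "wiki": Policy(
        allowed_roles=frozenset({"hr", "engineer", "contractor"}),
        actions=frozenset({"read"}),
        require_compliant_device=False,
    ),
}


def perimeter_evaluate(req: Request) -> tuple:
    """Legacy model: whoever is inside the network is implicitly trusted."""
    if req.on_corporate_network:
        return ("allow", "request originates inside the perimeter")
    return ("deny", "request originates outside the perimeter")


def zero_trust_evaluate(req: Request, policies=POLICIES) -> tuple:
    """Default deny: every attribute must pass the resource's policy.

    Network location is deliberately not an input. The first failing check is
    reported so the decision can be logged with a reason.
    """
    policy = policies.get(req.resource)
    if policy is None:
        return ("deny", "no policy grants access to this resource")
    checks = [
        (req.role in policy.allowed_roles, "role not authorized for resource"),
        (req.action in policy.actions, "action not permitted on resource"),
        (req.mfa_verified or not policy.require_mfa, "identity not verified with MFA"),
        (req.device_compliant or not policy.require_compliant_device, "device posture not compliant"),
        (policy.allowed_countries is None or req.country in policy.allowed_countries,
         "origin country not permitted"),
        (policy.window is None or policy.window[0] <= req.at.time() <= policy.window[1],
         "outside permitted time window"),
    ]
    for passed, reason in checks:
        if not passed:
            return ("deny", reason)
    return ("allow", "identity, device and context verified")


# Constructed sample requests (hypothetical users and timestamps).
_BASE = dict(user="alice", role="hr", mfa_verified=True, device_compliant=True,
             country="AU", at=datetime(2023, 3, 1, 10, 30), on_corporate_network=False,
             resource="hr-payroll", action="read")


def make_request(**overrides) -> Request:
    return Request(**{**_BASE, **overrides})


LEGIT = make_request()
# Attacker using stolen credentials from an unmanaged host plugged into the office LAN.
STOLEN_CREDS = make_request(mfa_verified=False, device_compliant=False, on_corporate_network=True)
AFTER_HOURS = make_request(at=datetime(2023, 3, 1, 23, 15))
WRONG_ROLE = make_request(user="bob", role="engineer", on_corporate_network=True)


if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("stolen creds", STOLEN_CREDS),
                      ("after hours", AFTER_HOURS), ("wrong role", WRONG_ROLE)]:
        print(f"{name:13} perimeter={perimeter_evaluate(req)[0]:5} zero-trust={zero_trust_evaluate(req)}")
```

The stolen-credential case is the one the article's perimeter critique is about: the legacy check allows it because the request comes from inside the network, while the zero-trust check denies it at the MFA step and never even reaches the device-posture failure. Real deployments evaluate these attributes continuously, not just at login, so a device that falls out of compliance mid-session loses access too.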

How Can Businesses Get Started With Zero Trust?
To achieve zero-trust maturity, organizations must learn to walk before they can run. Below are some basic steps to kick-start the zero-trust journey:

1. Identify critical data, processes and services as well as sensitive data flows.

2. Formalize your plan, policies and framework to implement zero trust.

3. Identify and deploy tools that can help achieve your immediate zero-trust goals. ZTNA or SASE are recommended, as these can significantly accelerate your journey to zero trust.

4. Build micro-perimeters around sensitive data, applications or services, and implement access controls based on the principle of least privilege. Lock down remote access.

5. Continuously monitor your endpoints, gateways and sensitive data flows for vulnerabilities, weaknesses, signs of a potential attack, or breach and compliance failures.

6. Keep fine-tuning and tightening your zero-trust policies and controls as you learn about user behavior, security vulnerabilities and security incidents.

Gartner Inc. predicts that by 2025, 60% of organizations will embrace zero trust but that more than half will fail to realize its benefits. This is because the model isn’t just a shift from legacy perimeter-based security to advanced location-agnostic security; it also represents a shift from the legacy mindset of implicit trust to one that is focused on identity and context.

This is why it’s important for organizations to consider technologies like IAM, SASE and SOAR that are not only purpose-built around identity and context but can also provide end-to-end visibility and control across the entire enterprise.



New starters beware: The new year comes with new cyber threats

When Bob received an email from his new company, he was eager to impress.

Just a couple of days into his new job, he received an email appearing to come from the head of HR, asking him to access important onboarding information via a link using his employee login credentials. 

Bob doesn’t realise that he’s entering his credentials on a phishing page, and the cybercriminal harvests these credentials and uses them for account takeover fraud. Just two days in and Bob has already fallen victim to an attack and put his new company at risk. 

This is just one example of how easy it is for new starters to fall prey to cyber criminals.

A new year often also marks new beginnings for employees, with many new starters beginning in a new company. This is an exciting time for employees and employers alike, but it also brings with it significant cyber threats that need to be effectively managed by everyone involved.

How new starter scams work

These cybersecurity threats and new types of scams can turn a dream new job into a nightmare within minutes.

New starter scams involve the targeting of new employees at a company with tailored, spoofed emails appearing to come from someone else within the business, usually a high-level manager or someone from human resources. 

The new employee will then be asked to do something, such as putting personal login details into a phishing page, appearing to be on the company’s website, or purchasing something apparently for the company.

If login details are entered, the credentials can be harvested and used for account takeover fraud, potentially giving the attacker access to the whole company's network.

This form of social engineering cyber attack is particularly effective as it is targeting a company where they are most vulnerable: new hires. These people are often not familiar with how the company operates and what will and will not be asked of them and are eager to please and complete tasks quickly. Cybercriminals also strike quickly, so the new employer may not have had a chance to provide cyber training. 

The pandemic has also accelerated the uptake of remote onboarding, with employees beginning a job entirely digitally through a mix of online company systems and collaboration tools, further increasing the threat level. As academics at the Queensland University of Technology found, post-Covid work patterns have created a “bountiful environment for offenders to target potential victims effectively”.

Malicious online actors will often monitor LinkedIn and other social media sites to find people who have just started at a new company, to target as part of these types of attacks.

According to the ACCC’s Scamwatch, Australians lost more than $8.7 million as part of these scams and other recruitment-based attacks last year, with reports of more than 3000 of these scams.

How new starters and companies can mitigate the risk

For new employees, the first few weeks in a job should be marked with an exceedingly high level of caution and mistrust of any strange or suspicious contact, especially messages asking for login details, phone numbers or payments. They should be especially wary of any transactions relying on gift cards or cryptocurrencies.

New starters, or any employees for that matter, should never click on any suspicious links in these emails or attachments and should carefully peruse the email address and web address that they have been sent to make sure it is legitimate.
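The checks this paragraph asks a new starter to do by eye (does the sender's address really belong to the company, does the link go where it claims) can also be automated at the mail gateway or in a reporting tool. The following Python example is added here and is not from the original article; it assumes a company domain of examplecorp.com, and the two messages at the bottom are constructed to match the Bob scenario above. It flags three things the scenario relies on: a look-alike sender domain, a display name that claims an internal role while the address is external, and a link whose host merely embeds the company domain as a subdomain.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation domain(s); replace with your own.
COMPANY_DOMAINS = {"examplecorp.com"}
# Display-name words that suggest an internal sender.
INTERNAL_ROLE_RE = re.compile(r"\b(hr|human resources|ceo|payroll|it support|onboarding)\b", re.I)
# Characters attackers substitute to imitate a domain.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalise(label: str) -> str:
    """Undo common look-alike substitutions so examp1ecorp compares equal to examplecorp."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats (a dropped or added letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_company_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)


def classify_host(host: str) -> str:
    """Return 'company', 'embedded', 'lookalike' or 'external' for a host name."""
    host = host.lower().rstrip(".")
    if is_company_host(host):
        return "company"
    # examplecorp.com.evil.net: the real domain appears, but only as a subdomain label.
    if any(d in host for d in COMPANY_DOMAINS):
        return "embedded"
    # Compare the registrable label (assumes the company uses second-level domains).
    labels = host.split(".")
    base = labels[-2] if len(labels) >= 2 else host
    for d in COMPANY_DOMAINS:
        real = d.split(".")[0]
        if real in normalise(base) or edit_distance(normalise(base), real) <= 1:
            return "lookalike"
    return "external"


def check_message(from_header: str, body: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    kind = classify_host(sender_host)
    if kind != "company":
        findings.append(f"sender domain {sender_host!r} is {kind}")
        if INTERNAL_ROLE_RE.search(display):
            findings.append(f"display name {display!r} claims an internal role but the address is not internal")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        kind = classify_host(host)
        if kind != "company":
            findings.append(f"link host {host!r} is {kind}")
    return findings


# Constructed messages modelled on the scenario above (hypothetical addresses).
PHISH = {
    "from": '"Head of HR (Examplecorp)" <hr.onboarding@examp1ecorp.com>',
    "body": "Welcome aboard! Complete your onboarding at "
            "https://examplecorp.com.secure-onboarding-portal.net/login using your employee login.",
}
LEGIT = {
    "from": "HR Team <hr@examplecorp.com>",
    "body": "Your onboarding tasks are at https://people.examplecorp.com/onboarding - see you Monday.",
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_message(msg["from"], msg["body"]) or ["no findings"])
```

These header and URL heuristics complement, rather than replace, SPF, DKIM and DMARC enforcement at the gateway: a message that fails DMARC for the company's own domain should be rejected outright, and this kind of check is for the look-alike and embedded-domain cases that authentication alone does not cover.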

Attackers often find the information they need for these scams on social media platforms like LinkedIn, so it's important to make these profiles as private as possible to starve these groups of information, and not to accept any suspicious connection requests.

Companies have a crucial role to play in ensuring that their new employees don’t fall victim to these scams.

Education and awareness training should be provided to new starters from the very beginning, with lessons in how they may be targeted. New employees should also be empowered to question anything they see and to make contact with their higher-ups to flag concerns with anything, no matter how small it may be. This awareness should be a major part of any onboarding process, especially if this is conducted remotely.

Australian businesses should also have clear social media and device policies to help mitigate the risks of these scams and share the news widely of recent trends in these attacks.

Basic cybersecurity hygiene, such as firewalls, data segmentation and zero-trust frameworks, should also be employed to help with these risks.

A company is only ever as cyber-safe as its weakest link, and unfortunately, this weak link is often in the form of a new employee. But there are many simple, cost-effective steps that everyone involved can take to mitigate these risks and ensure that a new job is as exciting as it should be and doesn’t lead to a cyber nightmare.



5 strategies for boosting endpoint management

How should CIOs and other IT leaders respond to evolving cyber threats? Here are five tips.

Cloud architectures and remote workforces have effectively dissolved the network perimeter, the traditional line of defense for IT security. Lacking that decisive boundary, the work of security teams has changed. Now to guard against data breaches, ransomware, and other types of cyber threats, protecting network endpoints is more important than ever. 

But protecting endpoints is a priority with a massive scope. Endpoints encompass everything from employee laptops, desktops, and tablets to on-premises servers, containers, and applications running in the cloud. Endpoint security requires a comprehensive and flexible strategy that goes way beyond what security teams relied on a decade or more ago. Then IT assets were nearly all on-premises and protected by a firewall. Those days are over.

Ransomware continues to evolve

Ransomware continues to be a major threat to organizations of all sizes. After declining for a couple of years, ransomware attacks are on the rise again. They increased 23% from 2021 to 2022. 

Not only are attacks more frequent, they’re also more disruptive. In 2021, 26% of attacks led to disruptions that lasted a week or longer. In 2022, that number jumped to 43%.

On average, each of these attacks cost its victim $4.54 million, including ransom payments made as well as costs for remediation. As bad as these numbers are, they’re poised to get worse. That’s because in the past year, attackers have adopted new models for extorting money from victims.

Business email compromise attacks

Another prevalent form of attack is business email compromise (BEC), where criminals send an email impersonating a trusted business contact, such as a company CEO, an HR director, or a purchasing manager. The email, often written to convey a sense of urgency, instructs the recipient to pay an invoice, wire money, send W-2 information, send serial numbers of gift cards, or to take some other action that appears legitimate, even if unusual. If the recipient follows these instructions, the requested money or data is actually sent to the criminals, not the purported recipient.

Between June 2016 and December 2021, the FBI recorded over 240,000 national and international complaints about BEC attacks, which cumulatively resulted in losses of $43 billion. Ransomware might make more headlines, but BEC attacks are 64 times as costly. And they are becoming more frequent, increasing 65% between 2019 and 2021.

“Endpoint monitoring won’t stop a BEC attack,” explains Tim Morris, Chief Security Advisor, Americas at Tanium. “But it might tell you a little more about the person who opened the email and what they did with it. Context can give you the clues you need for determining whether the attack is part of a broader campaign, reaching other recipients with deceptive messages.”

Practical tips for endpoint management

How should CIOs and other IT leaders respond to these evolving threats? Here are five tips.

1. Treat endpoints as the new network edge.

With so many people working remotely and 48% of applications running in the cloud, it’s time to recognize that the new line of defense is around every endpoint, no matter where it is and what type of network connection—VPN or not—it’s operating with.

2. Identify all devices connecting to the network, even personal devices not officially authorized.

“You can’t secure what you can’t manage,” says Morris. “And you can’t manage what you don’t know.” Security Operations Centers (SOCs) need to know all the endpoints they’re responsible for. Audits of enterprise networks routinely find endpoint management systems miss about 20 percent of endpoints. SOC teams should put tools and processes in place to ensure they have a complete inventory of endpoints and can monitor the status of endpoints in real time.
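The 20 percent gap above only becomes visible when the management tool's inventory is reconciled against something that sees every device regardless of whether an agent is installed, such as DHCP leases, switch MAC tables or NAC logs. The following Python example is added here and is not code from the article or from Tanium; it joins two constructed CSV exports (hypothetical hosts and MAC addresses) by normalised MAC address and reports devices on the network that the management tool does not know about, managed devices whose agent has stopped checking in, and the resulting coverage figure.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed exports (hypothetical hosts and MAC addresses). In practice these come from
# the endpoint-management console and from DHCP leases, switch ARP/MAC tables or a NAC.
MDM_EXPORT = """hostname,mac,last_checkin
LAPTOP-ALICE,AA:BB:CC:00:00:01,2023-03-01T09:00:00
LAPTOP-BOB,aa-bb-cc-00-00-02,2023-02-01T09:00:00
SRV-WEB01,AA:BB:CC:00:00:03,2023-03-01T08:30:00
"""
DHCP_LEASES = """ip,mac,hostname,lease_start
10.0.1.10,aa:bb:cc:00:00:01,LAPTOP-ALICE,2023-03-01T08:55:00
10.0.1.11,aa:bb:cc:00:00:04,iPhone-Carol,2023-03-01T08:50:00
10.0.1.12,aabbcc000005,,2023-03-01T08:51:00
10.0.2.5,aa:bb:cc:00:00:03,SRV-WEB01,2023-02-28T23:00:00
"""


def norm_mac(mac: str) -> str:
    """Canonical form so AA:BB:CC:00:00:01, aa-bb-cc-00-00-01 and aabbcc000001 match."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def load_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(mdm_rows: list, network_rows: list, now: datetime,
              stale_after: timedelta = timedelta(days=14)) -> dict:
    """Join the management and network views by MAC address.

    Returns devices seen on the network but unknown to the management tool, managed
    devices that have not checked in recently (agent broken or machine gone), and the
    fraction of network-observed devices that are under management.
    """
    managed = {norm_mac(r["mac"]): r for r in mdm_rows}
    seen = {norm_mac(r["mac"]): r for r in network_rows}

    unmanaged = sorted(
        ({"mac": mac, "ip": r["ip"], "hostname": r["hostname"] or "(unknown)"}
         for mac, r in seen.items() if mac not in managed),
        key=lambda d: d["mac"],
    )
    stale_managed = [
        r["hostname"] for r in managed.values()
        if now - datetime.fromisoformat(r["last_checkin"]) > stale_after
    ]
    coverage = len(managed.keys() & seen.keys()) / len(seen) if seen else 1.0
    return {"unmanaged": unmanaged, "stale_managed": stale_managed, "coverage": coverage}


def run_sample() -> dict:
    """Reconcile the constructed exports as of a fixed point in time."""
    return reconcile(load_csv(MDM_EXPORT), load_csv(DHCP_LEASES), now=datetime(2023, 3, 1, 12, 0))


if __name__ == "__main__":
    report = run_sample()
    print(f"coverage: {report['coverage']:.0%} of network-observed devices are managed")
    for d in report["unmanaged"]:
        print("unmanaged:", d)
    for h in report["stale_managed"]:
        print("stale agent:", h)
```

MAC addresses are a convenient join key on a wired or corporate wireless LAN, but randomised MACs on personal devices and VPN-only clients will not line up this way; in practice the reconciliation is run against several sources (DHCP, NAC, identity provider device objects, VPN logs) and anything present in only one of them gets investigated.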

3. Patch continually.

Patching has always mattered for getting the latest features and bug fixes. But now that software vulnerabilities have emerged as a major inroad for attackers, it is critical that patches are applied promptly. Organizations also cannot hope to respond to a vulnerability in a widely used third-party component, such as Log4j, without automated tooling for software bills of materials (to find where the component is actually deployed) and for patching.

4. Drill.

Once you have a cybersecurity plan, a cybersecurity toolset, and a trained staff, it’s important to practice hunting for threats and responding to attacks of all kinds. It’s helpful to take a Red Team/Blue Team approach, assigning a team of security analysts to break into a network while another team tries to defend it. These drills almost always uncover gaps in security coverage. Drills also help teams build trust and work together more effectively.

5. Get endpoint context.

When attacks occur, it’s important to respond as quickly as possible. To respond effectively, security teams need to understand what’s happening on affected endpoints, no matter where they are. Which processes are running? What network traffic is taking place? What files have been recently downloaded? What’s the patch status?

Analysts often need answers in minutes from endpoints thousands of miles away. And they don’t have time to install new software or hope the remote user can help them set up a connection. Security teams need to have a system already in place for analyzing endpoints and collecting this data, so that when any type of attack occurs—even attacks like BEC attacks—they can collect the contextual information needed for understanding what happened and what threats remain active.

Cyber threats are becoming more prevalent, more sophisticated, and harder to identify and track.


MPs want annual national-security reports, aid for businesses to thwart cyber threats

OTTAWA — A committee of MPs is calling on the federal government to issue an overarching annual national-security threat assessment and provide more information on how to prevent cyber attacks, particularly from Russia.


“Concern about Russia is heightened because it has shown a willingness to cross internationally recognized red lines,” reads a report from the House of Commons committee on public safety.

The report, tabled in Parliament last week, argues that the various agencies and committees handling national security issues operate in silos, and that a patchwork of reports comes from different sources.

The MPs want someone in government to gather those recommendations and create an annual priority list, as is done in Washington. They say this should start with a review of the various “cyber roles, responsibilities, and structures that exist across the federal government” in order to “maximize coherence, co-ordination, and timely action.”

The committee heard about malware and cyber attacks originating from Russia that have affected Canadian firms, such as the NotPetya attack in 2017 and the 2020 SolarWinds Orion hack, which Global Affairs Canada said compromised more than a hundred Canadian entities.

The MPs feel Canada could do more to prevent these attacks on government agencies as well as private companies, in part by compelling mandatory reporting.

They noted there are few obligations for firms to report cybersecurity incidents that don’t involve a data leak. Last October, the then-head of the Communications Security Establishment, Caroline Xavier, testified that “many organizations don’t report it” when they get hacked.

Witnesses also said that critical infrastructure operators have lax rules compared with European and American counterparts. They also said some fields like port operators lack clear reporting timelines on preventive cybersecurity measures.

The committee wants the CSE to better inform smaller businesses about how to prevent cyber attacks and to provide tax breaks for companies to better protect their data.

Witnesses noted that hackers tend to focus on larger targets, but smaller firms lack protection.

The non-profit Canadian Cyber Threat Exchange reported in May 2022 that 44 per cent of small- and medium-sized enterprises that are members of the organization lacked “any form of cyber-defence” and 60 per cent of these smaller firms had no insurance for cyber attacks.

The committee suggested the government should compel companies of enough importance and size, as well as government bodies, “to prepare for, prevent and report serious cyber incidents” with clear timelines and a lessons-learned exercise after a hack.

MPs also noted calls from witnesses for better co-operation with the U.S. on cyber attacks to critical infrastructure, similar to the binational North American Aerospace Defence Command, or Norad.

Yet the committee did not recommend Canada follow Britain in tying procurement with cyber protection, such as requiring firms to have basic protection against hacking in order to compete for government contracts.

The report also proposes the government work with internet service providers and social-media platforms “to counteract online bots that are amplifying state-sponsored disinformation” from Russia, and to report to Parliament on those efforts annually.

The committee said Ottawa should support Russian dissidents and journalists, such as by funding media outlets or offering refuge to academics and technology workers.

The MPs want Ottawa to speed up the modernization of Norad and to consider compelling financial planners to divulge guidance they’ve offered to people sanctioned by Canada on how to avoid the impact of those restrictions.

They also called for the creation of a foreign agent registry; the federal government is currently consulting the public about such a move. They noted criticism that the thresholds for law enforcement to probe foreign-interference activity are too high, which may be why few cases have been prosecuted.