Raoul Hira, CISSP, shares his experiences of how zero trust principles can bolster cyber maturity and establish a robust defense in depth strategy, with a focus on mitigating the new risks posed by remote workers.
As digital landscapes evolve and the workforce becomes increasingly dispersed, the need for robust cybersecurity frameworks like zero trust has become undeniable. In my two decades of working across the globe, I've seen the shortcomings of traditional security perimeters firsthand. Zero trust is not just a strategic option in these times, it's a critical necessity.
Zero trust is based on the premise that trust should not be automatically granted, whether inside or outside an organization's perimeter. This concept became particularly clear to me while consulting for a multi-national organization where an insider threat was identified, undermining the then-prevalent perimeter-based trust model. The experience highlighted the importance of verifying everything trying to connect to an organization’s systems – a fundamental principle of zero trust.
Improving Cyber Maturity with Zero Trust
Cyber maturity describes an organization's readiness to manage and mitigate cybersecurity risks effectively. Zero trust significantly enhances this maturity by introducing stricter access controls and continuous verification mechanisms, critical in today’s environment where traditional boundaries have dissolved.
Here are some ways in which zero trust contributes:
- Minimized Attack Surface: By strictly limiting access to authenticated and authorized users and devices, zero trust reduces the number of vulnerabilities that can be exploited. I witnessed its effectiveness firsthand when we transitioned a client from a breach-prone network to a zero trust architecture, reducing their security events and incidents by more than 80%
- Enhanced Visibility and Control: Under zero trust, every action on a network is logged and monitored. During an implementation at a retail giant, this led to the quick detection and mitigation of an attempted data breach that originated from a seemingly benign source
- Adaptive Security Posture: The dynamic nature of zero trust policies allows them to adapt to the changing threat landscape and organizational needs. This adaptability was crucial during a project I worked on in which user roles changed rapidly during a merger and required flexible access controls
Addressing Remote Worker Risks with Zero Trust
The shift to remote work has expanded traditional security perimeters and introduced vulnerabilities that are less prevalent in controlled office environments. In my experience, remote work settings often lack rigorous security measures, making them prime targets for attackers.
Implementing zero trust can effectively mitigate these risks, through:
- Secure Remote Access: We enforced strict authentication and conditional access in a project for a technology organization, which proved critical when an employee attempted access from a compromised network
- Regular Device Assessments: Ensuring that devices meet security standards before accessing the network is crucial. In one case, a routine check prevented a malware-infected device from connecting to critical infrastructure
- Segmented Access Control: Implementing granular control of what workers can access based on their specific needs helps minimize internal threats even when those workers are on the internal network. This was a game-changer for a client that had previously experienced serious data leakage due to over-privileged access
Implementing Defense in Depth with Zero Trust
Defense in depth is a strategy that involves multiple layers of security controls. Zero trust enhances this approach by adding foundational layers that ensure security measures are not solely dependent on perimeter defenses:
- Layer 1: Identity Verification: Rigorous authentication of every access request, especially from remote workers
- Layer 2: Device Security: Managing the security status of devices accessing the network
- Layer 3: Network Segmentation: Limiting lateral movement within the network
- Layer 4: Data Protection: Applying data-centric security measures like encryption and tokenization
Case Study: Implementing Zero Trust in a Hospital
The healthcare industry faces more data breaches than any other sector. In this example, a regional hospital that we will not name, with approximately 400 beds and multiple local clinics, faced escalating cyber threats due to the increased use of remote access, a network spread across multiple buildings, and legacy, vulnerable operational technology (OT) in the form of medical devices. Recognizing the need to bolster its cybersecurity, hospital management opted for a zero trust approach.
I led the project, which began with a thorough assessment of their existing infrastructure. We implemented strict identity and access management protocols, ensuring that only authenticated and authorized users could access sensitive patient data and critical systems. Each device connecting to the network underwent rigorous health checks against security standards: up-to-date antivirus software and encryption for standard endpoints, or compensating controls for OT such as medical devices that have no fixes for their vulnerabilities or cannot be updated because they are in constant use and patching would affect patients.
We also segmented the hospital's network, isolating critical systems and sensitive data from less secure parts of the network. This prevented potential lateral movement in the event of a breach. Continuous monitoring and detailed logging of network activities enabled swift detection and response to any suspicious activities.
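The four defense in depth layers listed above, and the way the hospital project applied them (MFA for every request, device health checks with compensating controls for unpatchable OT, segmentation, data-centric protection), can be expressed as a single ordered policy evaluation. The following is an added illustration, not code from the article or from the hospital engagement; all segment names, roles, device attributes and policy rules are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Identity:
    user: str
    authenticated: bool
    mfa_verified: bool
    roles: set

@dataclass
class Device:
    name: str
    managed: bool = False
    av_current: bool = False
    disk_encrypted: bool = False
    is_ot: bool = False                  # legacy medical device that cannot be patched
    compensating_control: bool = False   # e.g. isolated VLAN plus monitoring in place

# Constructed policy data: permitted segment paths, role grants, sensitive resources.
ALLOWED_PATHS = {("clinical_ws", "ehr"), ("remote_vpn", "ehr"), ("ot_medical", "ot_monitor")}
ROLE_RESOURCES = {"clinician": {"ehr"}, "biomed": {"ot_monitor"}}
SENSITIVE = {"ehr"}

def evaluate(ident: Identity, dev: Device, src: str, dst: str, resource: str):
    """Walk the four layers in order; the first failing layer denies.
    Returns (allowed, reason, obligations); obligations are non-empty only on allow."""
    # Layer 1: identity verification (no implicit trust from network location)
    if not (ident.authenticated and ident.mfa_verified):
        return False, "identity: authentication or MFA missing", []
    # Layer 2: device security; unpatched OT is admitted only with a compensating control
    if dev.is_ot and not dev.compensating_control:
        return False, "device: OT without compensating control", []
    if not dev.is_ot and not (dev.managed and dev.av_current and dev.disk_encrypted):
        return False, "device: posture check failed", []
    # Layer 3: network segmentation, then least-privilege role grant
    if (src, dst) not in ALLOWED_PATHS:
        return False, f"segment: {src}->{dst} not an allowed path", []
    granted = set().union(*(ROLE_RESOURCES.get(r, set()) for r in ident.roles))
    if resource not in granted:
        return False, f"role: no role of {ident.user} grants {resource}", []
    # Layer 4: data protection obligations attached to the grant, plus session logging
    obligations = ["encrypt_in_transit", "log_session"]
    if resource in SENSITIVE:
        obligations.append("tokenize_patient_identifiers")
    return True, "all layers passed", obligations
```

The order matters: a request is never evaluated against segmentation or role rules until identity and device posture have passed, so a compromised but "internal" device gains nothing from its network location.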
The result was a significant reduction in cybersecurity incidents and enhanced protection of patient data, ensuring compliance with healthcare regulations and maintaining the trust of patients and staff alike.
Conclusion
Adopting zero trust principles enables organizations not only to protect against current cyber threats but also to adapt to future challenges. It ensures that cybersecurity practices are as dynamic and resilient as the digital landscapes they operate within, especially in managing the additional complexities introduced by the shift towards remote working.
Raoul Hira, CISSP, has 20 years’ experience in finance, energy, pharmaceuticals, life sciences, retail and government. He has held technical and management roles, with responsibility for developing cyber risk assessment methodologies, secure architecture and cyber transformations.