Protecting yourself, your company and your data from the vulnerabilities of connectivity is no longer an option, but an imperative.
By Peter Oggel, Chief Technology Officer, Irdeto
In medieval times, rulers would dig a deep moat around their castle walls. At night, the drawbridge would be raised, and anyone inside the castle walls would be protected effectively from intruders. Perimeter security on your company’s systems and connected devices is a bit like those moats. It’s not going to protect you from modern hackers who can sneak into your system undetected, or can disguise themselves as your employees. That’s why a Zero Trust Architecture is the only way to protect anything that is connected to the internet – whether your existing internal systems or your new connected devices.
Protecting yourself, your company and your data from the vulnerabilities of connectivity is no longer an option, but an imperative. The ever-growing number and intensity of cyberattacks makes it mandatory for organizations to take a hard stance: every person, every application and every device must require constant verification and authorization to enter. Start to finish, at every step of the process.
Trust no one and nothing
The increasing sophistication of cyberattacks compels companies to take a much deeper look at who’s in their systems, and what they’re doing there. This starts with multi-factor authentication and levels of authorization that determine what information the person can access, once identified (segregation of duty). Before any type of connected communication is permitted within your system, you must be able to identify who the user is, what they’re allowed to access, and how they’re allowed to access it.
Next, you must enforce strict controls to manage breaches when they occur. Perhaps most importantly, only constant and automated monitoring and adjustment of your security posture will help you stay ahead of the rapidly adapting hacker behavior. As hackers evolve their attack techniques, your security systems must adapt alongside them in a fully automated fashion.
Protect every device, everywhere
How big is the scope? Pretty big. Basically, any device that has an IP address needs to be protected with Zero Trust Architectures. For example, non-connected cars can safely and effectively use IT technologies to enable communication between the driver, the controls and the engine. The computer ‘knows’ that all the signals are coming from inside the car. But in connected cars, a remote hacker could be in control of the gas pedal and the brake. The difference is connectivity – and it can be both a blessing and a curse.
The more connected we become, the more complex the situation gets. Today, anything that can be accessed remotely is vulnerable to attacks. From medical devices and smart thermostats to data centers and movie production studios. And the bigger the value of the target, the more motivated a hacker is to crack it.
Your weakest link, your biggest asset
When it comes to security, the majority of companies struggle with the same dilemma: people are often the weakest link in the security chain. Sometimes, that email link or ‘special offer’ is just too enticing to resist. Even though their gut may be telling them it sounds too good to be true, they simply can’t help themselves: they have to click and see for themselves.
But that intrinsically human ‘gut feeling’ can also be your company’s biggest asset. If you constantly train and remind your people of your Zero Trust policies, they will be even more vigilant and suspicious of anything that even looks slightly out of the ordinary. Pure intuition can help stop attacks and sound the alarm, simply because they are constantly reminded that Zero Trust is part of your company culture.
Irdeto is certainly not immune to attacks. After all, countless hackers around the world would do it simply for the bragging rights: “I took down the cybersecurity experts.” In just the past year, one employee’s human intuition protected us from unthinkable invasion. And another employee’s human error nearly enabled another. But because of the multiple levels of protection and multi-factor authentication protocols of Zero Trust, our systems remained protected. Still, we never stop monitoring and improving. And we never stop reminding our colleagues of the importance of vigilance.
Make it all easier
The great news is, as multi-factor authentication matures, it gets easier to use and less intrusive. And the easier and less intrusive identification becomes, the more layers of verification we can add to security systems, and thereby protect systems with millions of invisible moats.
Soon, there will be no need for passwords at all. Systems will use ‘voice or behavior DNA’ to authenticate a user’s identity. The system will be able to distinguish between the actual person’s voice and a deep fake. Biometric identification, like fingerprints, will become more prolific. And mobile technology’s motion sensors and gyroscopes will be able to identify you from your patterns of movement, your walking cadence and the way you hold your phone. So, if you happen to lose your unlocked phone, the system will know someone else has picked it up. The same multi-DRM systems that protect video entertainment can also protect connected cars. A policy-based management system and multi-factor authentication will ensure that no one drives the car unless they are authorized to do so. It can even enable user-specific controls.
Need to be convinced that there’s no time to wait to work on your Zero Trust Architecture? Just look around. Every single day, all over the world, we find cases of invasion that Zero Trust may have prevented. And the price of ‘waiting and seeing’ if it happens to you is simply too high. So, start going through your business from top to bottom and review every connection point, every potential target, and every possible threat. Prioritize your list based on the impact of a breach, and get to work. Called attack modelling and a cybersecurity risk register, this prioritized list should guide your immediate and ongoing action for cybersecurity. And it should be constantly updated. After all, something that’s only a mild threat today, could very easily be a major threat tomorrow.
The register will also enable you to invest in the right security at the right time, and evolve your security structures over time. And remember: AI and ML are enabling automated cyberattacks. Be sure to use the same technology to create automated protection. Otherwise, you’re just bringing a knife to a gunfight.
The newer, the better
There are certainly plenty of opportunities to ensure that any new devices or systems you build have the best protection possible. This starts with Security by Design: every new product should be built with the necessary security elements and ability to upgrade them. After all: you must plan to keep your devices fully secure for their entire lifetime, from the cradle to the grave. And given the rapid pace at which attacks are developing, you can safely assume that the security measures you put in place in the initial design of your device will already require an update by the time your product is ready for launch. Hackers never sleep, and neither should you.
Five tips for Zero Trust
When designing your Zero Trust Architecture, there are a few general principles you should always keep in mind.
- Pirates and hackers are fairly lazy. The more difficult you make it for them to crack your system, the sooner they’ll give up. That’s why multiple layers of protection, and extra protection for your most valuable assets, are essential.
- You should never assume anything. Establish and verify trust for every person, every interaction, every device and every connection. The only secure solution is one in which no one is trusted until they’re verified.
- The less noticeable your multi-factor authentication is, the better. Use the latest technology to make passwords obsolete and give authorized users the feeling they have seamless access. If authentication is too difficult or cumbersome, it will only increase the likelihood that your employees will take shortcuts that leave your system vulnerable.
- Make your people alert, and keep them alert. Security training should never be a one-off event. Everyone in your organization should have a clear and frequent reminder of your security protocols and the reasons for them.
- Think in layers. Your employees are human, and humans make mistakes. It’s just a fact. Layers of protection and authentication points can be your best friend. That way, if someone accidentally leaves the front door open, your precious valuables are still locked safely away in the company vault.
About the Author
Peter Oggel, Chief Technology Officer, Irdeto. Peter joined Irdeto in May 2009 and is currently Chief Technology Officer at Irdeto. He is a seasoned ICT and telecommunications industry executive with over 20 years of international experience and a consistent track record. Prior to joining Irdeto, Peter founded and served as the Managing Director of Smile Telecom, a start-up that pioneered WiMAX technology while launching an operational mobile service provider (MVNO) and fixed line service provider (VOIP) in the Netherlands.
Before he founded Smile Telecom, Peter was a Vice President at LogicaCMG where he held management positions in Strategic Sales, General Management, Operations and R&D, and was instrumental to the success of LogicaCMG’s mobile messaging and data solutions. Prior to joining LogicaCMG, Peter worked at different positions in Fintel S.A. and Digital Equipment Corporation in Switzerland and France. Peter holds a Bachelor of Science degree in Technical Physics from the Technological University in Eindhoven (the Netherlands).