Where did my castle go?
Once upon a time, people trusted everyone, and the rare individual was a thief. Most left their doors unlocked. Shop keepers could set up anywhere and leave their shops unlocked without worrying about someone plundering their goods. If someone said they were in need, they really were. You could transact business leisurely (snail mail), and if a letter came that had Aunt Sally’s return address on it, you could be sure it was from her.
But things changed. Ne’er-do-wells increased. More businesses were attacked. Financial losses increased and trust decreased. The solution seemed to be to retreat behind the walls of the castle. Surely with high, sturdy walls and only a few ways in and out, we would be safe. For a relatively short while, that worked. Unfortunately, as businesses changed, more doors were needed in the castle. Companies decided that 24 hours were needed for conducting business, so the doors were open all the time. Added to that, the brigands on the outside found ways to convince the innocents on the inside to do things that resulted in harm to the businesses, and to them personally. Even inside the castle, no one was safe anymore. Trust became a rare commodity.
No More Hiding Behind Castle Walls
The castle metaphor is no longer relevant for business. Closing off the outside world and letting just a few things in and out was somewhat workable in the early days of the internet and electronic transactions, but as companies started to sell around the world 24/7, business needs changed. A lot of information needed to be exchanged, and customers became accustomed to constant connection and data availability. This led to a flood of information moving in and out of the enterprise.
As with any flood, undesirable things get swept in as well. Determining what is good and what is bad became very difficult. Phishing attacks have increased in volume and sophistication. Ransomware and data theft are increasing. Who can you trust? The short answer is no one. This means that businesses are going to have to undergo a radical shift in thinking when it comes to security. One approach that seems to have promise for the future is the Zero Trust model. Microsoft has this definition:
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Micro-segmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time.
Trust Nobody?
CSOonline.com points out perhaps the most difficult part of going to a zero-trust model:
“Most organizational IT experts have been trained to implicitly trust their environments. Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment,” he explains.
Because Zero Trust relies heavily on micro-segmentation of the network, the article points out that “the ongoing work required with the micro-segmentation approach could lead to a lot of Band-Aids and that can make networks more brittle.”
The landscape for business is changing as the flow of data increases and the users become more used to the idea of constant connection and universal data availability. So, while the castle might still be there, the walls are full of holes and will eventually be gone altogether. In the meantime, as users of the internet, the burden falls on us to forget the castle and adopt a Zero Trust way of life. If you think that is extreme, just consider these stats from Norton for the first 6 months of 2019:
• 3,800: The number of publicly disclosed breaches.
• 4.1 billion: The number of records exposed.
• +54%: Increase in number of reported breaches vs. first six months of 2018.
As users, whether in the castle or at home, we need to be alert to scams, phishing, and outright attacks on our data. IoT devices like door bells, ovens, routers, and others (baby monitors, anybody?) are being compromised and allowing innocuous devices to play a part in DDoS attacks and spam/phishing campaigns. This only happens because we let our guard down and get compromised. Trust no one and verify everything. Keep your guard up and your castle secure. If you don’t know how, get with a trusted advisor like Ashton to point you in the right direction.
If you’re looking to better secure your network, protect your data, and educate your users, give Ashton Technology Solutions a call at 216 397-4080.