Protecting your Identity with a Zero Trust Mindset 

Statistics from the IBM Cost of a Data Breach 2022 report, which collected information from 550 organizations impacted by data breaches, state that: 

  • Stolen or compromised credentials were the most common initial attack vector in 2022. 
  • Breaches caused by stolen or compromised credentials took the longest to identify and contain, with a mean of 327 days. 
  • The average cost of a breach caused by stolen or compromised credentials was $4.50 million. 

These statistics show why identity has become one of the most critical components to protect within a cybersecurity program. As organizations shift toward cloud and hybrid work, identity has become the new perimeter, replacing the traditional network layer that protected a data center and office model. Identity compromise can occur in many ways; the more common approaches include password guessing, brute-force attacks, password re-use, password sharing, social engineering techniques such as phishing, and outright credential theft. Without additional controls in place, a compromised identity allows a threat actor to quickly gain a foothold, move laterally through your environment, exfiltrate data, and potentially deploy ransomware to cripple your operations. 

Adopting Zero-Trust Architecture

For this reason (and many others), we need to adopt a zero-trust architecture with a multi-layered security approach within our cybersecurity programs. A concerning statistic from the same IBM Cost of a Data Breach 2022 report is that only 41% of the organizations that participated in the study currently deploy a zero-trust architecture model, and those that do not incur a much greater breach cost, an average addition of $1 million. Clearly, as a community, we have a lot of work to do. 

The Six Pillars of Zero-Trust

Referencing the Microsoft zero trust strategy, there is a focus on six pillars: 

  • Identities are the new perimeter. An identity is something that needs to access an app, data, or some other form of resource. 
  • Device and endpoint protection is an essential component of zero trust. This includes mobile devices, laptops, servers, virtual desktops, IoT, OT, and so on. 
  • Data is at the core of the zero-trust model. It is ultimately data that the intruders are looking to exfiltrate from your environment. This is the true asset that needs to be protected. 
  • Applications and application programming interfaces (APIs) are gateways to your data. They need to be governed and deployed with best practices to prevent unauthorized access to data. 
  • Infrastructure pertains to everything within your environment that provides the means to store your data and/or run applications such as servers, VMs, appliances, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). 
  • Network is a medium where your data travels. Once considered the perimeter for defense, this pillar still holds a critical role as part of zero trust to ensure all data is encrypted during transport, next-generation protection is deployed, micro-segmentation is in place, and more. 

Each of these pillars requires multiple technologies and invested time to reach a zero-trust architecture model. In addition, there is no end goal on this journey: a zero-trust architecture model is a strategy that will continue to evolve. As threat actors find new techniques, we will need to keep improving the posture of our cybersecurity programs. 

How do we manage identity?

Focusing on the Identity pillar, it is important to have controls and detection beyond the traditional username and password, and even beyond standard multi-factor authentication (MFA), as these alone will not stop a threat actor from compromising your environment. Doing this efficiently requires several technologies working together to reduce the chance that a user's identity is compromised or misused. They should include: 

  • A cloud-based directory for authentication and a centralized identity store for your users. 
  • Identity protection, meaning risk-based detection of compromised users and risky sign-ins. 
  • Biometrics, and passwords of at least 12 characters wherever passwords remain. 
  • Strong, phishing-resistant MFA, moving away from phone calls, text messages, and simple push notifications. 
  • Passwordless authentication based on the FIDO2 standards. 
  • Access control based on location, trusted (compliant) devices, and user and sign-in risk. 
  • Password vaulting, and Single Sign-On (SSO) where applicable. 
  • Blocking legacy authentication protocols, which cannot enforce MFA. 
  • Least privilege principles and role-based access control (RBAC). 
  • Privileged Identity and Access Management (PIM and PAM) with Just-In-Time (JIT) elevation. 
  • Modern B2B/B2C capabilities for contractors, suppliers, and customers. 

Ideally, you want to strategize with fewer vendors to keep the attack surface smaller and reduce the overhead of managing multiple suppliers. This also simplifies your architecture by reducing integration points. You will also want to look at cloud-first technologies, which let you leverage greater resources and stay on the latest releases far faster than traditional on-premises technologies. Looking at Microsoft solutions as part of your identity strategy, you will be able to deploy most of the capabilities referenced above (with the correct licensing) as part of your zero-trust architecture strategy for identity. It is not easy keeping up with Microsoft's continuous re-branding and renaming of its products, but the latest branding for its identity technology is Microsoft Entra. 

Putting Zero-Trust into Practice

With Microsoft Entra, you have several areas that include identity and access management, entitlement management, identity verification, digital asset security, identity governance, and more. Within these areas, some of the more important tools to assess for improving security posture are Azure Active Directory (now Microsoft Entra ID), Microsoft Defender for Endpoint, and Microsoft Defender for Identity. To pinpoint specific technologies that decrease the risk of identities being compromised or used to compromise your environment, invest resources in deploying strong MFA with a roadmap toward passwordless, leverage Conditional Access, and enable Privileged Identity Management. These are very powerful tools when set up and used correctly.
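The legacy-authentication block, the risk- and device-based access control, and the phishing-resistant MFA for privileged roles called for in the identity list above are all expressed in Microsoft Entra as Conditional Access policies. The following is an added example for this article, not code from the original post or from Microsoft, written against the Microsoft Graph PowerShell SDK. The break-glass group ID and the policy names are assumptions; the Global Administrator role template ID and the "Phishing-resistant MFA" authentication strength ID are Microsoft's well-known built-in values.

```powershell
# Added example (not from the original article): audit legacy sign-ins, then create two
# Conditional Access policies with the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). Run with a Conditional Access Administrator account.
# Assumption: replace the placeholder below with the object ID of your emergency-access group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$scopes = @(
    "AuditLog.Read.All", "Directory.Read.All",                # read sign-in logs
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",  # manage Conditional Access
    "Application.Read.All"                                    # resolve app references in policies
)
Connect-MgGraph -Scopes $scopes

# 1. Audit first: which accounts still authenticate with legacy protocols? Basic auth
#    cannot perform MFA, so every such sign-in is a password-only door. Sign-in logs label
#    modern clients "Browser" or "Mobile Apps and Desktop clients"; anything else
#    (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is legacy.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Block legacy authentication tenant-wide. "enabledForReportingButNotEnforced" is
#    report-only mode: the sign-in logs show what would have been blocked, nobody is
#    locked out yet. Flip state to "enabled" once the audit above is clean.
$blockLegacy = @{
    displayName   = "ZT-001 Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client classes
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)          # emergency-access accounts stay excluded
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 3. Require phishing-resistant MFA (FIDO2 security key, Windows Hello for Business or
#    certificate-based authentication) for Global Administrators instead of phone, SMS or
#    push approval. 62e90394-... is the Global Administrator role template ID;
#    ...0004 is the built-in "Phishing-resistant MFA" authentication strength.
$adminMfa = @{
    displayName   = "ZT-002 Phishing-resistant MFA for Global Administrators"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles  = @("62e90394-69f5-4237-9190-012177145e10")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa
```

Two practitioner caveats are built into the example: both policies start in report-only mode so their impact can be read from the sign-in logs before anyone is blocked, and both exclude an emergency-access group so that a misconfigured MFA or device requirement cannot lock every administrator out of the tenant.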

As you can see, zero-trust architecture is a powerful way to reduce risk within the enterprise. If you are not yet adopting a zero-trust architecture, add it to your strategy today. In addition to Microsoft's zero-trust architecture, other suppliers publish their own variants of this model with guidance on how to adopt them. Notable references to review include the NIST zero trust architecture (SP 800-207) and the CISA zero trust maturity model. 
