Bryan Christ, Hitachi-ID Systems: “trust nothing, secure everything”
In light of accelerating cybercrime, businesses are growing more cautious about their passwords, clicks, and digital defenses, leading to the global adoption of Zero Trust security.
A Zero Trust approach is based on a “check everything” policy: organizations must verify and conduct checks before granting access to any of their data and resources. This goes for both internal and external environments. Generally, Zero Trust is a great way of preventing data breaches, but not all enterprises have switched to that strategy yet.
Bryan Christ, a sales engineer at Hitachi-ID Systems, discussed with us why adopting a Zero Trust approach is an essential move forward for online security, as well as why some companies are still hesitant to follow through with it.
Since Hitachi ID ensures security for various industries, what are the most common vulnerabilities you run into in each field?
Hitachi ID focuses on security for a number of industries – including higher education, financial services, and healthcare – and interestingly, the attacks bad actors employ often follow a predictable pattern regardless of vertical. The two most common vulnerabilities we see are privileged accounts that are not vaulted and randomized, and a lack of multifactor authentication (MFA). Default master passwords are increasingly becoming an easy entry point when they’re not consistently modified. If administrative passwords that control core infrastructure, such as servers, aren’t routinely changed, they become more likely to be attacked. This proved to be the case in the disastrous SolarWinds attack last year.
Meanwhile, MFA protects against phishing – the number one way bad actors hack into organizations. Phishing is typically done through campaigns that look like this: a fake email address, that looks like (but isn’t) an existing employee’s, contacts another person at the organization, prompting them to open a link or respond. If the attacker is able to garner an employee's password, and there are no other factors of authentication, they have gained a foothold.
As organizations start building increasingly complex cybersecurity infrastructures, it’s also important to remember the basics. Sometimes, changing your password and implementing MFA is all it takes to protect a million-dollar organization.
You put a lot of emphasis on Zero Trust security. Could you tell us more about its key principles?
IT environments have become more fluid, open, and, ultimately, vulnerable. As a result, more companies are relying less on conventional methods such as VPN to keep their networks secure. Zero Trust is a security approach that addresses these new network realities by trusting no one.
Traditional approaches to cybersecurity rely heavily on an outdated model which overemphasizes the perimeter. With growing networks of users, devices, and applications, threats are just as likely to come from within the boundary: internal threats can be as high as 50%, depending on your industry. Organizations are beginning to recognize the reality that there are no longer any truly closed systems. Many gravitate to Zero Trust to mitigate risk from cyberattacks from multiple entry points (including internal).
Micro-segmentation, software-defined perimeters, and enhanced identity governance are three approaches that NIST identifies for implementing a Zero Trust architecture (ZTA). But while implementing Zero Trust is the gold standard, it is important to keep in mind that Zero Trust is a journey, not a destination – and it can take time. Companies can get there by following these principles:
All three ZTA methods are rooted in these foundational principles. Each specific approach lends its strengths to some use cases more than others and is not mutually exclusive.
In your opinion, why are more companies taking the Zero Trust approach?
With the rising number of cyberattacks we have witnessed over the last 12 months, coupled with the security concerns brought about by the uptick in remote work during the pandemic, the organizational imperative to adopt a Zero Trust architecture has become more pronounced. Executives are realizing that cybersecurity is evolving. Now, attacks are so dynamic and diverse that a Zero Trust Architecture is necessary for organizations to defend against breaches before they happen.
The philosophy of Zero Trust has been gaining momentum in recent years and has become more practicable as technologies and tools built on its framework become mainstream. Industry drivers such as President Biden’s recent Executive Order calling for Zero Trust models in the private sector and rising cyber insurance costs have also led to the increased demand for digital transformation in cybersecurity and the adoption of Zero Trust.
Have you noticed any new threats as a result of the pandemic?
The pandemic directly increased the expansion of the remote and hybrid workforce – and that really challenged the security industry to establish best practices. This expansion drove organizations to frantically make changes like migrating to SaaS applications and the expanded use of virtual desktop infrastructure (VDI) environments. This uptick in SaaS adoption and VDI use also resulted in more public-facing logins, and thus, a larger attack surface for hackers.
Interestingly, with these changes, we also saw an increase in the solicitation of executive and C-Suite employees for a percentage of theft royalties. Coercing an employee to plant malware on their internal networks greatly simplifies the attack process and introduces a new challenge for organizations. This includes things like cybersecurity education campaigns and awareness of suspicious or atypical employee behavior.
There has also been a rise in ransomware-as-a-service – which is when an attacker (typically state-sponsored or organized crime) pays a fee to an organization like REvil or DarkSide. For users who may not have the technical skills to execute such an attack, this provides a path forward.
You provide both Identity & Access Management and Privileged Access Management. However, these terms are often confused. Could you explain the main differences between the two?
Identity and Access Management (IAM) is the framework that ensures the right users have the appropriate access within IT systems. Privileged Access Management, a subset of IAM, manages the accounts that have elevated permissions to critical resources.
The number of companies affected by cyberattacks grows exponentially, yet, according to your recent survey, a large number of organizations take action only after an incident occurs. Why do you think people are reluctant to keep up with online security?
The short answer: people are reluctant to keep up with online security because of financial investment. In our last survey with Pulse, we learned that 100% of IT executives believe discovering and mitigating identity and access threats is a pain point for their IT department’s resources. But, IT needs buy-in from the C-Suite, HR, change management, and other departments to invest time and money into championing a Zero Trust initiative. It’s a long-term commitment that includes building a team, conducting a gap analysis, prioritizing which risk factors you’re going to tackle first, setting KPIs, and managing the deployment.
What safety practices can businesses implement to avoid threats before it is too late?
Credentials and privileges, like passwords, are the keys to the kingdom. A proactive approach of locking down data and access management from the inside out is the only way to avoid threats.
Static and locally stored passwords are often a significant part of any breach – and organizations need to implement privileged access management to combat these risks. Looking beyond static passwords, utilizing multi-factor authentication (MFA) and single sign-on (SSO) will significantly reduce threat levels by preventing bad users from gaining a foothold in the organization. Additionally, allowing users the minimum access necessary to perform a specific job through just-in-time access (JIT) and randomized privileged account passwords protects organizations from cyberattackers.
Smart password management and privileged protection ultimately lead to the gold standard: a Zero Trust architecture.
According to your website, 40% of enterprises will have adopted Zero Trust Security by 2023. How do you think cyberattacks could change when the majority of businesses implement this safety measure?
Current modern encryption is based on the principle that it is “computationally infeasible” to decrypt. While that is true today, hardware manufacturers are making significant strides in computational capacity, particularly with advancements in quantum computing. At a high level, quantum computing uses specialized hardware and software to process large numbers of simulations more quickly than conventional computers – which could open up new doors for advanced attacks. But we aren’t facing doomsday just yet. As the relative immaturity of quantum technology gives us time to prepare for the future, security defenders like Hitachi ID will be there when the time comes.
Share with us, what’s next for Hitachi ID?
In the short term, we want to continue to hone in on frictionless user experience. We are confident in the functionality of our technology, but next, we want to continue to work on creating an experience that reduces complexity for the end-user and risk for the organization. In the longer term, we want to build on our predictive analytics capabilities – applying them to the technology and security landscape.