Zero trust for insider access

If you’re in the cybersecurity field, chances are you’ve heard of the castle-and-moat strategy of securing sensitive systems. This strategy focuses on securing the castle (or sensitive system) from external threats while placing minimal controls on trusted insiders. The core hypothesis is that internal users are trusted, while external parties represent a more dangerous and damaging threat. Unfortunately, limited controls on insider accounts have resulted in numerous breaches, such as when insiders leverage existing privileges to exfiltrate data or when an external attacker gains access to an insider account (possibly through phishing) and leverages those privileges for malicious activities. As a result, organizations are increasingly applying to insiders the same controls that were once limited to external parties.

One specific cybersecurity concept that is gaining popularity is zero trust. Zero trust at its core assumes that no user is trusted (whether that’s an internal or external user). Users of all types — internal, external, executive, third party, high-clearance or entry-level — are considered a possible threat, and the actions those users can perform and the resources the users can access on a network should be limited by default. Zero trust network access (ZTNA) specifically limits which sensitive systems a user can access and is implemented with various security controls, such as multi-factor authentication, least privileged access, access and employment verification and attestation, credential vaulting and detailed auditing. When these controls are applied to both internal and external users, an attacker’s ability (i) to gain access to a sensitive system or (ii) to leverage access to one system on the network to access another is drastically reduced.

It’s important to remember that there are inherent trade-offs between a system’s security posture and how much friction the added security controls introduce. When security controls reduce productivity drastically, business leaders may demand that the newly introduced security controls be discarded, potentially introducing long-term organizational risks. However, if the controls are designed with user productivity in mind, ZTNA and similar controls can reduce breach risks while minimally impacting user output.

Why should organizations be concerned about insider threats?

At first glance, it might seem like employees (or internal users) should be the most trusted users accessing a network or system. After all, the organization hired them! Human resources conducted a background check, spoke to their references, met them in person and willingly offered them a position at the company. As part of their job, these internal users require access to sensitive systems to perform their duties. Alas, the insider threat is real. Insiders’ accounts have been abused, such as when employees take advantage of their internal access privileges to access restricted information, when attackers compromise accounts to perform malicious acts or when human error occurs. No matter the reason, the insider threat needs to be managed, as the damage that could be caused can be as costly as an external attack.

How to accomplish internal access security

While employees are mostly well-behaved, breaches and other attacks may still occur by accident due to employee negligence or phishing. Given these risks, it is best to consider controls to minimize the breadth and scope a breach can take. The zero trust security controls outlined at the beginning help reduce organizational risks. While zero trust network access is usually associated with protecting against outside threats, it’s clear that the principles can and should align with insider security measures as well.

  • Multi-factor authentication (MFA) helps verify the identity of the user who’s trying to access the system. Once an employee enters their password into a system (i.e., something the employee knows), a second verification is required to ensure their identity, often using something the employee has, such as a phone or token.
  • Least privileged access involves restricting access down to the most granular level, meaning employees should have access only to the systems, servers or applications needed to do their job and nothing more. Least privileged access is accomplished using privileged access management (PAM) or identity access management (IAM) systems that help manage each employee’s access permissions.
  • Vaulting credentials, that is, storing and protecting login information in a controlled system rather than leaving it in users’ hands, is an essential step in securing internal access. Also, human error and leaked credentials tend to go hand-in-hand — most of the time, employees won’t know that their passwords have been stolen until it’s too late.

Another best practice is to conduct periodic access reviews — or, better yet, implement an access review tool that can continuously review access rights, monitor employee access and flag inappropriate or incorrect access attempts. These solutions help streamline effective access reviews and make it even easier to spot invalid access attempts that could cause internal disruption. Access reviews also help implement least privilege policies by ensuring that employees only have access to the systems needed for their specific role, especially when employees change roles or leave an organization.

In summary, while preparing for attacks and working to mitigate risks, don’t discount insider threats that could come from your employees. While every organization’s security systems, controls and protocols may differ, locking down internal access with zero trust is increasingly deployed and can help prevent breaches or reduce their extent.

This article was originally published on InfoSecurity Magazine.
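As an added illustration of the least-privilege and access-review controls described above (example code written for this page, not from the article or any product), the script below compares each employee’s current grants against a constructed role-to-system entitlement map, flags excess privilege left over from a role change and access still held by a departed user, and screens a constructed access log for attempts outside the requester’s role. The role map, employee records and log entries are all assumed sample data.

```python
"""Least-privilege access review over constructed sample data."""
from dataclasses import dataclass, field

# Constructed entitlement map: which systems each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp", "expense-portal"},
    "sre": {"prod-ssh", "metrics", "ci"},
    "support": {"ticketing"},
}

@dataclass
class Employee:
    user: str
    role: str         # current role from the HR system of record
    active: bool      # False once HR marks the person as departed
    grants: set = field(default_factory=set)  # systems the account can reach now

def review_access(employees):
    """Return (user, system, reason) findings for grants a zero trust policy would revoke."""
    findings = []
    for e in employees:
        allowed = ROLE_ENTITLEMENTS.get(e.role, set())
        for system in sorted(e.grants):
            if not e.active:
                findings.append((e.user, system, "departed-user-still-has-access"))
            elif system not in allowed:
                findings.append((e.user, system, "excess-privilege-for-role"))
    return findings

def flag_access_attempts(employees, attempts):
    """attempts: (user, system) pairs from an access log; flag those not justified by role."""
    by_user = {e.user: e for e in employees}
    flagged = []
    for user, system in attempts:
        e = by_user.get(user)
        if e is None or not e.active:
            flagged.append((user, system, "unknown-or-departed-user"))
        elif system not in ROLE_ENTITLEMENTS.get(e.role, set()):
            flagged.append((user, system, "outside-role-entitlement"))
    return flagged

# Constructed sample records: bob moved from sre to support but kept prod-ssh;
# carol has left the company but her account and grants were never removed.
EMPLOYEES = [
    Employee("alice", "finance-analyst", True, {"erp", "expense-portal"}),
    Employee("bob", "support", True, {"ticketing", "prod-ssh"}),
    Employee("carol", "sre", False, {"prod-ssh", "metrics"}),
]
ATTEMPTS = [("alice", "erp"), ("bob", "prod-ssh"), ("carol", "metrics"), ("mallory", "erp")]

if __name__ == "__main__":
    for finding in review_access(EMPLOYEES) + flag_access_attempts(EMPLOYEES, ATTEMPTS):
        print(*finding)
```

In practice the entitlement map would come from the IAM or PAM system and the employee records from HR, so that a role change or departure drives revocation automatically instead of waiting for the next manual review.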