
Exchange breaches should accelerate Zero-Trust transition
Cybercriminals in the last few years have become a lot more adept at compromising IT environments using phishing attacks and, unfortunately, those attacks are about to become much more sophisticated in the wake of a recent massive breach of Microsoft Exchange servers.
Jimmy Sanders, head of security for Netflix DVD and a member of the board of directors for the Information Systems Security Association (ISSA), noted during an online panel discussion promoting the newly published book “Big Breaches: Cybersecurity Lessons for Everyone” that the most troubling aspect of the Microsoft Exchange server breach is that it’s clear the attackers had been reading emails for months. It’s now only a matter of time before those attackers employ that knowledge to launch phishing campaigns using emails with some very official-looking documents attached that many more end users are about to click on.
It's time for Zero Trust
Because of this and a slew of other recent breaches, organizations of all sizes need to rapidly shift toward finally implementing zero-trust architectures that should hopefully go a long way to mitigating attacks by finally applying cybersecurity policies at the identity level. A survey of 100 security executives conducted by Robin Insights on behalf of CyberArk, a provider of privileged access management (PAM) tools, finds that 88% consider adopting more of a zero-trust approach to IT either “very important” or “important.” The top priority for achieving that goal was greater adoption of identity and access management (IAM) tools and platforms (45%).
The challenge, of course, has been finding a way to implement a zero-trust architecture that end-users will accept. After all, the concept of locking down an IT environment is hardly new. It’s just that implementations of a zero-trust IT architecture tended to be rejected by end-users who found it too cumbersome to employ on a daily basis. A full 86% of respondents to the CyberArk survey noted that user experience optimization is “important” or “very important.”
While greater awareness of the need for a zero-trust approach to IT is going to be welcome news for cybersecurity professionals, the depth to which IAM needs to be applied is not as fully understood as it needs to be. Most of the focus today is on end-users, and yet it’s not uncommon for cybercriminals to also compromise an entire machine. Many IT organizations assume any machine they deployed can be trusted, but as it turns out, cybercriminals are getting very adept at compromising not just machines but also specific application programming interfaces (APIs) and microservices. Every element of an IT environment needs to be assigned a specific identity that enables cybersecurity policies to be enforced at a much more granular level.

Working from anywhere, of course, completely obliterates any notion of there being a network perimeter to defend. At a time when cybercriminals will be launching more sophisticated phishing attacks that will be more difficult than ever for an end-user to recognize, there will be more end-users than ever remotely logging into systems around the world. Those end-users, alas, can no longer be trusted to be who they say they are simply because they happen to have the right username and password combination. Instead, the onus for verifying the identity of everyone and everything on the network is, like it or not, now clearly on the cybersecurity team.
