Digital transformation, hybrid work, and the shift to the cloud have increased attack surfaces and created new vulnerabilities. Businesses must evolve cybersecurity strategies to protect themselves in today's threat landscape, as ransomware attacks, data breaches, and software supply chain attacks have become almost daily occurrences.
It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.
Accelerating the Adoption of Zero-Trust Network Access
In today's age of distributed workforces and multiple devices, we are seeing considerable demand for cloud-based zero-trust and zero-knowledge architecture to store passwords, files, and other confidential information. Zero-trust network access is the only viable solution in a world where the "network perimeter" no longer exists. In addition to securing network connectivity for their distributed workforces, organizations need to ensure that their third-party vendors and business partners can connect to needed network resources securely.
Securing Users Through a Zero-Trust Approach
A zero-trust approach includes strong user and device authentication, role-based access control (RBAC) with least-privilege access, and comprehensive password security, including strong, unique passwords for every user account and multifactor authentication (MFA).
Businesses should require two-factor authentication (2FA) wherever it's supported, preferably using a time-based one-time password (TOTP) code or a hardware-based FIDO2 key. This way, even if a cybercriminal steals an employee's password, it's useless without the second authentication factor. Enforcing these policies, and making them easier for employees to follow, can be accomplished by deploying an enterprise-grade password security platform.
Just one stolen password can bring down tens of thousands, even millions of dollars' worth of cybersecurity defenses. Password-related cyberattacks are going to keep happening to companies of all sizes, because cybercriminals know that too many organizations play fast and loose with their password security. It is critical to implement a zero-trust network access architecture that includes RBAC with least-privilege access and secure access management.
As organizations implement privileged access management (PAM), cybercriminals are looking for the more vulnerable attack vectors in an organization, which are often contractors, new employees, or users who are not very technologically savvy, and then seeking privilege escalation from there. It is therefore imperative that identity security evolves from protecting privileged access to protecting every user and every access device.
Keeping Infrastructure a Secret
Securing human users with zero-trust network access is critically important, but so is securing infrastructure secrets. Over the past years, organizations have been trading on-premises computing for multicloud and hybrid-cloud environments and monolithic applications for modern microservices-based distributed applications. This has resulted in more systems interconnecting and exchanging critical information, often protected by infrastructure secrets such as certificates, database passwords, API keys, and Remote Desktop Protocol (RDP) credentials.
These secrets unlock access to highly privileged systems and data, enabling devices and apps to leverage cloud resources and execute sensitive business processes, yet they are often not managed securely or effectively. For this reason, secrets are prized by cybercriminals for use in highly sophisticated cyberattacks. As an example, among the massive amounts of data stolen during the NVIDIA security breach were code-signing certificates, which threat actors are now using to spread malware in the wild.
Implementing a Comprehensive IT Secrets Management Strategy
As data environments become more complex, and the number of connected devices and apps grows exponentially, organizations need to shore up their IT secrets management. This capability must be integrated with existing DevOps environments and build systems and also with identity and authentication systems.
Organizations can't afford to take an ad hoc approach to securing data using point solutions. It is important to adopt comprehensive, zero-trust tools and protocols for managing digital authentication credentials to adequately organize and secure their private infrastructure data across user credentials and infrastructure secrets. With modern identity security and access management technology, organizations can dramatically improve their security posture while gaining visibility and control over their critical credentials, secrets, and passwords.
About the Author
Darren Guccione is the CEO and Co-founder of Keeper Security, a top-rated password manager and secure digital vault. Darren is an entrepreneur, tech leader, and serial inventor who is passionate about creating disruptive technologies and finding the intersection between art, science, finance and technology. Darren is an engineer and certified public accountant. In addition to founding Keeper Security, Darren co-founded Callpod, Inc., in 2006 and OnlyWire, LLC, in 2008. He also served as the CFO and co-founder of Apollo Solutions, Inc., which was acquired by CNET Networks (now CBS Interactive).