The Rise of Chief Zero Trust Officer
Over the last several years, ransomware, data breaches, and other cyber campaigns have been hugely disruptive and cost organisations and governments millions. In response, the Biden administration issued an executive order in May of 2021 to implement a Zero Trust security architecture across the federal government. While recent reports from the US Government Accountability Office (GAO) show some agencies are on track, others appear to be falling behind. When governments need to move quickly and cut across organisational boundaries, they often appoint a czar to take charge of a particular program and see it through to implementation or execution.
As private sector organisations embrace digital transformation and move their operations to the cloud, they too are looking to zero trust to help provide a robust and secure network infrastructure. Secure Access Service Edge (SASE) has emerged as a cloud-delivered convergence of network access and security services and is a common approach for enterprise zero trust adoption. The challenge, however, is that in many organisations responsibility for networking and security lives in different parts of the organisation, and these groups often rely on different vendors in their respective areas. Breaking down the silos between security and networking teams and choosing the right tools, products, and vendors to align with desired business outcomes is critical to implementing zero trust in larger enterprises.
As pressure to implement zero trust intensifies, I predict that a role analogous to a “Chief Zero Trust Officer” will emerge within some large organisations. This person will be the zero trust czar for the enterprise and will be the individual responsible for driving a company on its zero trust journey. Their job will be to bring together siloed organisations and vendors and ensure that all teams and departments are aligned and working toward the same goal. If resistance is encountered, the zero trust czar should have the backing of senior leadership (CIO, CISO, CEO, Board of Directors) to make decisions quickly and cut across organisational boundaries to keep the process moving ahead. Whether the very bold title of Chief Zero Trust Officer becomes reality or not, an empowered individual with a clear mandate and a singular focus may just be the key to getting zero trust across the finish line in 2023.
2023 Sees the Death of “The Password”
Phishing attacks continue to be a significant problem for companies around the world. Even with regular security awareness training, users will eventually click a wrong link and fall victim to an attack. And unfortunately, most cyber-attacks begin with a phishing email.
Cloudflare itself was attacked this year by a sophisticated, targeted SMS-based phishing attack. A total of 76 Cloudflare employees received the phishing link in text messages on their phones. Three employees fell for the attack, clicked the link and entered their credentials. But unphishable multi-factor authentication, in the form of FIDO2-compliant security keys used in conjunction with zero trust access, prevented the attacker from breaching our systems. Other companies that used less secure time-based one-time passwords (TOTP) weren't as lucky, and many were breached by the same attackers. The difference is structural: a TOTP code is just a six-digit number the victim can be tricked into typing into the phishing page, where the attacker relays it to the real login within its validity window. A FIDO2 key instead signs a challenge that the browser binds to the origin the user is actually on, so a response produced on a lookalike domain is rejected by the real site no matter what the victim clicked.
Username and password authentication, even when combined with common forms of multi-factor authentication such as SMS codes or TOTP, is just not enough anymore. Enterprises can enable stronger FIDO2-compliant security keys along with zero trust access today if they're using a system like Cloudflare's, making it much tougher on attackers.
But the best way to protect most users and their credentials may be to remove the burden on the end user altogether. The FIDO Alliance envisions password-less sign-in everywhere. Logins will use your face or fingerprint instead of the old username-password combo; the biometric never leaves the device, it only unlocks a private key held there, and the website receives a signature over its own challenge rather than a secret it could lose. A FIDO sign-in credential, sometimes called a "passkey", will make it easier on users and harder on the attackers. If there's no password to steal, hackers won't be able to harvest credentials to carry out their attacks, and a database breach at the site yields only public keys. We predict many websites and applications will adopt password-less login using passkeys, built on the FIDO2/WebAuthn standard, beginning in 2023.
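To make the phishing-resistance argument above concrete, here is an added example (not code from the original post or from Cloudflare) contrasting the two checks a server performs: a TOTP code, which is the same number wherever the victim types it, and a simplified WebAuthn assertion, in which the browser writes the page origin into clientDataJSON and the security key signs over it. The relying party, its RP ID (example.com), the lookalike origin (examp1e.com) and the challenge strings are all assumptions for the illustration; the authenticator data is reduced to rpIdHash, flags and a counter, and attestation and credential IDs are omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed relying party for this example: the real site lives at rpOrigin.
const (
	rpID     = "example.com"
	rpOrigin = "https://example.com"
)

// totpCode computes an RFC 6238 TOTP (SHA-1, 30-second step, 6 digits). The code
// depends only on the shared secret and the clock, never on the page the user
// types it into, which is exactly why a phishing proxy can relay it.
func totpCode(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// totpAccepted is the real site's check: a relayed code is indistinguishable
// from one typed directly, so the attacker's login succeeds.
func totpAccepted(secret []byte, code string, unixTime int64) bool {
	return hmac.Equal([]byte(code), []byte(totpCode(secret, unixTime)))
}

// clientData is the part of a WebAuthn assertion written by the browser.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ECDSA P-256 over authenticatorData || SHA-256(clientDataJSON)
}

// newAuthenticatorKey stands in for the key pair a security key generates at registration.
func newAuthenticatorKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// browserAssert models the browser plus security key answering
// navigator.credentials.get() on a page at pageOrigin. The browser, not the page,
// fills in the origin and derives the RP ID from the page's host, and the key
// signs over both, so a lookalike page cannot claim to be the real site.
func browserAssert(key *ecdsa.PrivateKey, pageOrigin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(strings.TrimPrefix(pageOrigin, "https://")))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// rpVerify is the relying party's check against the public key registered for
// the user and the challenge it issued for this particular login.
func rpVerify(pub *ecdsa.PublicKey, a assertion, issuedChallenge string) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return false, "malformed clientDataJSON"
	}
	if cd.Type != "webauthn.get" {
		return false, "wrong ceremony type"
	}
	if cd.Challenge != issuedChallenge {
		return false, "challenge mismatch (replay)"
	}
	if cd.Origin != rpOrigin {
		return false, "origin mismatch: " + cd.Origin // the phishing case fails here
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return false, "rpIdHash mismatch"
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return false, "bad signature" // any edit to origin or challenge lands here
	}
	return true, "ok"
}

func main() {
	// Constructed TOTP secret; the victim types the code into the phishing page,
	// which relays it to the real site within the 30-second window.
	secret := []byte("12345678901234567890")
	now := int64(1_700_000_000)
	fmt.Println("relayed TOTP accepted:", totpAccepted(secret, totpCode(secret, now), now))

	key := newAuthenticatorKey()
	challenge := "constructed-challenge-1" // in practice random bytes from the RP
	good, _ := browserAssert(key, rpOrigin, challenge)
	ok, why := rpVerify(&key.PublicKey, good, challenge)
	fmt.Println("assertion from real origin:", ok, why)

	// The proxy fetched the real challenge and served it on a lookalike page.
	phished, _ := browserAssert(key, "https://examp1e.com", challenge)
	ok, why = rpVerify(&key.PublicKey, phished, challenge)
	fmt.Println("assertion from phishing origin:", ok, why)
}
```

The point of the contrast is that the TOTP verifier has no input it could use to detect the relay, whereas the WebAuthn verifier has two, the origin and the RP ID hash, and both are filled in by the browser and protected by the signature, so the proxy can neither lie about them nor re-sign without the private key. The challenge check is what stops a captured assertion from being replayed later.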
The Cloud Takes on Compliance
Governments around the world are rolling out new privacy regulations. In Europe, the General Data Protection Regulation (GDPR), which became enforceable in 2018, gives individuals more control over their personal data and how it's used. Other countries worldwide are following suit and using GDPR as a model. In the US, five states have new consumer privacy laws that take effect in 2023, and more states are considering legislation. At the federal level, lawmakers are slowly putting forward their own privacy regulations with the American Data Privacy and Protection Act (ADPPA), an online privacy bill that aims to regulate the gathering and storing of consumer data.
Companies must now understand and comply with this patchwork of regulations as they do business globally. How can organisations hope to stay current and build compliance into their applications and IT systems?
We believe the majority of cloud services will soon come with compliance features built in. The cloud itself should take the compliance burden off companies. Developers shouldn’t be required to know exactly how and where their data can be legally stored or processed. The burden of compliance should largely be handled by the cloud services and tools developers are building with. Networking services should route traffic efficiently and securely while complying with all data sovereignty laws. Storage services should inherently comply with data residency regulations. And processing should adhere to relevant data localisation standards.
Remote Browsers Resolve Device Complaints
Security policies, privacy laws, and regulations require all companies to protect their sensitive data; from where it’s stored and processed, to where it’s consumed in end-user applications. In the past, it was relatively straightforward to fully control end-user devices because they were often issued by and dedicated to company use only. But with the increasing use of personal smartphones and tablets, the bring-your-own-device (BYOD) trend has been picking up steam for several years and was even more readily embraced during the various stages of the global pandemic.
Looking ahead, it’s our belief that this pendulum of BYOD will swing back toward tighter security and more control by the IT organisation. The need to consistently enforce security policies and privacy controls will begin to outweigh the sense of urgency and demand for convenience we encountered during the last few years. But because so much of our digital lives live in a web browser, this control may take a different form than in the past. This new form will mean more control for IT administrators AND a better user experience for employees.
Browser isolation is a clever piece of technology that provides security by keeping active web content away from the endpoint. This technique creates a "gap" between the web content a user browses and the endpoint device, thereby protecting the device (and the enterprise network) from browser exploits and drive-by attacks. Remote browser isolation (RBI) takes this a step further by moving the browser to a remote service in the cloud: the page's JavaScript and rendering engine run in a disposable container there, and only a safe representation of the page (drawing commands or pixels) is streamed to the device, so an exploit against the browser engine lands in the cloud container rather than on the endpoint. Cloud-based remote browsing isolates the end-user device from untrusted web content while fully enabling IT control and compliance solutions such as data loss prevention on the rendered session.
Some say that in this remote browsing model "the browser is the device." Instead of BYOD, it might be appropriate to call this "BYOB" or Bring Your Own Browser. Most companies are looking to better balance the security and privacy needs of the company with the user experience and convenience for employees. At Cloudflare, we use our remote browser isolation in conjunction with zero trust access to protect our users and devices; isolation alone does not stop a user from typing a credential into a convincingly rendered phishing page, which is why it sits alongside access controls and phishing-resistant authentication rather than replacing them. It's completely transparent to users and strikes a good balance between security and user experience. We believe remote browser isolation will be embraced broadly as IT leaders become more aware of the benefit and just how well it works.