What is zero trust in cybersecurity?
Financial institutions quarantine executives’ online lives while using cloud and A.I. tools for flexibility.
Defending companies from cyberattacks is about detecting outside websites, links, malware and phishing expeditions – identifying dangers and training all staff to avoid them.
But malware still gets through. At least 10% of dodgy sites, hyperlinks and attachments go undetected. Although banks, cybersecurity vendors and others are using artificial intelligence to improve their detection and defenses, the bad guys have access to the same tools.
“If I’m a bad guy, I’m going to figure out what the algorithm is doing. I’m not doing the things that A.I. is looking for,” said Amir Ben-Efraim, co-founder and CEO of Menlo Security.
This is leading vendors and some financial institutions to try a more basic, but radical, approach, which they term “zero trust”.
And it means what it says: trust nothing from the outside world, so that nothing can get in.
How on earth is a bank or insurance company supposed to do business if it can’t trust anyone, or anything, from outside its walls?
This is a new challenge for cybersecurity professionals, one that more financial institutions say they want, says Daniel Cheung, chief information security officer at Daiwa Capital Markets.
But zero trust is not new – it’s just new to financial world. It’s actually a classic position among sensitive government and military departments.
And if you’re wondering why your firm doesn’t let you surf the internet from work, it’s not because of fears over wasting time sharing cat videos: it’s to protect against evil code finding its way into your servers.
It requires each employee to duplicate all of their devices: so two computers per person, two switches: one for surfing the internet, the other isolated for internal corporate and database work.
Kok Tin Gan, partner at PwC covering cybersecurity and privacy, says isolation is the best tool to ensure safety.
SWIFT is one of the fist financial institutions that mandated network segregation for member banks.
This follows the 2016 cyber-heist against Bangladesh’s central bank, which is the biggest robbery in history in asset terms: hackers broke into the SWIFT network to send messages that looked to Bangladesh Bank like orders to transfer $1 billion out of its reserve account with the New York Federal Reserve. The fraudsters moved $101 million before Fed officials spotted problems and froze the transfers.
Since then SWIFT has required banks using its network to segregate of all connecting software.
“You must separate our messaging interface from the internet, from less critial applications,” said Saqib Sheikh, head of SWIFT’s customer security program in Asia Pacific.
As of last year, 99% of banks have complied, he told DigFin. Sheikh defines segregation as “managed isolation” instead of full isolation: “You only let known traffic come through. The traffic is encrypted and authenticated.”
An alternative to physical separation is virtual isolation, which is more productive, and cost less, according to Menlo’s Ben-Efraim.
Rather than connect directly to a website, the end user is actually surfing on a visual representation. The real session is run in a virtual machine, created just for this user and isolated from all other virtual machines.
(A virtual machine is an emulation of a computer system, using specialized hardware or software.)
“You can think of it as projecting the website to your native browser. It’s like a hologram,” Ben-Efraim said. What the user sees on her screen is taking place externally to the company.
In case the application is infected or attacked, it gets trashed. A new virtual machine will replace it when the user switches websites – say from Google to YouTube.
“Think of it as a disposable browser,” Ben-Efraim said.
Cloud-based or on-premise?
The user can either install virtual-machine software on his own computer, or use a cloud-based solution.
All the major cloud vendors – AWS, Google, Microsoft – now run virtual clouds for customers. On the other hand, IBM, HP and Red Hat are among the big vendors providing virtualization software on-prem.
For traveling executives and people using mobile devices, a cloud-based solution is global and comprehensive, while on-prem solutions physically tie people to specific machines.
However, some criticized that, virtual separation is not as safe as physical separation, no matter it’s via one’s own computer or through the cloud. That’s because the local session is still connected to the virtual machine to receive the virtual message. Hackers can therefore attack through this connection.
Swift’s Sheikh said that on-prem virtual machines are actually not used for enhancing security. It’s just a solution for cost efficiency.
“I can run many virtual systems on the same physical server,” Sheikh said, “Virtualization is not used as cyber-security tool.”
Jeffery Kok, vice president solution engineer at vendor CyberArk(Asia Pacific and Japan), says that adding A.I. to internet separation makes a good solution.
Even though the local session still has some kind of access to internet, the risk can be mitigated by first allowing only a single point of entry, and then second by directing A.I. tools at that single point of vulnerability.
It’s like using data analytics and self-learning techniques to train all your guns on the one door that a baddie can use to storm inside.
SWIFT has developed tools along this thinking. The two features that have greatly enhanced the network’s security after the Bangladesh attack, are segregation (described above) and automatic detect of suspicious payments. It can send warnings and block those payments, Sheikh said.
A virtual session, might be a good way to keep out dangerous code. But it can’t solve the biggest problem in cyber security: people inside an organization giving away passwords, usernames and other sensitive information.
People do this all the time, by accident. Sometimes it’s because they fall for a phishing expedition. Sometimes it’s even more mundane, particularly among staff that haven’t been well trained to be aware of basic security measures.
Vendors are therefore coming up with ways to detect when such information is at risk of escape. They have software that can check website URLs that come with email, to see wehther or not it’s legitimate – and then float a warning on the person’s computer or handheld.
Vendors can also grade outside sites, to separate the obviously dangerous from ones that might be OK if accessed in read-only mode.
Menlo’s Ben-Efraim says such solutions appear to be effective. Fewer than 1% of employees among the vendor’s corporate clients have deliberately ignored such warnings.