Zero-Trust Security is a framework that shifts the traditional security model from assuming that everything inside an organization's network is trusted, to assuming that threats can be both external and internal. The core principle of Zero-Trust is "never trust, always verify." This means that no one, whether inside or outside the network, is trusted by default. Verification is required from everyone attempting to access resources, regardless of whether they are within the network perimeter.
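
The "never trust, always verify" principle above, as an added example that is not part of the original page or any vendor's code: the same two requests are judged once by network location alone and once by user identity, device state and entitlement. The address range, user names, resources and field names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration.
CORP_NET = ip_network("10.0.0.0/8")                      # assumed "internal" range
ENTITLEMENTS = {"alice": {"hr-portal"}, "bob": {"build-server"}}

@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    resource: str
    mfa_passed: bool       # user identity verified with a second factor
    device_managed: bool   # device identity known to the inventory
    device_patched: bool   # device posture at request time

def perimeter_decision(req: Request) -> bool:
    """Legacy model: network location alone grants access."""
    return ip_address(req.src_ip) in CORP_NET

def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Verify every request; src_ip is deliberately never consulted."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa_missing")
    if not (req.device_managed and req.device_patched):
        reasons.append("device_untrusted")
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("not_entitled")
    return (not reasons, reasons)

REQUESTS = [
    # Remote employee, verified user and device, entitled resource.
    Request("alice", "203.0.113.7", "hr-portal", True, True, True),
    # Inside the network, but no MFA, unknown device, resource not granted.
    Request("bob", "10.1.2.3", "hr-portal", False, False, True),
]

def compare(requests):
    """Return (user, perimeter verdict, zero-trust verdict, deny reasons) per request."""
    return [(r.user, perimeter_decision(r), *zero_trust_decision(r)) for r in requests]

if __name__ == "__main__":
    for row in compare(REQUESTS):
        print(row)
```

The two models disagree on both requests: the perimeter check rejects the verified remote user and admits the unverified internal one, while the per-request check does the opposite and records why it denied.
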
Company | Summary |
|---|---|
Google BeyondCorp | Google implemented its own Zero-Trust framework called BeyondCorp. This model allows employees to work securely from any location without needing a traditional VPN. By focusing on device and user identity verification rather than network location, Google has achieved a secure, flexible working environment. This approach has drastically reduced the risk of internal threats and improved productivity. Although originally only intended for internal use, Google has since made the BeyondCorp framework available to the public. |
Estonian Government | Estonia is renowned for its advanced e-government system, which relies heavily on Zero-Trust principles. The country uses a highly secure digital identity system, which includes mandatory multi-factor authentication for accessing government services. Estonia’s government systems are designed with the assumption that breaches can occur, so they employ strong encryption, continuous monitoring, and robust access controls. This Zero-Trust approach has enabled Estonia to provide secure digital services to its citizens while maintaining a high level of trust and security. |
Erasmus Hospital in Rotterdam | Erasmus MC employs robust IAM practices, including multi-factor authentication (MFA), to ensure that only authorized personnel can access sensitive systems and patient records. This process involves verifying the identity of users through multiple layers of authentication, such as passwords, biometrics, and security tokens. Erasmus also employs network segmentation and micro-segmentation to isolate critical systems and data, preventing lateral movement in case of a breach. Failing that, the hospital has a CERT (Computer Emergency Response Team) in place to respond to incidents and mitigate the impact of any potential breaches. Erasmus MC CERT Contact page |

Company | Summary |
|---|---|
Capital One Data Breach | In 2019, Capital One experienced a data breach that exposed the personal information of over 100 million customers. The breach was facilitated by a misconfigured web application firewall. While Capital One had some elements of Zero-Trust in place, the failure to properly configure and continuously audit their security settings allowed the attacker to exploit the vulnerability. This incident highlights the importance of thorough and ongoing security checks within a Zero-Trust framework. |
Target Data Breach | In 2013, Target suffered a massive data breach where attackers gained access to payment card data of over 40 million customers. The attackers initially compromised a poorly protected third-party vendor and then moved laterally within Target's network. A lack of proper network segmentation, insufficient monitoring, and human error allowed the attackers to escalate their privileges and access sensitive information. This breach underscores the necessity of network segmentation and robust monitoring in a Zero-Trust approach. |
Tunstall Ransomware attack | Tunstall is a direct competitor of MobileTrack, and is a prominent provider of telecare and telehealth solutions. The Tunstall hack of last year was a significant cybersecurity incident. This breach had wide-reaching implications, and shut down their services for several days. These services are crucial for supporting vulnerable individuals, including the elderly and those with health conditions, by providing remote monitoring and emergency response. The breach potentially exposed a significant amount of sensitive information, including:
Not much is known about the incident, as Tunstall hasn't been very forthcoming about the specifics. However, it is clear that network segmentation, Zero Trust, proper backups, and fault tolerance haven't been high priorities within the company, given the length of the outage and how widespread the damage was. News article (Dutch) |