The risk of users simply browsing the internet to perform their jobs continues to rise. As organizations increase their reliance on technology, especially in the hybrid work world, the number of potential attack vectors increases. For all these reasons, the web has become a popular path that malicious actors use to exploit vulnerabilities in organizations.
Web security threats have evolved in complexity and sophistication. The most common types include malware, ransomware, data theft, and phishing attacks. For years, cyber defenders have added controls to minimize the risk of web usage. Many organizations rely on dedicated web security software or next-generation firewalls to deliver capabilities for web security. With more than 80% of web traffic being encrypted, many of the existing tools are hindered in fulfilling their original purpose. Some of the key capabilities used to reduce risk include:
- Web Reputation & URL Filtering
- Malware Detection & Prevention
- User Authentication
- Security Awareness Training
In many organizations, the security controls have been unable to address the increased risk to their business.
Zero Trust Strategy for Modern Web Security
According to NIST, “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” While there are many different views across the cybersecurity industry, they all closely align on the following high-level principles of a Zero Trust strategy:
- Remove Implicit Trust
- Enforce Risk-Based Least Privilege
- Assume Compromise
A Zero Trust strategy should span an organization’s different technology groups and domains. The figure below illustrates the multiple zero trust domains.
Applying Zero Trust principles to minimize risk in web security can become the equalizer against increasing web threats. Many modern network & security architectures, such as Secure Access Service Edge (SASE) and Security Service Edge (SSE), bring opportunities to provide ubiquitous web security for a hybrid distributed workforce. This ensures consistent security policy enforcement regardless of a user’s physical location.
Organizations can accomplish this without using a virtual private network (VPN) to corporate data centers. The application of the Zero Trust principles to web security brings many capabilities and controls that address web security risks.
Remove Implicit Trust
Traditional perimeter-based security utilized the castle and moat methodology to protect organizations from cyber threats. This created excessive trust for users and devices inside the “castle”. As a result, malicious actors can also move laterally and exploit the excessive trust. With Zero Trust, organizations must remove implicit trust:
- Never assume trust, always verify every access attempt
- Deny anonymous or unverified access
- Continuously verify & validate trust
Enforce Risk-Based Least Privilege Access Control
A risk-based web security policy includes an evaluation of the risk and trust of the user, their device, and the resource or website being accessed. To evaluate the risk and establish trust, organizations should centralize disparate contextual data and apply a trust algorithm to determine a trust score. The following are some of the criteria a trust scoring algorithm might consider:
- Has the user validated their identity?
- Is the user’s location consistent with normal circumstances?
- Is the device managed or unmanaged?
- Are the appropriate security agents or controls running and up to date?
- Is the device encrypted?
- Does the device have vulnerabilities?
- Are the OS and applications patched and up to date?
- Have there been any indications of compromise?
- Is the web transaction encrypted?
- Has the traffic been modified or tampered with?
- What permission should be allowed?
- What is the reputation of the IP Address, Domain Name, and URL?
- Is this application required for the business or mission?
- What is the file type being downloaded?
- Is the content malicious?
When organizations utilize risk and trust scoring in their web security policies, they immediately start to minimize the risk of web threats. For example, many attacks involve unpatched vulnerabilities. To minimize the risk, an organization can implement a policy requiring users to have up-to-date systems before accessing the web. This policy will reduce the odds of the system being compromised.
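An added illustration of the trust algorithm described above, not taken from the original article or from any product: unverified identity, indicators of compromise and very poor URL reputation are hard denials, an unpatched device is sent to remediation, and the remaining signals are scored. The field names, weights, thresholds and decision labels are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessContext:
    """Signals from the criteria list; field names are illustrative."""
    identity_verified: bool = True
    usual_location: bool = True
    device_managed: bool = True
    agents_current: bool = True
    disk_encrypted: bool = True
    os_patched: bool = True
    tls_encrypted: bool = True
    business_required: bool = True
    indicators_of_compromise: bool = False
    url_reputation: int = 90        # 0 (known bad) .. 100 (known good)

# Assumed weights and thresholds; tune them to your own risk appetite.
WEIGHTS = {"usual_location": 10, "device_managed": 15, "agents_current": 15,
           "disk_encrypted": 10, "os_patched": 20, "tls_encrypted": 10,
           "business_required": 5}
REPUTATION_WEIGHT = 15              # maximum total score is 100

def trust_score(ctx: AccessContext) -> int:
    score = sum(w for name, w in WEIGHTS.items() if getattr(ctx, name))
    return score + REPUTATION_WEIGHT * ctx.url_reputation // 100

def decide(ctx: AccessContext) -> str:
    # Hard gates first: a high score must never outvote these conditions.
    if (not ctx.identity_verified or ctx.indicators_of_compromise
            or ctx.url_reputation < 20):
        return "deny"
    if not ctx.os_patched:
        return "remediate"          # patch before browsing, as in the text
    score = trust_score(ctx)
    if score >= 80:
        return "allow"
    if score >= 50:
        return "allow-restricted"   # e.g. browse read-only, no file transfer
    return "deny"

# Constructed sample requests (not real telemetry).
managed = AccessContext()
unpatched = replace(managed, os_patched=False)
byod = replace(managed, usual_location=False, device_managed=False,
               agents_current=False, url_reputation=70)
anonymous = replace(managed, identity_verified=False)
if __name__ == "__main__":
    for ctx in (managed, unpatched, byod, anonymous):
        print(trust_score(ctx), decide(ctx))
```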
Least privilege ensures a user or device has only the minimum necessary rights, privileges, or access to a resource, application, or data. Organizations should start by establishing a baseline of what access is required and orchestrating a policy from the baseline. Do all employees need the rights to post to Twitter or only the marketing department? On the surface, allowing all employees to post to Twitter might seem harmless, but Twitter has been used to exfiltrate data in multiple real-world security incidents.
Assume Compromise
Through tabletop exercises, whiteboarding or workshops, the primary goal of the assume compromise principle is to answer the question, “If this user, device, or website is compromised, what would I do differently?” By asking the question, an organization can prepare for the worst-case scenarios and identify risks that were previously undiscovered. Organizations will find the following best practices:
- Decrypt & Inspect
- Monitor & Log – Without proper anomaly detection, organizations run the risk of being blind to sensitive or mission-critical data being exfiltrated or exposed to the public or an
- Limit the Blast Radius – Ransomware and malware notoriously spread faster than organizations can To minimize the risk, all networks should explicitly prevent lateral movement.
- Write Once Read Many (WORM) Backups – Many organizations do not realize the backups they have could be compromised and haven’t invested in ransomware-resistant backups.
Zero Trust plays a vital role in addressing risk in web security. By applying the Zero Trust principles, organizations can adequately address the increased cyber threats targeting users via the web. IT GRC teams should look to Zero Trust strategy and architecture for their modernization efforts.
NIST Special Publication 800-207 Zero Trust Architecture, Page ii, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf