Big Tech’s new anti-hacking strategy: Trust no one

The philosophy, known as zero-trust architecture, assumes that no matter how robust a company’s external defenses are, hackers can get in (Photo: iStock)


Hackers keep tricking employees to gain access to corporate networks, so companies are changing their approach to make it harder to wreak havoc once they’re in

The companies that should know best how to fight hackers, tech firms, have reached an arresting conclusion: The weakest link in security, as it’s been since the Trojan War, is humans.

Increasingly, they are taking a new approach: Trust no one.

The philosophy, known as zero-trust architecture, assumes that no matter how robust a company’s external defenses are, hackers can get in. So companies need to make sure that even users inside a network can’t do serious damage.

This past week, Uber and the Rockstar Games unit of videogame company Take-Two Interactive Software each disclosed major hacks that disrupted their operations. They joined a list of victims this year that includes some of the most technologically adept companies on the planet, such as identity-verification company Okta and chip giant Nvidia.

What many of these hacks have in common is that they succeeded by tricking a person in or close to the target company into giving up network-access credentials or other critical information, a technique known as social engineering. In the Uber case, for example, a contractor whose phone was being spammed by automatically generated access requests triggered by a hacker finally approved one, the company said. Other examples involve bogus “phishing” emails that hoodwink employees into sending login credentials to attackers.

The hacks at the two companies, which declined to discuss their approach to security, are increasing the push for zero-trust within their peer group. Zero-trust is a broad concept, but at base it means that no part of a company’s IT systems should assume that any other part—human or software—is who or what it claims to be. All systems are assumed to be compromised by hackers already.

As big and well-resourced companies have gotten better at protecting against purely technical exploits of their systems, these social-engineering attacks have become more popular, say cybersecurity experts and the Federal Bureau of Investigation. It is, after all, easier to upgrade a computer than the human mind.

Moats aren’t enough

In the traditional approach to cybersecurity, “We just built a giant moat around the castle, and once you breached that moat, you were in,” says Boe Hartman, a former chief technology officer at Goldman Sachs, where he led the team that built the consumer-banking infrastructure that made possible Apple’s credit card and its vaunted privacy features.

This kind of perimeter security made sense at a time when corporate networks consisted mainly of PCs that were physically connected in an office building—or, if they were off-site, to a virtual private network, or VPN.

These days, a staggering variety of devices, employees and outside contractors connect to corporate systems, in an ever-larger panoply of ways, from personal mobile devices and home computers to cloud services and internet-of-things devices. Today, relying solely on protection of every device and account that might connect to a company’s systems isn’t just difficult, but frequently disastrous, since attackers have to breach only a single gate to get access to the whole kingdom.

At Uber, the attacker used the commandeered contractor account to access internal systems, posting a message on a companywide Slack channel and taking over an account used to communicate with security researchers. Uber had to temporarily suspend access to internal communications systems. A representative declined to comment beyond a Monday statement that said the company had found no indication the hacker accessed user accounts or the databases Uber uses to store sensitive user information.

The zero-trust approach seeks to limit such havoc. “Zero trust is based on the idea that you don’t trust anything in your system anymore,” says Anshu Sharma, chief executive of Skyflow, a startup that uses zero-trust principles to safeguard personal data for other companies. “Just because you’re in the building, you don’t get access to important stuff.”

Many of the design principles that guide engineers building zero-trust systems are easy to understand. If you’ve found yourself having to log back into corporate systems or your bank’s website more often of late, that’s a version of the zero-trust tactic of regularly “rotating” the credentials that allow people and computers to access other systems. The idea is that even if attackers got in with your account, they’d have limited time to do damage.

Another zero-trust principle, known as behavioral analysis, is that software should monitor the behavior of those on a network and flag anyone doing something unusual, like trying to make an extra-large bank withdrawal. (This is the same kind of analysis that leads your bank to send you a text if you make an out-of-character credit-card purchase, for example, when you’re traveling to a new city.)

The consistent theme is that every component of a system should be skeptical, even if you’ve identified yourself and gained access, that you are who you say you are and are doing what you should be doing.

Zero-trust systems can create friction for users and employees, because security is always a balance between giving people the access they need and demanding that they prove their identity. This is also by design, a concept known as the “principle of least privilege,” or giving people access only to the things they need, when they need them, and no more. But it runs counter to the priorities of many businesses, which are focused more on maximizing the efficiency of their operations than securing them.

A decade of zero-trust

While many businesses are only now adopting true zero-trust systems, the security industry has been talking about the trust problem for well over a decade.

One company that realized early on that walls and moats were no longer adequate protection was Google. It learned the hard way; starting in 2009, coordinated attacks by hackers associated with the Chinese government attempted to penetrate the Google-hosted email accounts of Chinese human-rights activists, The Wall Street Journal reported.

Soon after, Google began implementing its version of zero-trust systems, which it called BeyondCorp. A spokeswoman says its approach applies to all parts of an IT system—users, devices, applications, and services, regardless of ownership or physical or network location. All those elements are treated with the same inherent suspicion. The shift actually makes it easier for employees to work from anywhere, without a VPN, she adds.

Naturally, Google also turned it into a product that can be used by companies that pay for its cloud services.

There are numerous other consultants and vendors happy to teach zero-trust principles, or sell systems built with them. Okta specializes in zero-trust human identity-verification systems. (The fact that Okta itself has recently become a hacking victim demonstrates how hackers can get past the “borders” of company security—even at companies that specialize in security.) Zscaler does the same for access for software and devices. Palo Alto Networks helps build zero-trust networks. The list goes on. Yet businesses—including big, sophisticated tech companies—continue to suffer losses of proprietary data, source code and customer information.

Rome wasn’t rebuilt in a day

Creating a top-to-bottom zero-trust architecture for a company’s existing IT infrastructure requires commitment from its most senior leaders, and can ultimately necessitate what is essentially a gut renovation of its systems, says Mr. Hartman, now co-founder of Nomi Health, a healthcare startup.

Months before it was attacked, Nvidia, the highest-valued U.S. semiconductor company, announced a tool called Morpheus digital fingerprinting, to run on Nvidia hardware. It uses artificial intelligence to analyze hundreds of billions of user actions a week and flag instances when a user appears to be doing something unusual and potentially high-risk. For example: A user who normally works in Microsoft Office is suddenly trying to get access to the tools and repositories where company source code lives.
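The baseline-and-deviation logic described above, as an added illustration that is not Nvidia’s Morpheus or any vendor’s code: it learns which resource categories each account normally touches from a constructed sample log, then flags later accesses outside that baseline, escalating when the unfamiliar resource is something like a code repository. Category names and the day-based window are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of access-log events: (day, user, resource_category).
# Days 1-5 are the learning window; day 6 is the activity being judged.
SAMPLE_EVENTS = [
    (1, "alice", "office_docs"), (2, "alice", "office_docs"), (3, "alice", "email"),
    (4, "alice", "office_docs"), (5, "alice", "email"),
    (1, "bob", "source_repo"), (2, "bob", "ci_pipeline"), (3, "bob", "source_repo"),
    (4, "bob", "source_repo"), (5, "bob", "ci_pipeline"),
    # Day 6: alice, who only ever used Office docs and email, reaches for the code repo.
    (6, "alice", "office_docs"), (6, "alice", "source_repo"),
    (6, "bob", "source_repo"), (6, "bob", "email"),
]

# Categories whose first-time use by an account is treated as high-risk (assumed list).
HIGH_RISK = {"source_repo", "secrets_vault", "prod_database"}


def build_baselines(events, learn_through_day):
    """Map each user to the set of resource categories seen in the learning window."""
    baseline = defaultdict(set)
    for day, user, category in events:
        if day <= learn_through_day:
            baseline[user].add(category)
    return dict(baseline)


def flag_anomalies(events, baseline, after_day):
    """Return (user, day, category, severity) for accesses outside a user's baseline.

    A category the user has never touched is 'medium'; if it is also in
    HIGH_RISK the finding is 'high'. A user with no baseline at all is 'high',
    because nothing is known about them (the zero-trust default).
    """
    findings = []
    for day, user, category in events:
        if day <= after_day:
            continue
        known = baseline.get(user)
        if known is None:
            findings.append((user, day, category, "high"))
        elif category not in known:
            severity = "high" if category in HIGH_RISK else "medium"
            findings.append((user, day, category, severity))
    return findings


if __name__ == "__main__":
    base = build_baselines(SAMPLE_EVENTS, learn_through_day=5)
    for finding in flag_anomalies(SAMPLE_EVENTS, base, after_day=5):
        print("ALERT", finding)
```

On the sample log this raises a high-severity alert for alice’s first-ever repository access and only a medium one for bob reading email, which is the triage distinction the article’s Office-user-in-the-source-tree example turns on.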

So Nvidia knew a thing or two about zero trust. Yet in March, its systems were compromised—likely, as my colleagues reported this week, by Lapsus$, the same group of young hacker-pranksters that struck Uber and others. Afterward, CEO Jensen Huang said the incident was a wake-up call and vowed to accelerate Nvidia’s embrace of zero-trust architecture.

Rolling out this system isn’t without its downsides, including how it can limit the productivity of engineers who all want as much access as possible. Striking a balance between security and accessibility means constant conversations between security teams and the employees they serve, says Justin Boitano, vice president of enterprise computing at Nvidia. It helps, he adds, that Mr. Huang was forthright after the March attack, and “employees seem to understand that we live in a new world now, and potentially there are bad people living on your network.”

Okta, which also was likely hit in March by Lapsus$, said in a blog post tallying the aftermath of that breach that the company had come out much better than initially feared by its own engineers. According to a forensic report prepared by an outside cybersecurity firm, the attacker was in its systems for only 25 minutes, viewed and took screenshots of two customer accounts, and was unable to log in directly to any customers’ Okta accounts or make any changes to internal systems.

Okta now requires subcontractors, like the one that was breached, to use zero-trust security architectures, and all of them must demonstrate that they have the same level of security in their systems that Okta has in its own, says a company spokesman. Okta touts its own systems as zero-trust, and the company credits its zero-trust architecture with preventing hackers from getting any further into its systems than they did.

Microsoft says a Lapsus$ attack on its systems in March breached only one account and was quickly detected and dealt with, and didn’t lead to any leaks of customer data. Vasu Jakkal, the company’s corporate vice president of security, says the lack of damage was a result of Microsoft’s own internal zero-trust architecture.

Without such architecture, an attacker can, on average, move from gaining access to a system to entering sensitive parts of it in just over an hour, Ms. Jakkal adds. The number of attempted identity-based cyberattacks continues to grow, due to better-resourced hackers and automated tools.

“Attacks can come from anywhere, from anyone, and be done to anyone,” says Ms. Jakkal. “There’s no company, no matter how big or small, who are not vulnerable to attacks.”

Adopting a zero-trust approach means changing many layers of security. Those include adding multifactor authentication on company accounts, and giving users and systems the least access they actually need. It’s also a good idea to put the most sensitive data in one place and protect it vigorously, rather than sprinkling it throughout a company’s databases. (Consolidating sensitive data in one protected place is precisely what Skyflow, Mr. Sharma’s startup, does.)

The breadth of changes means that companies rebuilding old systems need to set priorities, says Mr. Hartman, starting with protecting their crown jewels—source code, other intellectual property, customer information, and the like. Later, they can work through other parts of their systems. The scale of the challenge explains, in part, why only 22% of companies have implemented multifactor authentication—such as biometrics, push notifications or device-based authentication, in addition to a password—even though it is one of the best front-line cyber defenses for access, says Ms. Jakkal.

Even proponents acknowledge that zero-trust is no silver bullet, in no small part because it takes so much time and effort to make it a reality. But in a world where regulators, shareholders and customers are all ready to hold companies and their leaders accountable for hacks and data breaches, and attackers are more resourceful and aggressive than ever, companies might not have much choice. They have to commit to making themselves less vulnerable.

“The new world is, you’ve got to assume there are always going to be bad people on your network,” says Mr. Boitano of Nvidia. “And the question is how do you protect your resources and the intellectual property of the company.”



