Federal agencies with highly sensitive and classified information were tied to their physical locations until the pandemic upended businesses — and trust. As organizations search for a reliable way to verify remote users or unknown devices, COVID-19 has given zero trust a boost, though not before stopgap security solutions were adopted.
Remote work changes the nature of the on-premise perimeter, eliminating "an environment that you can control," said Bryan Ware, assistant director for Cybersecurity at CISA in the Department of Homeland Security, on a panel during the Billington Cybersecurity Summit Tuesday.
"Inside of [a controlled] environment, you assume that you can trust," even though that line of thinking "hasn't been real for a long time," he said. Nevertheless, it was the conceptual model security was built on.
The pandemic challenged the way businesses think about and address security issues, but security organizations took care of issues as they came, according to Jeff Reed, SVP of Security Business Group at Cisco, who spoke on the panel. "We're kind of in this interesting stage now of revisiting as we go forward."
The security challenges were marked by the tools customers were requesting: VPN, multifactor authentication, and now zero trust solutions, Reed said. Top challenges included:
How a user is identified in a secure manner
How existing security controls can change to adapt to a distributed workforce
How to get more endpoint visibility
What controls are necessary moving forward versus the ones currently less critical
"The perimeter was already distributed. Maybe we weren't really thinking about it, but it was actually already there. And so this was a nice wake up call," said Reed.
For businesses dipping their toes in zero trust, questions move beyond the user. The methodology also addresses devices and their security postures.
When done correctly, zero trust enables the end users, not the security professionals, to engage in cyber hygiene, said Reed.
A matter of scale, not security
While security priorities differ from pre-pandemic times, a lot of hurdles were related to scale.
"I don't think [the pandemic] was actually really core to the change and the threat landscape, frankly," said Reed.
Experts are adapting zero trust to the security changes brought on by the landscape. But that raises questions about its application when security challenges are similar to those of pre-pandemic times.
"Did the risk landscape really change? Or did we just increase the prioritization of certain risks?" said Jon Check, senior director of Cyber Protection Solutions at Raytheon Intelligence & Space, while moderating the panel.
In the early months of lockdown, VPN use skyrocketed with little long-term strategy, and vulnerabilities remained. Before lockdowns, VPNs handled 10% to 15% of enterprise traffic; now they're up to 95%, according to Ware. "And we still see unpatched VPNs."
In "one sense it's not new, in another sense, maybe there's no more attacks than there used to be, but the locus of attack is the VPN now. So our adversaries know where we are and how we're working," said Ware.
Cybercriminals shifted their focus on where to exploit, with Microsoft Office 365 and Pulse Secure and Citrix VPNs becoming popular targets in 2020. They've been "patchable for years. They're still valid tools that our adversaries are using. But they've refined their focus, just as we have shifted the way that we work," said Ware.