Have we all accepted we’re at the ‘Zero Trust’ stage for cloud security now?

It’s one of the five key trends picked out for 2020 by the Cybersecurity and Information Resilience arm of British Standards (BSI)

Posted 21 January 2020 by Gary Flood

In 2020, when it comes to Cybersecurity, expect more Multi-Factor Authentication (MFA) attacks and the rise of the ‘Zero Trust’ model.

The predictions come out of a new report from the British Standards Institute, which sets national standards for the UK and which is also the world’s largest certification body: it has a dedicated Cybersecurity and Information Resilience global centre of excellence, which issued the study.

MFA Will Become More Prominent

The study starts off by noting a recent report by LastPass that showed that 57% of global businesses used MFA in 2019, well up from 2018’s 45% – which will of course mean attacks against MFA “will inevitably rise also”, it cautions.

One such example is what we call a ‘9am attack’, whereby the attacker attempts to login when an end user arrives at the office, and when logging on, gets a prompt on their authenticator app to approve, which if the attacker has it timed correctly the user approves and inadvertently grants access to the attacker.

Along with other targeted attacks such as Evilqinx or SIM swapping, warns Stephen O’Boyle, Global Head of Cybersecurity and Information Resilience Services at BSI, expect more 9am attacks, then: “Provided that phishing attacks remain a ‘high return and low risk’ proposition, they will continue to be attractive to attackers,” he warned.

“Organisations must have the capability to detect and react to advanced attacks in order to keep their clients, employees and information secure.”

Third Party / Supplier Risk Management

Managing supplier risk effectively has been strengthened by a number of new directives and regulations which have wide reaching effect, including the Network and Information Security (NIS) directive and GDPR, says the group.

But while companies are following information security standards for supplier relationships to improve their ability to manage risks and are substantially increasing their security control, the risks relating to supplier relationships will continue to expand in 2020, BSI warns.

“Supplier risk management allows organisations to identify, assess, manage and treat supplier risk,” O’Boyle stated.

“This year, businesses will need to further enhance their solutions when it comes to reducing risks associated with third party management. This includes processing of information, outsourced system development, integrations, configurations and hardware product provenance.

“Doing so will allow them to be in a better position from a security perspective to achieve their objectives and meet their compliance requirements.”

Privacy Assurance

Globalisation and the “relentless advance in technology” means that privacy safeguards are necessary to ensure the protection of the fundamental rights of citizens, the study next notes.

“GDPR fines are set to rise in 2020, especially given the impending decisions under review by the Information Commissioner’s Office (ICO) relating to large tech firms,” said O’Boyle.

“Many organisations have realised their compliance requirements due to the GDPR. However, new and evolving global legislation such as Japan’s Act on Protection of Personal Information (APPI), Brazil’s Lei Geral de Proteção de Dados (LGPD), Thailand’s Personal Data Protection Act (PDPA) and California’s Consumer Privacy Act (CCPA) mean that an organisation’s privacy compliances continue to evolve,” he noted.

“These global requirements must be considered based on a company’s global reach and their data jurisdictions.”

Also, expect more Purple Teaming exercises, where Defenders (Blue Team) are pitted against Attackers (Red Team) to determine the effectiveness of their defence capabilities.

“This technique provides a truly effective view of attack susceptibility and defence capability in a close to real world attack scenario,” O’Boyle said.

“The benefits to organisations are extremely valuable, as defenders gain attack experience in a safe scenario environment, deficiencies are highlighted and opportunities to improve identification and response capabilities are advanced through process improvements and monitoring system tuning. We will see more companies adopt this approach as part of their annual assessment activities this year.”

Cloud Security – Zero Trust Networks

Finally, as cloud adoption grows and organisations begin to truly accept the ‘death of the perimeter’, the Zero Trust model will get more attention, too. So that’s going to mean, thinks BSI, security measures for protecting organisations beyond the traditional firewall will proceed to improve and conditional based access considering device enumeration, certificates, location, biometrics and user secrets will become the norm for protecting organisations leveraging cloud first models.

“Cloud services, including Microsoft Office 365, are key targets for attackers and password spray and credential stuffing attacks are examples of methods used to gain access,” stated O’Boyle.

“Companies who progress their cloud journey without adequate Identity and Access Management tools and processes will soon find themselves subject to compromise. Those with limited monitoring in place can expect attacker persistence to remain for extended durations.”

For O’Boyle, “We are seeing the next phase in cyber threats, cyber-related regulations, technological evolutions and specific solutions within these trends, looking beyond the stalwart and ever-present security risk of inadequate patching.

“Defence preparation must remain high on the agenda for 2020 across all industry sectors including finance, the public sector, food and healthcare. In England specifically, this will be further enforced through efforts stipulated in the National Cyber Security Strategy.

“Organisations need to prioritise and address their cyber and regulatory efforts this year and opt for a deeper level of assurance across the board at all levels.

“Doing so will ensure that everyone has a greater understanding of the cybersecurity landscape, and that their information resilience is enhanced across the organisation.”