The Future of Data Security: Why Your Systems Need Zero-Trust Architecture

Written By: J. Lasswell
March 28, 2024

As discussed in our last blog, "Ransomware on the Rise: How Cyber Attacks Threaten K-12 Schools," the digital revolution has inextricably woven our lives into online systems. This shift has streamlined our lives and work, but it's also introduced a new frontier of criminality: cybercriminals holding personal information hostage.

Cybercriminals no longer exploit personal information only for individual gain; they weaponize it against the corporations that hold it, extorting millions under the threat of publishing the data. Leaked addresses, phone numbers, and banking details are just the tip of the iceberg, creating a murky landscape in which trust in both corporations and online systems is eroded. None of us is a spectator here: each of us is both a participant in and an asset of this scheme. This is a call to action, demanding a reassessment of how we protect ourselves and our data in an ever-evolving digital age.

Source: Statista

The Rise in Healthcare Cyberattacks

In the last two years these attacks have become more frequent and ransom demands have reached record highs, with the healthcare sector a prime target. Breaches of healthcare institutions are also the costliest: the average cost of a healthcare data breach reached a new high of $10.1 million, far above the cross-sector global average of $4.32 million. This is likely due to the sensitivity of healthcare data combined with the lax security measures of some providers. Over 90% of US hospitals have adopted Electronic Health Record (EHR) platforms, but these systems often sit on antiquated security architecture, making them an attractive target. A 2023 breach at Shields Health Care Group resulted in the theft of personal data, including names, driver's license numbers, and ID cards, of over 2.3 million people.

This escalation in healthcare attacks echoes the concern raised in our previous blog about K-12 schools and underscores how widespread the threat is: it reaches the very institutions entrusted with some of our most sensitive data.

Beyond Healthcare: Manufacturing, Energy, and Outdated Systems

The manufacturing and energy industries are targeted in the same way, as in the 2021 ransomware attack on Colonial Pipeline, the largest refined-fuel pipeline in the US, attributed to the Russia-based cybercriminal group DarkSide.

Many large companies serving a significant portion of Americans still rely on outdated technology and methods for their data security, commonly called "legacy systems." These systems are deeply ingrained in our commerce, but their deficiencies are now being exploited by criminals with far more sophisticated tooling. In response, security engineers are rethinking how data protection should be designed and enforced, moving away from the traditional perimeter model toward a far more conservative one: zero-trust architecture.

To learn more, I turned to Drift Net’s Chief Technology Officer (CTO), Harsh Dave, who has put this idea into practice at Drift Net:

What does the traditional method of data security look like?

Traditional, perimeter-based network security assumes that every actor already inside the network is trustworthy. In practice that means unrestricted communication between any user or device and any other resource on the network. This unrestricted access poses a significant risk, because a single compromised account or device leaves the entire network open to a malicious actor.

Think of an “all-access” VIP card at a club. This card gets you access to a private room, free drinks and one-on-one time with a celebrity. There is nothing inherently exceptional about the person holding the VIP card; it’s the card that gives them power. All it takes is that card getting into the wrong hands, and a stranger gets the same level of access – probably not the best security strategy. 

A “bad actor” impersonates a legitimate user to gain access to the network.

When a threat enters a network built on traditional security, it has “lateral movement”: it can explore and compromise additional devices and systems beyond its initial entry point. Once inside, it can reach sensitive data without any “granularity,” because access is not re-checked per resource. Imagine each piece of information as a grain of sand. If the network does not enforce roles (admin, guest, user) at each resource, an attacker who gets in can “scoop up” vast amounts of data grains, just as an administrator could, potentially compromising the system instantly.

The Traditional Data Breach:

The traditional data breach: the “threat” navigates the network freely after “spoofing” the initial network authorization. Because the threat can act as an “admin,” it bounces between services, accessing apps, data, and assets across the network. Lateral movement is possible because all of these services are co-located behind a single point of trust, so the threat can effectively be in “two places at once.”

Because of this inherent trust granted on first entry to the network, it is no surprise that the ever-evolving methods of bad actors quickly take advantage of these legacy systems. As the name suggests, “zero-trust architecture” aims to confront this weakness directly.

What is Zero-Trust Architecture?

Zero trust is a security model that assumes nothing and no one inside the network is trusted by default. Every interaction, every instance where data is requested or communicated, must be authenticated and authorized on its own merits; being on the “inside” of the network counts for nothing. Imagine you’re logging on to a software platform you use every day for work. You enter your credentials, gain access to the network, enter the portal specific to your position, interact with the platform, and log off. A zero-trust framework requires verification at every step, from log-in to access to each interaction. That sounds arduous for a user, but the verification is done by the system rather than the person: the identity, the device, and the request are checked on every access, so each interaction is validated without disrupting the user experience.

You can’t call it “Zero-trust” unless every interaction, movement and engagement is validated:

The "zero-trust" method: services exist “granularly,” so that authorization to one service grants nothing on any other, and every interaction is authenticated.
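To make the contrast between the two models concrete, here is an added illustration (it is not Drift Net’s code and does not describe Dave’s implementation) that puts a perimeter check beside a per-request zero-trust check. The users, roles, services, device identifiers and sample requests are all constructed, and the HMAC-signed token stands in for whatever an identity provider would actually issue. It shows the “VIP card” problem from above (a stolen session is as good as the real one in the perimeter model) and how binding the session to a device, expiring it quickly, and checking role per service stops both the stolen card and the lateral move.

```python
"""
Perimeter ("castle and moat") access versus per-request zero-trust access.
Added example, not Drift Net's code. Every identity, role, service, device
and request below is constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"demo-key-not-for-production"  # constructed secret
TOKEN_TTL_SECONDS = 300                         # short-lived; refreshed silently in practice

# Constructed directory: who holds which role.
USERS = {"alice": "admin", "bob": "nurse", "mallory": "guest"}

# Constructed per-service policy (least privilege). A service with no entry is denied.
POLICY = {
    "ehr-records":    {"roles": {"admin", "nurse"},          "managed_device": True},
    "billing":        {"roles": {"admin"},                   "managed_device": True},
    "cafeteria-menu": {"roles": {"admin", "nurse", "guest"}, "managed_device": False},
}


@dataclass(frozen=True)
class Request:
    service: str
    inside_network: bool     # the only thing the perimeter model looks at
    token: Optional[str]     # presented on every request in the zero-trust model
    device_id: str           # reported by the device agent
    managed_device: bool     # device posture at the moment of the request


def perimeter_allows(req: Request) -> bool:
    """Legacy model: anyone already inside the network reaches every service.
    User, role and device are never re-checked, so lateral movement is free."""
    return req.inside_network


def issue_token(user: str, device_id: str, now: float) -> str:
    """Sign claims that bind the session to a user AND a device, with a short expiry."""
    claims = {"sub": user, "dev": device_id, "exp": now + TOKEN_TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: Optional[str], now: float) -> Optional[dict]:
    """Return the claims only if the signature is valid and the token is unexpired."""
    if not token or "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None


def zero_trust_allows(req: Request, now: float) -> bool:
    """Re-evaluate identity, device binding, posture and role on THIS request.
    Network location is deliberately not an input."""
    claims = verify_token(req.token, now)
    if claims is None:
        return False                         # no, forged, or expired credential
    if claims["dev"] != req.device_id:
        return False                         # token replayed from a different device
    rule = POLICY.get(req.service)
    if rule is None:
        return False                         # default deny for unknown services
    if rule["managed_device"] and not req.managed_device:
        return False                         # posture requirement not met
    return USERS.get(claims["sub"]) in rule["roles"]


def run_scenarios(now: float) -> dict:
    """Constructed scenarios -> {name: (perimeter_decision, zero_trust_decision)}."""
    bob_token = issue_token("bob", "laptop-77", now)
    forged_body = base64.urlsafe_b64encode(
        json.dumps({"sub": "alice", "dev": "rogue-01", "exp": now + 999}).encode()).decode()
    forged_token = forged_body + "." + "0" * 64      # claims admin, but unsigned by us
    cases = [
        ("nurse_reads_chart",            Request("ehr-records", True, bob_token, "laptop-77", True),  now),
        ("nurse_pivots_to_billing",      Request("billing",     True, bob_token, "laptop-77", True),  now),
        ("intruder_on_guest_wifi",       Request("ehr-records", True, None,      "rogue-01",  False), now),
        ("intruder_replays_stolen_token", Request("ehr-records", True, bob_token, "rogue-01",  False), now),
        ("intruder_forges_admin_token",  Request("billing",     True, forged_token, "rogue-01", True), now),
        ("nurse_token_an_hour_later",    Request("ehr-records", True, bob_token, "laptop-77", True),  now + 3600),
    ]
    return {name: (perimeter_allows(r), zero_trust_allows(r, t)) for name, r, t in cases}


if __name__ == "__main__":
    for name, (peri, zt) in run_scenarios(time.time()).items():
        print(f"{name:32s} perimeter={'ALLOW' if peri else 'DENY':5s} zero_trust={'ALLOW' if zt else 'DENY'}")
```

Every scenario except the first is allowed by the perimeter check and denied by the zero-trust check: the nurse’s pivot to billing fails on role, the intruder fails on missing, replayed or forged credentials, and the hour-old token fails on expiry. The legitimate nurse is never prompted again within the token’s lifetime, which is the sense in which every interaction is verified without disrupting the user.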

Principles of Zero-Trust 

Zero trust rests on several principles that, applied together, protect data without disrupting legitimate use. Each one closes a different gap left open by the perimeter model.

The idea of treating “trust” as a finite, measurable quantity in computer security goes back to researcher Stephen Paul Marsh’s 1994 doctoral thesis. The term “zero trust” itself was popularized by Forrester analyst John Kindervag in 2010, but the model was implemented only sparsely and lacked a standard definition until the National Institute of Standards and Technology (NIST) published Special Publication 800-207, "Zero Trust Architecture," in 2020. With today’s threat landscape and the move to cloud computing, many organizations are now turning to this hard-line approach to data security.

One thing that sets Dave’s approach to zero trust apart is his use of analysis of user engagement patterns, which will be discussed further in the next article in this series, where we’ll explore how a zero-trust framework can be implemented across an organization’s network.

While the focus of cyber threats has shifted from draining retirees’ savings through gift card scams to attacking large institutions, it’s important to remember that this is not an effort to protect big business; it is our best effort to protect the integrity of personal data. A line in the sand must be drawn regarding our privacy, and since we Americans cannot simply detach ourselves from commerce, cloud data, and these ever-present services, we must insist that our service providers take this uncompromising approach to data security.

Artwork By Jacob Lasswell & Jet Velasco