We are still unconvinced that we will ever know the full extent of the damage from what is perhaps the worst data breach ever. According to the Cyber Unified Coordination Group (UCG), the compromise of the SolarWinds Orion platform has impacted approximately 18,000 public and private sector customers. The UCG also said that the Russian-backed Advanced Persistent Threat (APT) group is most likely responsible for the SolarWinds hack. As the investigation continues, we are learning more and more details about the attack and those impacted.
What we do know is that the attackers spent many, many patient months learning about the SolarWinds environment and determining the best and most effective way to insert backdoor access into the Orion product. The supply chain attack was extremely sophisticated and a real wake-up call for cybersecurity professionals.
It is now painfully obvious that the traditional castle-and-moat security design does not work in modern computing. We can’t just create perimeter security by walling off our resources and controlling access through a firewall. We are very much a mobile workforce, and many of the services we use in our law practices are cloud-based. We need a new approach to securing access to the confidential data law firms possess.
The National Institute of Standards and Technology (NIST) released the final version of its Zero Trust Architecture (ZTA) publication (NIST Special Publication 800-207) in August 2020, which will help organizations deploy a security model for the future. The National Security Agency (NSA) and Microsoft are also advocating for Zero Trust Architecture to help combat sophisticated cyber-attacks such as SolarWinds.
The obvious question is: what is zero trust? The concept of zero trust networks has been around for at least a decade, but cybersecurity events such as SolarWinds and the attacks on Microsoft on-premises Exchange servers have brought renewed focus to the Zero Trust discussion.
The NSA stated, “The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.”
In other words, trust nothing and constantly verify. It gives new meaning to Ronald Reagan’s words, “Trust, but verify.”
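One way to make the NSA’s description concrete, as an added Python example that is not part of this article or of any NSA or NIST publication: a toy policy decision point that denies every request by default and allows it only when the user’s entitlement, MFA status, device health and a session risk score all satisfy the policy for the data’s sensitivity tier. The tier names, thresholds and request fields are constructed for illustration.

```python
"""Toy zero-trust policy decision point, written for this article.
Not NSA or NIST code: the sensitivity tiers, thresholds and fields are
constructed to show per-request, context-based, least-privilege decisions."""
from dataclasses import dataclass, field

# Constructed tiers: what each level of data demands from the request context.
POLICY = {
    "public":       {"mfa": False, "managed_device": False, "max_risk": 80},
    "internal":     {"mfa": True,  "managed_device": False, "max_risk": 60},
    "confidential": {"mfa": True,  "managed_device": True,  "max_risk": 30},
}

@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: str
    entitled: bool          # role actually grants this resource (least privilege)
    mfa_passed: bool
    device_compliant: bool  # managed, patched, endpoint agent healthy
    risk_score: int         # 0 = benign .. 100 = highly anomalous session

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

def decide(req: AccessRequest) -> Decision:
    """Evaluate one request on its own; deny by default and record every
    failed factor so denials can be logged and reviewed for anomalies."""
    rule = POLICY.get(req.sensitivity)
    if rule is None:
        return Decision(False, ["unknown sensitivity tier: default deny"])
    reasons = []
    if not req.entitled:
        reasons.append("no entitlement for resource")
    if rule["mfa"] and not req.mfa_passed:
        reasons.append("MFA required")
    if rule["managed_device"] and not req.device_compliant:
        reasons.append("unmanaged or non-compliant device")
    if req.risk_score > rule["max_risk"]:
        reasons.append(f"risk {req.risk_score} exceeds tier limit {rule['max_risk']}")
    # Valid credentials alone never suffice: the same user is re-evaluated
    # on every request, and any failed factor turns the decision into a deny.
    return Decision(allow=not reasons, reasons=reasons)
```

The same associate with the same valid password and MFA is allowed from a compliant device with a low risk score and denied from an unmanaged device with an anomalous session, which is the “constantly verify” half of the model.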