The Zero Trust model (opens in a new tab) is based on a simple concept, “trust nothing and no one”. Forrester notes that Zero Trust "is centered on the belief that trust is a vulnerability and that security should be designed with the 'never trust, always verify' strategy."
Specifically, organizations that adopt the Zero Trust model implement policies to verify everything and everyone, whether internal or external.
Although the Zero Trust approach has been around for more than a decade, first coined in 2009 by Forrester analyst John Kindervag, it wasn't widely adopted until very recently.
Zero Trust (opens in a new tab) has grown and modernized many aspects of IT security (opens in a new tab). For example, while traditional VPNs - opens in a new tab - still provide essential protections when connecting remotely from home to a corporate network, Zero Trust networks have taken telecommuter security to the next level by addressing specifically modern and expanding environments, such as the cloud. infrastructure, mobile devices and the Internet of Things (IoT).
In addition, the Zero Trust concept has transformed email security. Legacy email security solutions target only traditional types of attacks, such as spam or suspicious content in the body of a message, an approach that no longer holds up to today's advanced threat actors. A Zero Trust approach to email security, on the other hand, gives organizations the extra layer of protection needed to defend against even the most complex email-borne threats, such as phishing, social engineering, and compromise attacks. business email (BEC).
With email continuing to be the number one attack vector and email-based threats becoming more diverse, fast and sophisticated, it is essential that organizations apply the Zero Trust model to their email security strategy.
Put authentication at the heart of email security
Email-based threats have evolved beyond simple spam messages to highly sophisticated phishing attacks, including lookalike domains, display name spoofing, unauthorized domain ownership, and social engineering.
These attacks use spoofing techniques to trick the end user into believing that the sender and message are legitimate, typically by posing as another employee, business partner, or brand they know and trust. The goal is to trick employees into transferring money, downloading malware, or divulging sensitive information.
Taking a Zero Trust approach to email can help organizations defend against phishing attacks by emphasizing authentication, ensuring that email entering the business or reaching end users' inboxes is coming from of legitimate people, brands and domains.
The most effective way to do this is to implement security policies that ensure that no email is trusted and delivered unless it passes multiple authentication protocols, including:
SPF – Sender Policy Framework (SPF) records allow a domain owner to specify which host names and/or IP addresses are allowed to send email on behalf of the domain.
DKIM: DomainKeys Identified Mail (DKIM) allows domain owners (opens in a new tab) to apply a secure digital signature to emails.
DMARC: Domain-based Message Authentication, Reporting, and Enforcement (DMARC (opens in a new tab)) policies can prevent anyone except specifically authorized senders from sending messages using an organization's domain. Prevent malicious actors from sending phishing emails and domain spoofing attempts that appear to come from trusted brands. By adding DMARC to its Internet domain information, a company can discover who is impersonating its brand in emails, preventing those messages from reaching users.
To use DMARC, organizations must also have SPF and DKIM protocols. DMARC allows companies to set policies that are based on SPF and DKIM to tell email recipients' servers what to do when they receive bogus emails that spoof a domain. These options are to report the emails but do nothing, move them to a spam folder (quarantine), or reject them altogether. Finally, for organizations looking to implement DMARC, there are many resources available to help them get started.
In addition to authenticating email senders, it's also important to apply Zero Trust principles to email users. They too must authenticate themselves, and multi-factor authentication (MFA) is one of the most common and effective ways to do this.
Zero Trust doesn't stand a chance without employee involvement
While taking a Zero Trust approach to email security can significantly reduce an organization's risk of falling victim to email threats, the model alone is not 100% effective. Employees must also do their part.
Ultimately, the time, effort, and budget invested in the Zero Trust model will be undervalued if employees don't also adopt a Zero Trust mindset for everything they do in the office and at home (which is often the case these days). same). That's why ongoing cybersecurity awareness training is essential to defending against today's advanced threats.
For example, recent Mimecast research found that “bad clicks” tripled among remote workers at the start of the COVID-19 pandemic, when remote work (and lax cyber hygiene) became the standard. However, the same research found that only one in five organizations provide ongoing cybersecurity awareness training to end users.
Organizations should take the time to ensure that their employees are trained on how to spot and report suspicious emails. Inform them of the telltale signs of email phishing attacks, such as suspicious URLs and attachments, misspellings, and misplaced emergency tones. And make sure that if they question the legitimacy of an email, they have a direct and easy way to report it.
The Zero Trust concept may be simple, but implementing it can be much more difficult. With a focus on authentication and employee cybersecurity awareness training, you'll be well on your way to defending against even the most sophisticated phishing attacks and strengthening your organization's overall security.