At the start of the year, RSA predicted that the world would see increased ransomware attacks. That was due in large part to how bad things already were at the close of 2023: human-operated ransomware attacks were “up more than 200 percent” since September 2022, and ransom payments reached a record high of more than $1 billion in the U.S. alone last year.
If anything, our prediction was too conservative. Because while ransomware has continued to flourish in 2024 (UnitedHealth Group alone has reportedly lost more than $3 billion due to the Change Healthcare attack), there are many more threat vectors that will throw gasoline on the cybersecurity fire in 2024.
This year, more than 60 countries will have national elections. January’s “mother of all breaches” revealed 26 billion records (or 12 terabytes) from across LinkedIn, Twitter, Weibo, Tencent, and other platforms. In May, Ticketmaster and Live Nation lost 1.3 terabytes of data, including PCI information. Security and technology vendors themselves are being breached even as phishing-as-a-service rings spread.
All this adds up. Together, these trends give adversaries more data to exploit, more targets to steal from, and more opportunities to either disrupt the electoral process or co-opt its inherent emotion and urgency.
And the world is taking notice: I don’t think my team has had to respond to as many security questionnaires from customers and prospects as they have this year. Auditors and regulators are taking a zero-tolerance approach when it comes to renewing FedRAMP, FIDO, FIPS, and other certifications.
Don’t get me wrong: regulators, auditors, and customers are right to be concerned. Those are appropriate responses to an aggressive and unrelenting threat landscape. But more probing questionnaires and stricter audits aren’t nearly enough. Every organization must overhaul its entire security architecture and move toward Zero Trust.
We believe that the Gartner® Report, Quick Answer: What are the Core Principles of Zero Trust?, clarifies the concepts that make Zero Trust so powerful.
The report notes that there’s a great deal of confusion about what industry leaders mean when they say ‘Zero Trust’: “Gartner clients express frustration with the lack of simple and commonly agreed-upon zero trust principles. Security and risk management leaders can standardize on five core principles to move their organization’s zero-trust strategy forward.”
The report provides insights into the purpose and implications of each of those five principles. We feel that Zero Trust can’t be purchased—it must be earned. Organizations need to do the work to move Zero Trust from a theoretical paradigm to a working practice. What’s also clear is that three of the five concepts emphasize the role of identity in keeping organizations safe:
- “Establish identity”
- “Limited access”
- “Provide Risk-based adaptive access”
It’s not just the threat landscape that’s pushing organizations to move to Zero Trust. In the U.S., new cybersecurity requirements are also pushing government agencies to improve their cybersecurity architecture. Executive Order M-22-09 details how organizations should implement “a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024.”
The executive order describes its rationale for moving to Zero Trust: “In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” and that “A transition to a ‘zero trust’ approach to security provides a defensible architecture for this new environment.”
The 2024 Zero Trust deadline and an evolving threat landscape motivated the United States National Institute of Standards and Technology (NIST) to update its cybersecurity framework (CSF). NIST CSF 2.0 represents a new gold standard in cybersecurity. Importantly, the new framework applies to all organizations—and no longer just critical infrastructure.
NIST CSF 2.0 also emphasizes identity’s core security role. The framework notes that identity is critical to protecting organizations: “Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized users.”
NIST CSF 2.0 also details how organizations can advance their cybersecurity maturity, noting that the highest security stances use “real-time or near real-time information to understand and consistently act upon cybersecurity risks.”
RSA recently published a solution brief detailing some of the biggest changes to NIST CSF 2.0 since the first iteration and identity’s prominent cybersecurity role.
Given that most attacks begin with or involve identity, we feel organizations must move beyond seeing identity as an IT function and view it through a security-first lens. It’s also why we’ve developed the identity security components organizations need to meet the Zero Trust principles detailed in NIST CSF 2.0 and the Gartner report, including:
- Identity governance and administration (IGA): RSA® Governance & Lifecycle ensures the right user has the right access to the right resources at the right time. The solution integrates across applications, systems, and data to ensure users have access only to what is essential for their roles—and flags discrepancies for security teams to investigate
- Risk-based analytics: RSA® Risk AI uses machine learning, behavioral analytics, and business context to intuitively determine risk in real time and automate step-up authentication
- Multi-factor authentication (MFA): RSA is practically synonymous with MFA. We provide a range of MFA protocols—including FIDO, biometrics, OTP, QR code, mobile push, and more—to secure all users and all use cases across cloud, hybrid, and on-premises
The frequency and severity of attacks are becoming too great for organizations to ignore. Moreover, they’re demonstrating why cybersecurity can’t solve new problems using old solutions.
Organizations must have zero tolerance for identity solutions incapable of meeting this moment and moving to Zero Trust, which represents one of the most effective ways for organizations to adapt to new threats.