Why the world needs Zero Trust Security for email

Hackers are always working on new ways to infiltrate a network. As they continue to get more and more sophisticated, even the White House can’t always detect them. IT security teams need to consider new frameworks to protect their networks.

The healthcare industry is a notorious target for cyberattacks, and traditional cybersecurity measures simply aren’t effective anymore. Zero Trust Security for email may well be the answer.

What is Zero Trust

Zero Trust is a security framework that assumes that every person or device requesting access to a network is a potential threat. It is an emergent security strategy requiring a user validate their identity multiple times before gaining access, and even then, the user doesn’t get full access to the network.

According to TechBeacon, COVID-19 is accelerating the adoption of the model since users are more likely to access sensitive information remotely.

No single technology is associated with Zero Trust. Instead, it’s a comprehensive framework that incorporates several different principles and technologies.

Here are the guiding principles behind Zero Trust Security:

• Nothing and no one is automatically trusted. Attackers could come from either inside or outside of a network.
• Least privilege access. Users only get as much access as they need, thereby limiting exposure to sensitive data.
• Microsegmentation. Security perimeters are broken up into small zones to maintain separate access for separate parts of the network.
• Multi-factor authentication (MFA). A core value of Zero Trust Security, MFA means more than one piece of evidence is required to authenticate a user.
• Strict controls on device access. Zero Trust Security systems monitor how many different devices are trying to access a network and ensure every device is authorized.
• Real-time activity monitoring. It is critical to spot abnormalities in behavior in real time in order to shut down a possible hacking attempt immediately.

Why we need Zero Trust for email

According to Coveware’s most recent Q4 2020 report, email phishing overtook remote desk protocol (RDP) compromises as the dominant attack vector last year. Deloitte’s research also finds that 91% of all cyberattacks begin with a phishing email. Even the recent massive Colonial Pipeline ransomware attack was most likely caused by an employee falling for a phishing email.

These days, bad actors are using American tech companies to send malicious emails, such as Amazon SES, Sendinblue, and Mailgun. This puts malware out of reach of the early warning system run by the National Security Agency (NSA) because it is prohibited by law from conducting surveillance inside the United States.

In other words, we can no longer trust email sent from American hosting and infrastructure companies.

Nation state threat actors are sending sophisticated email phishing campaigns that pass the following security checks:

• DNS Real-time Blackhole List (DNSRBL). This frontline defense system checks whether a sending IP address is on a blacklist of IP addresses reputed to send malicious email.
• Sender Policy Framework (SPF). An email authentication method that indicates that a mail server is authorized to send email for your domain.
• DomainKeys Identified Mail (DKIM). Another email authentication system that uses digital signatures to allow the receiver to check that an email was indeed authorized by the owner of that domain.
• Domain-based Message Authentication, Reporting and Conformance (DMARC). Yet another authentication protocol that leverages SPF and DKIM to determine the authenticity of an email message.
• DomainAge. Newly registered domain names sending email are a red flag and quarantined.

Malicious emails pass these checks because the bad actors registered new email domains, sat on them for years so they did not raise any red flags, took the time to configure and maintain their accounts correctly, and then hid behind American companies inaccessible to the NSA.

Therefore, in order to keep up in the cybersecurity arms race, what’s needed is a Zero Trust Security framework for email.

How Zero Trust for email can work

As part of a Zero Trust framework for email, MFA can be reimagined as an authentication method not for a user, but for a machine.

Let’s say a mail server is attempting to send you an email. During the SMTP conversation between mail servers, the sender claims it is a part of Amazon’s SES platform, and your MX record host verifies that this is true because it passes the security checks outlined above.

However, with a Zero Trust for email paradigm, those checks aren’t good enough. One more piece of evidence is required to authenticate that the email is truly legitimate and not a phishing attack cloaked under the guise of Amazon’s email platform.

I believe this new piece of evidence should be unique to each customer and be updated based on usage over time. In other words, it must be very difficult for bad actors to impersonate.

This new approach will yield a unique form of MFA, an additional piece of evidence required to authenticate an email. It would be especially useful for healthcare providers that not only need extra security to send HIPAA compliant email, but also must block incoming cyberattacks.