What does ‘zero trust’ really mean?
Invented in 2010 by Forrester Research, Zero Trust is a cybersecurity model that organizations can use to eliminate dangerous, implicitly trusted interactions between users, machines, and data. The Zero Trust model gives organizations a process for protecting themselves from threats no matter where the threat originates – whether from around the world or from Sandy down the hall. The three main principles that must be followed to realize the benefits of this model are:
- Ensure that all resources are accessed securely, regardless of location.
- Adopt a least-privilege strategy and strictly enforce access control.
- Inspect and log all traffic.
Eleven years later, these ideas and principles have matured in the face of accelerating digital transformation, remote work, and the proliferation of bring-your-own-device (BYOD). New principles have been developed in light of the US federal government’s Zero Trust mandate, codified in NIST SP 800-207 and elaborated in the NCCoE’s Zero Trust Architecture project. These principles are:
- Shift the focus from network segmentation to protecting resources: assets, services, workflows, and network accounts.
- Perform authentication and authorization as separate functions, for both the subject (user) and the device, in every session, using strong authentication.
- Ensure continuous monitoring.
Why is this important in cybersecurity?
The move toward Zero Trust has been one of the most significant shifts in how businesses approach security. Before adopting a Zero Trust mentality, most companies ran security as a closed perimeter: once a transaction was validated inside the fenced area, it was trusted implicitly.
This approach presents a problem because threat vectors do not always originate outside that perimeter. In addition, the whole world continues to embrace digital transformation and a mixed workforce, so resources no longer sit only behind the gate. Zero Trust methods require that every element of every interaction is continuously validated – no matter where it occurs – including all users, machines, applications, and data. There is no room for implicit trust.
What’s the spin on this buzzword?
Many vendors today market their products as “Zero Trust solutions” in their own right, rather than acknowledging that Zero Trust is a strategic model and framework, not a product. Looking across the cybersecurity marketplace, you’ll see vendors each claiming the title of the Zero Trust player.
On closer inspection, however, these vendors typically address only one principle of Zero Trust, for example by creating tunnelling services between users and applications. This aligns with the second original principle: adopt a least-privilege strategy and strictly enforce access control. But the same vendor may fall short on the first principle: ensuring that all resources are accessed securely, regardless of location. By implicitly trusting that the user is not a threat vector, they never look for malware or exploits inside the tunnel.
Others may cover only some aspects of the first original principle, such as claiming that identity and authorization checks alone eliminate implicit trust. Vendors may also suggest that only web-based traffic needs to be scanned. When only part of the model is implemented, however, companies risk creating implicit trust that exposes them to weaknesses the remaining principles would otherwise cover.
Our tip: What should executives consider when embracing Zero Trust?
The first step is to reframe your thinking about how organizations are secured, moving from a perimeter-based approach to one that constantly checks every interaction. To help make this transformation:
- Identify the resources your company needs to protect, where they are located, and the interactions that must flow around, in and through them.
- Remember that users, applications, and infrastructure/devices must be covered in every interaction they create.
- Understand that interactions consist of identity, access, device/workload, and transactions.
Then enact changes according to a plan, starting with the users, assets, and interactions that matter most to your organization. These are your crown jewels, typically things related to finance or intellectual property. Over time, expand your coverage to include all interactions. The plan should describe how users, applications, and infrastructure pass through each of the four parts of an interaction when a resource is requested.
The final step in this transformation is an ongoing one: maintenance and monitoring.
- Use continuous monitoring, rather than intermittent checks, to account for everything that happens.
- Look for ways to improve the current model as standards evolve and as more and more interactions are covered.
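The four parts of an interaction named above (identity, access, device/workload, transaction) can be seen concretely in a policy decision point that evaluates every request on those four points and ignores where the request comes from. The following is an added example, not code from the article or from any product: a hypothetical Python policy engine with constructed roles, resources, and sample requests, placed beside a legacy perimeter-style check so the difference in decisions is visible. All names (ROLES, POLICY, the request fields) are assumptions made for the illustration.

```python
"""Added example: a minimal zero-trust policy decision point beside a
perimeter-style check. Hypothetical names and constructed data throughout."""
from dataclasses import dataclass, asdict


@dataclass
class Request:
    subject: str            # identity of the requester
    session_mfa: bool       # strong authentication completed for this session
    device_id: str
    device_compliant: bool  # device posture: managed, patched, etc.
    source_network: str     # "corp-lan" or "internet"
    resource: str
    action: str             # "read" or "write"


# Constructed role assignments and per-resource policy (hypothetical).
ROLES = {"alice": "finance", "bob": "engineering"}
POLICY = {
    "payroll-db": {"allowed": {"finance": {"read"}}, "compliant_device": True},
    "wiki": {"allowed": {"finance": {"read", "write"},
                         "engineering": {"read", "write"}},
             "compliant_device": False},
}


def perimeter_decide(req: Request) -> bool:
    """Legacy model: anything already inside the fence is trusted."""
    return req.source_network == "corp-lan"


def zero_trust_decide(req: Request, audit_log: list) -> bool:
    """Check identity, device, access and transaction for every request.
    Network location is deliberately never consulted."""
    reasons = []
    # 1. Identity: strong authentication must hold for this session.
    if not req.session_mfa:
        reasons.append("session lacks strong authentication")
    policy = POLICY.get(req.resource)
    if policy is None:
        reasons.append("unknown resource")
    else:
        # 2. Device/workload: posture is checked where the resource demands it.
        if policy["compliant_device"] and not req.device_compliant:
            reasons.append("non-compliant device")
        # 3. Access: least privilege, evaluated per action, not per session.
        role = ROLES.get(req.subject)
        if req.action not in policy["allowed"].get(role, set()):
            reasons.append(f"{req.action} on {req.resource} not permitted for role {role}")
    allowed = not reasons
    # 4. Transaction: every decision is logged, whether allowed or denied.
    audit_log.append({**asdict(req),
                      "decision": "allow" if allowed else "deny",
                      "reasons": reasons})
    return allowed


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # insider on the LAN, no MFA, asking for data outside their role
    Request("bob", False, "laptop-7", True, "corp-lan", "payroll-db", "read"),
    # remote finance user, MFA done, managed device, within role
    Request("alice", True, "laptop-3", True, "internet", "payroll-db", "read"),
    # remote finance user on an unmanaged device
    Request("alice", True, "phone-9", False, "internet", "payroll-db", "read"),
    # finance user on the LAN trying to write where only read is allowed
    Request("alice", True, "laptop-3", True, "corp-lan", "payroll-db", "write"),
]


def compare_models(requests=SAMPLE_REQUESTS):
    """Return (perimeter decisions, zero-trust decisions, audit log)."""
    log = []
    perimeter = [perimeter_decide(r) for r in requests]
    zero_trust = [zero_trust_decide(r, log) for r in requests]
    return perimeter, zero_trust, log


if __name__ == "__main__":
    perimeter, zero_trust, log = compare_models()
    for r, p, z in zip(SAMPLE_REQUESTS, perimeter, zero_trust):
        p_s = "allow" if p else "deny"
        z_s = "allow" if z else "deny"
        print(f"{r.subject:6} {r.source_network:8} {r.resource:10} {r.action:5} "
              f"perimeter={p_s:5} zero_trust={z_s}")
```

Running it shows the two models disagree on the first and second requests: the perimeter check admits the insider on the LAN and turns away the legitimate remote user, while the zero-trust check does the opposite and records a reason for every denial in the audit log.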
Questions to ask your team to successfully build Zero Trust
- What are our important datasets, applications, and system functions?
- How do we secure each of the four parts of every interaction with these resources, regardless of who or what requests them?
- What is our plan for continuously monitoring significant events, such as logs, to establish baselines and detect abnormal behaviour?
- What is our strategy for selecting vendors that will help us achieve our Zero Trust goals, and what more will we need that products can’t cover?
- What is our strategy for going from covering one supplier to covering all resources completely, and what scalability in products and people will we need to do that?
To learn more about what Zero Trust complete security looks like, click here.