Is zero trust hype or real? Is implementing zero trust a worthwhile endeavor?
During a session I attended at Akamai Edge World 2019 in Las Vegas earlier this month, the panel moderator asked a group of CISOs a simple question: Is zero trust the real deal or the latest buzzphrase in cybersecurity?
After that session, I had the opportunity to bring that up with two of Akamai’s zero trust experts: Lorenz Jakober, director of Product Marketing, and Patrick Sullivan, global director of Security. Sullivan was the moderator who asked that question to his panel, but apparently, it is one the Akamai team asks its customers frequently. They get a lot of eye rolls from those who think it is nothing more than the latest buzz term, said Jakober.
“Once that initial conversation has happened and you begin to discuss the underlying principles and architecture, there is usually agreement that there is value in the framework,” Jakober continued, “as long as it’s aligned to the overall approach to zero trust, versus a zero-trust product or solution.”
Zero Trust Basics
Zero trust isn’t a new concept, but one that seems to be, well, a bit buzzy right now. According to CSO, the zero trust architecture was developed nearly a decade ago by John Kindervag, then a principal analyst with Forrester. What drives zero trust is, essentially, trusting no one. It is “… centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access,” CSO reported.
CISOs see zero trust as a blessing and a curse, said Sullivan. On the curse side, yes, it is a catchy phrase, and while it appears to be pretty straightforward—trust nothing!—there are some confusing elements to be addressed. For example, does zero trust also mean not trusting employees?
“On the pro side, there is real merit to the framework and the concepts that are capsulated in zero trust,” said Sullivan. “This call to get to zero trust is driving action to do those fundamental security tasks that might otherwise never gotten done.”
It is a buzzphrase that has resulted in people taking action in improving their overall security posture.
How to Bring Zero Trust to Your Organization
The best way to get started implementing zero trust and creating a zero-trust framework is just to do it. Pick an app and go. Sullivan said the approach to zero trust tends to fall into two groups. The first has its zero-trust team, and 12 months later, they are still having weekly meetings but otherwise have done nothing because they’re designing this nirvana architecture.
The other group picks one app as a test model. This group isn’t afraid to experiment and fail; they’ll learn some lessons as they figure out a zero-trust approach. When it is time to onboard a second app, the process will go faster because the group knows what works and what doesn’t. By the fifth or sixth app, the process is streamlined.
“Start slow by picking a non-critical app that the business can take some risk with,” said Sullivan. “Once you get moving, it’s easier than you think, but action is better than planning.”
The trust nothing—or trust and verify—model for implementing zero trust should be centered on the applications and the access to those applications. You should trust your employees that they are who they say they are. This means having a strong understanding of the user’s identity, solid authentication methods and knowing the posture of the device to make risk-based deliberate decisions to grant access. “But our default decision is to deny, rather than our default decision to allow,” said Sullivan.
To allow, you have to know who is on the network. Jakober noted Akamai has the capability to assess access and risk based on a trust score. “You ultimately define the risk score for a particular entity or device on a number of signals to get access to applications,” he said. “For example, is the device beaconing out to a malicious website? If so, that device shouldn’t be getting access.”
Start the Journey
What Jakober and Sullivan both stressed is that you can’t create a zero-trust architecture by just talking about it. Yes, you need to develop a plan so you aren’t jumping in blindly, but don’t be intimidated if it takes a while to figure out the framework. Think about your long-term goals and your business plan to understand how and where zero trust fits.
Don’t be afraid to evangelize your success in your attempts at implementing a zero-trust framework. Talking about it, Jakober said, helps spread the word throughout the company, and that leads to getting funding and executive buy-in to continue the journey.