Transforming Security Through Zero Trust
You may have heard the phrase “zero trust” being thrown around quite a bit lately. While it may sound dystopian, zero trust is, I believe, a framework that embodies not only a concept but some of the cybersecurity best practices available today for enterprises to significantly enhance their information and cybersecurity posture.
As a prescribed set of best practices, zero trust is not a single product or technology but rather represents formalized applied thinking about security that you can implement in your organization, in which people, policy, process and technology support that applied security approach.
So, what is this particular way of thinking about security? Zero trust is aptly named. It begins with a core set of assumptions:
- The network is always assumed to be hostile (or certainly untrustworthy); you are under attack, and somewhere, someone has already gotten inside.
- External and internal threats exist on the network at all times; assume you are already dealing with both outside adversaries and malicious insiders.
- Network locality doesn’t equal trust; you can’t trust a person or device just because they are part of the company or connecting from inside it.
- Every device, user, application, and network flow should be both authenticated and authorized; the former means positive confirmation that an entity confirms who/what they say they are; the latter means the entity has the need, rights and reasons to do what they’re doing.
Given these assumptions, zero trust offers an appropriately circumspect (some might say “justifiably paranoid”) set of key principles and needs in response.
Visibility. I saw a speech recently in which a CISO recounted that shortly after his arrival in a Fortune 500 company of 66,000 employees (plus contractors), he had asked the company’s network management provider roughly how many devices were on the network. They couldn’t actually answer the question and came back several weeks later with an estimate of approximately 80,000.
Believing from experience that the real figure would be significantly greater than roughly one per person, the CISO asked that this same provider to conduct an actual inventory to determine the real figure. This took significant time, but when all was said and done, the real figure approached 140,000 devices.
They were off by 50,000 devices! If you consider not only how many applications and services were running on those devices but also the variability of those, then the true complexity of an organization is understood.
This anecdote illustrates one of the two most basic questions that enterprises face when it comes to network defense. Those are “What’s on my network right now?” and, “What’s talking to what?” Visibility into both assets and traffic is shockingly less complete or current than many people would expect and has emerged as a key cybersecurity challenge for organizations with security pros citing it as a top reason their SOC’s are not performing optimally.
The first step in better securing the network, then, almost by definition, is to start with knowing what the heck is running on it, and what each of those things is doing and talking to. As noted above, a core tenet of zero trust is authenticating and authorizing every user, device, application and network flow. But you have to have sight of it first; you can’t authenticate, secure or manage what you can’t see in all corners of your enterprise beyond just the perimeter.
Defined—and enforced—policies. Policies need to be developed about what activities are allowed or prohibited, ideally enforced by active measures but certainly monitored for potential violations and threats by user/device as many methods and from as many sources, as possible. Policy enforcement and monitoring should include both behavioral and signature/pattern-based approaches. It should understand what is trusted and normal, so it can detect, alert and even respond automatically to untrusted and anomalous applications, traffic and network and user behavior. For example, an HR executive calling up a database with employee Social Security numbers on her laptop during business hours might be completely normal and expected. The person and device are authenticated, and the behavior is authorized. However, the same file called up at 2 a.m. or from a foreign location or by an unrelated department should be noted, and possibly prevented, by the ability to define and then enforce policies, inline and in real-time on the network.
These same types of policies can also be applied at the technical level. For example, a connection to a website using out-of-date encryption or a vulnerable antiquated browser could be detected instantly and blocked, reset or could trigger a process to upgrade the disallowed application. Thanks to automation, this can be performed immediately, not minutes or hours after the fact when an alert finally reaches the top of an analyst’s queue.
Microsegmentation. Furthermore, a foundational building block of zero trust is the concept of microsegmentation, which is a simple concept to illustrate if we translate it from the network to the physical world. For example, a security badge may allow individual access to an office building, but that same badge doesn’t guarantee similar access to the company’s data center within that building if that employee has no reason to ever go there. Imagine a building where financial data, secret projects, health records and other “crown jewels” are spread in 100 rooms. Employees’ badges should allow access to their department, the lunchroom and other shared spaces, but nowhere they don’t need to be. Microsegmentation works the same way. It advocates carving up the network into finer segments than just the building’s front door and establishes controls for each one. No more “once you’re inside, you have the run of the whole place.” The controls should also be based on the notion of least privileged access, meaning authorization is provided only to those who need access to a particular part of the network or data to do their jobs. Put another way, it starts by assuming you’re allowed to access nothing, and then carefully (even grudgingly) expands the rooms you can access in line with your duties, rather than assuming that if you’re an employee, you’re free to roam about as you please.
The tidal wave of digital transformation promises to liberate organizations to do great things. But we must apply as much strategic thinking to the way we protect systems and data as we do to unleashing their benefits. A zero trust approach to security can serve as an indispensable enabler of all this innovation. By enabling visibility, granular, informed policy enforcement, and microsegmentation through coordinated and automated response, enterprises can embark on those bold, transformational journeys while maximizing the chances that cyber adversaries will not slow them down.
