In the world of cybersecurity, much has been said about the zero-trust paradigm over the years, and with good reason: the basic tenets of the early days of information security have been overtaken by events and by technical evolution. On Feb. 26, the U.S. National Security Agency (NSA), supported by CISA and US-CERT, issued guidance in the document “Embracing a Zero Trust Security Model” (a seven-page PDF). Many consider the guidance late to the infosec party; early adopters have been building applications and constructing their infrastructure to align with the paradigm for years. Others will find the guidance both new and complex.
The NSA guidance explains, “The Zero-Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.” Governments have applied this “need to know” paradigm to state secrets since time immemorial; though, given the number of insider-threat cases being prosecuted that involve government insiders, one is right to question how effectively “need to know” has actually been implemented.
John Stewart, former SVP and CSO at Cisco and now president of Talons Ventures, noted, “The whole notion of a perimeter-based architecture, the ‘castle-moat,’ if you will, is over. You won’t stop an adversary if your environment is weak, or relies on outdated architecture from the 1990s, or trusts too much what is on the inside. In today’s environment – heck, in yesterday’s environment – I honestly have no idea how you could feel reasonably secure, unless you’re following zero-trust principles. Systems, devices, mobile, software, configurations, topologies, controls, logging – everything needs to be checked, and checked again and again and again. Enough said.”
NSA’s Zero-Trust Principles and Concepts
- Zero-Trust Principles:
  - Never trust, always verify.
  - Assume breach.
  - Verify explicitly.
- Zero-Trust Concepts:
  - Define mission outcomes.
  - Architect from the inside out.
  - Determine who/what needs access to the data/assets/applications/services.
  - Inspect and log all traffic before acting.
Brook Schoenfeld, master security architect and author, most recently, with Dr. James Ransome, of “Building In Security At Agile Speed” (Routledge 2021), tells us, “We can be heartened that [zero-trust] is, like threat modeling, gaining mind share. But I’m going to opine that every commercial [zero-trust] product, all taken together, doesn’t get us to where we need to be: always assume distrust. Grant only the privileges necessary for as long as needed, then revoke. This done with automation so that it’s manageable across billions of devices and trillions of lines of code.”
NSA recommends beginning immediately to integrate the zero-trust concepts into your established environment. The agency acknowledges that this is not as simple as flipping a switch, and that doing so carries operational cost. Nevertheless, every organization can start right away by reviewing its access controls: confirm that those who need access to sensitive information have it, and that those who do not need that access don’t have it.
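The access review NSA asks for is, at bottom, a comparison of what each principal currently holds against what their role actually requires, with time-bound grants checked against the clock so that “for as long as needed, then revoke” is enforced rather than assumed. The following is an added example written for this article, not code from the NSA guidance or from any product; the roles, principals, resources and grants are constructed, and the function names are hypothetical. It flags three kinds of findings: standing grants nobody’s role needs (revoke), expired just-in-time grants still on the books (revoke), and needs that no active grant satisfies (fix).

```python
"""Least-privilege access review over a constructed entitlement export.

Added example for this article; in practice the inputs would come from an
IdP or IAM export rather than the literals below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# What each role legitimately needs: role -> {(resource, permission)}.
# Constructed for illustration.
REQUIRED: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("reports-db", "read")},
    "engineer": {("reports-db", "read"), ("build-server", "write")},
    "auditor": {("audit-log", "read")},
}

# Who holds which role (hypothetical directory export).
ROLES: Dict[str, str] = {
    "alice": "analyst",
    "bob": "engineer",
    "carol": "auditor",
    "dave": "engineer",
}


@dataclass(frozen=True)
class Grant:
    """One entitlement as it exists today. expires=None is a standing grant."""
    principal: str
    resource: str
    permission: str
    expires: Optional[datetime] = None


# Fixed "now" so the example is deterministic.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)

# Constructed current state, with three deliberate findings embedded.
GRANTS: List[Grant] = [
    Grant("alice", "reports-db", "read"),
    Grant("alice", "build-server", "write"),                        # excess: analysts don't build
    Grant("bob", "reports-db", "read"),
    Grant("bob", "build-server", "write"),
    Grant("carol", "audit-log", "read"),
    Grant("carol", "reports-db", "read", NOW - timedelta(days=1)),  # JIT grant that expired yesterday
    Grant("dave", "build-server", "write"),                         # dave still lacks reports-db read
]


@dataclass
class ReviewResult:
    revoke_excess: Set[Grant]              # active grants no role requires
    revoke_expired: Set[Grant]             # time-bound grants past their window
    missing: Set[Tuple[str, str, str]]     # (principal, resource, permission) needed but absent


def is_active(grant: Grant, now: datetime) -> bool:
    """A grant is active if it is standing or its expiry is still in the future."""
    return grant.expires is None or grant.expires > now


def review_access(grants: List[Grant], roles: Dict[str, str],
                  required: Dict[str, Set[Tuple[str, str]]],
                  now: datetime) -> ReviewResult:
    """Compare held entitlements against role requirements at time `now`."""
    result = ReviewResult(set(), set(), set())
    active: Set[Tuple[str, str, str]] = set()

    for g in grants:
        if not is_active(g, now):
            result.revoke_expired.add(g)   # expiry takes precedence over any other judgement
            continue
        active.add((g.principal, g.resource, g.permission))
        # A principal with no known role needs nothing; every active grant is excess.
        needed = required.get(roles.get(g.principal, ""), set())
        if (g.resource, g.permission) not in needed:
            result.revoke_excess.add(g)

    # Now the other direction: does every requirement have an active grant behind it?
    for principal, role in roles.items():
        for resource, permission in required.get(role, set()):
            if (principal, resource, permission) not in active:
                result.missing.add((principal, resource, permission))

    return result


def run_review() -> ReviewResult:
    """Run the review against the constructed data above."""
    return review_access(GRANTS, ROLES, REQUIRED, NOW)


if __name__ == "__main__":
    r = run_review()
    for g in sorted(r.revoke_excess, key=str):
        print(f"REVOKE (excess):  {g.principal} {g.permission} on {g.resource}")
    for g in sorted(r.revoke_expired, key=str):
        print(f"REVOKE (expired): {g.principal} {g.permission} on {g.resource}, expired {g.expires:%Y-%m-%d}")
    for p, res, perm in sorted(r.missing):
        print(f"MISSING:          {p} needs {perm} on {res}")
```

Two design points matter in practice. Expiry is evaluated before the need check, so a just-in-time grant that has lapsed is revoked even if the role would otherwise justify it; re-granting is a fresh, explicitly verified decision, not a silent renewal. And the review runs in both directions: excess access is the obvious finding, but a missing grant is also a zero-trust failure, because it is exactly the condition under which people start sharing credentials or lobbying for broad standing access.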
In sum, moving your ecosystem toward zero trust makes that ecosystem more trustworthy.