The late Warren Bennis, a pioneer in the contemporary field of Leadership studies, once stated, “Trust is the lubrication that makes it possible for organizations to work.” He could have replaced the word “organizations” with “world” and he still would have been correct. Trust has always been the foundation upon which the global economy has been built. Traditionally, however, trust must be earned. Here’s the rub: As more companies continue their digital transformation journey and, as more devices connect to the internet, trust is becoming a more difficult virtue to verify. As a result, zero trust security (ZTS) environments are becoming a necessity. Rajesh Maurya, a regional Vice President of Sales at Fortinet, explains, “Zero trust operates on the premise that there are constant threats both outside and inside the network. Zero trust also assumes that every attempt to access the network or an application is a threat. It’s a network security philosophy that states no one inside or outside the network should be trusted until their identity has been thoroughly verified.”[1]
The Basics of Zero Trust
Although zero trust security sounds self-explanatory, security reporter Lily Hay Newman (@lilyhnewman) explains, “The cybersecurity world’s favorite catchphrase isn’t any one product or system, but a holistic approach to minimizing damage.”[2] She elaborates, “For years a concept known as ‘zero trust’ has been a go-to cybersecurity catchphrase, so much so that even the notoriously dilatory federal IT apparatus is going all in. But a crucial barrier to widespread adoption of this next-generation security model is mass confusion over what the term actually means. With cyberattacks like phishing, ransomware, and business email compromise at all time highs, though, something’s gotta change, and soon. At its core, zero trust relates to a shift in how organizations conceive of their networks and IT infrastructure.” If you are wondering what was wrong with the old way of securing networks, Newman sums it up pretty well. She writes:
“Under the old model, all the computers, servers, and other devices physically in an office building were on the same network and trusted each other. Your work computer could connect to the printer on your floor, or find team documents on a shared server. Tools like firewalls and antivirus were set up to view anything outside the organization as bad; everything inside the network didn’t merit much scrutiny. You can see, though, how the explosion of mobile devices, cloud services, and remote work have radically challenged those assumptions. Organizations can’t physically control every device their employees use anymore. And even if they could, the old model was never that great to begin with. Once an attacker slipped by those perimeter defenses, remotely or by physically infiltrating an organization, the network would instantly grant them a lot of trust and freedom. Security has never been as simple as ‘outside bad, inside good’.”
Maurya agrees with Newman that a zero trust environment involves much more than firewalls and antivirus programs. He explains, “Every environment needs to have consistent zero trust. It’s a cultural shift, which is often a bigger change than the technology shift. It involves a mindset and a commitment to changing how access is granted and how security is maintained across the organization.” Newman was correct when she noted that the U.S. Federal Government was going all in on creating a zero trust environment. In January 2022, the White House Office of Management and Budget released memorandum M-22-09, directing federal agencies to move towards a zero trust architecture. Tech journalist Dev Kundaliya reports, “Federal agencies have until the end of fiscal year 2024 to meet the strategy targets, which are based on a zero-trust model created by the US Cybersecurity and Infrastructure Security Agency (CISA). The document spells out dozens of security measures that federal agencies must implement in the next two years to secure their systems and networks, and to limit the risk of security incidents. They include widespread encryption, multi-factor authentication, and more rigorous network segmentation.”[3]
Creating a Zero Trust Environment
Even in a zero trust environment, people are generally the weakest security link. Business writer Louis Columbus (@LouisColumbus) reports, “Employee identities are the new security perimeter of any business. 80% of IT security breaches involve privileged credential access according to a Forrester study.”[4] To confront this challenge, Columbus insists organizations need to implement Next-Generation Access (NGA). He explains, “NGA validates every access attempt by capturing and quickly analyzing a wide breadth of data including user identity, device, device operating system, location, time, resource request, and several other factors. As NGA is designed to verify every user and access attempt, it’s foundational to attaining Zero Trust Security across an IT infrastructure.” NGA often involves Multi-Factor Authentication (MFA).
Infrastructure is the next concern in a Zero Trust Security environment. The staff at Palo Alto Networks explains, “Infrastructure can be anywhere, and everything is increasingly interconnected, making the elimination of implicit trust even more critical. You can no longer simply trust IT equipment such as printers or vendor-supplied hardware and software because IT and workplace infrastructure are increasingly connected to internet-facing apps that centrally command and orchestrate them. Anything internet-facing is a risk to your organization. Physical locations are increasingly run by connected things, including IoT, which typically have more access than they need. Traditional IT patching and maintenance strategies do not apply here — cyber adversaries know this is ripe for exploitation.”[5]
A final concern is connectivity. Gary Kinghorn, Managing Director at Tempered Networks, explains companies too often focus on devices, when they ought to pay more attention to network connectivity. He notes that so-called “smart” devices connected to the Internet of Things (IoT) can lull organizations into a false sense of security. “They’re very simple devices. They’re never going to be sophisticated enough to analyze a legitimate network connection or data request.”[6] The key is to make sure that attack vectors aren’t available to hackers. And to do that, systems need to adopt a “zero-trust” model for authorizing entry. He calls the network itself “the real hole” in security. He insists the only way to create a genuine zero trust security environment is to not “trust anything that’s trying to attach to your network, even apps or devices of your own internal users, unless they’re specifically authorized.” He adds that a zero-trust environment ensures that “all traffic moves through the network encrypted, so there are no interceptions or man-in-the-middle attacks.”
John Kindervag (@Kindervag), field CTO at Palo Alto Networks, suggests organizations must take five steps when trying to create a zero trust security environment.[7] They are:
Step 1. Define the potential attack surface that needs protection and reduce it to its smallest possible size. The surface can be categorized by DAAS: data, assets, applications and services.
Step 2. Map where transactions flow.
Step 3. Build the zero trust architecture, which shows where the controls need to go: surround the surface defined in Step 1 with a micro-perimeter enforced by a segmentation gateway, then manage policy at that gateway.
Step 4. Create the policy that articulates the who, what, where, when, why and how of traffic. A zero trust policy will be able to decide who can pass the micro-perimeter.
Step 5. Monitor and maintain the zero trust architecture for “an anti-fragile system.”
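The following is an added illustration, not code from the page or from any of the vendors quoted in it, of how Steps 1, 4 and 5 fit together with the context-based checks Columbus attributes to Next-Generation Access. It models a default-deny segmentation gateway: the protect surface is a list of DAAS elements, each allow rule is written in the who/what/when/where/why/how form of Step 4, a request carries the identity, device posture, location, time, MFA and transport signals from the NGA paragraph, and every decision is recorded for the monitoring of Step 5. The element names, roles, rules and requests are all constructed sample data.

```python
"""Default-deny micro-perimeter policy engine (added example, constructed data).

A request is allowed only if some rule passes every one of its checks; on
denial the reason names the nearest rule's failed checks so the monitoring
step sees why traffic was dropped, not just that it was.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Step 1: the protect surface, expressed as DAAS elements (constructed sample).
PROTECT_SURFACE = {"payroll-db": "data", "hr-portal": "application",
                   "sso-idp": "service", "print-spooler": "asset"}

DECISION_LOG: list[dict] = []   # Step 5: every decision is kept for monitoring


@dataclass(frozen=True)
class Request:
    """What the segmentation gateway knows about one access attempt."""
    user: str
    roles: frozenset
    resource: str          # protect-surface element being requested
    action: str            # read, write, admin
    device_managed: bool   # enrolled device presenting a client certificate
    os_patched: bool       # device posture signal
    mfa: bool              # second factor presented this session
    network: str           # corp-wifi, vpn, internet, ...
    encrypted: bool        # TLS/mTLS on the connection
    when: datetime         # timezone-aware


@dataclass(frozen=True)
class Rule:
    """One Kipling-method allow rule; anything no rule matches is denied."""
    who: frozenset                  # roles permitted
    what: frozenset                 # actions permitted
    where: str                      # protect-surface element
    when_hours: tuple[int, int]     # inclusive UTC hour window
    why: str                        # business justification, kept for audit
    how_networks: frozenset         # acceptable source networks
    how_mfa: bool = True
    how_managed: bool = True
    how_patched: bool = True


def _failures(rule: Rule, req: Request) -> list[str]:
    """Every condition of `rule` that `req` fails (empty list means a match)."""
    hour = req.when.astimezone(timezone.utc).hour
    checks = [
        (rule.where == req.resource, "where: wrong resource"),
        (bool(rule.who & req.roles), "who: role not permitted"),
        (req.action in rule.what, "what: action not permitted"),
        (rule.when_hours[0] <= hour <= rule.when_hours[1], "when: outside window"),
        (req.network in rule.how_networks, "how: source network not allowed"),
        (not rule.how_mfa or req.mfa, "how: MFA required"),
        (not rule.how_managed or req.device_managed, "how: unmanaged device"),
        (not rule.how_patched or req.os_patched, "how: device out of date"),
    ]
    return [msg for ok, msg in checks if not ok]


def evaluate(req: Request, rules: list[Rule]) -> tuple[bool, str]:
    """Default deny: return (allowed, reason) and log the decision."""
    if req.resource not in PROTECT_SURFACE:
        decision = (False, "resource not in protect surface")
    elif not req.encrypted:
        decision = (False, "unencrypted transport")
    else:
        nearest = None
        for rule in rules:
            failed = _failures(rule, req)
            if not failed:
                decision = (True, f"allowed by rule '{rule.why}'")
                break
            if nearest is None or len(failed) < len(nearest):
                nearest = failed
        else:
            decision = (False, "default deny: " + "; ".join(nearest or ["no rules"]))
    DECISION_LOG.append({"user": req.user, "resource": req.resource,
                         "action": req.action, "allowed": decision[0],
                         "reason": decision[1], "at": req.when.isoformat()})
    return decision


# Step 4: constructed policy for the payroll database.
RULES = [
    Rule(who=frozenset({"hr-analyst"}), what=frozenset({"read"}),
         where="payroll-db", when_hours=(8, 18), why="monthly payroll review",
         how_networks=frozenset({"corp-wifi", "vpn"})),
    Rule(who=frozenset({"dba"}), what=frozenset({"read", "write", "admin"}),
         where="payroll-db", when_hours=(0, 23), why="database administration",
         how_networks=frozenset({"vpn"})),
]


def _req(**overrides) -> Request:
    """Baseline request that satisfies the hr-analyst rule; override to break it."""
    base = dict(user="alice", roles=frozenset({"hr-analyst"}), resource="payroll-db",
                action="read", device_managed=True, os_patched=True, mfa=True,
                network="corp-wifi", encrypted=True,
                when=datetime(2022, 3, 1, 10, 0, tzinfo=timezone.utc))
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    cases = [("baseline", _req()), ("no mfa", _req(mfa=False)),
             ("from internet", _req(network="internet")),
             ("after hours", _req(when=datetime(2022, 3, 1, 23, 0, tzinfo=timezone.utc))),
             ("write", _req(action="write")), ("wiki", _req(resource="wiki"))]
    for name, r in cases:
        print(f"{name:14s} -> {evaluate(r, RULES)}")
```

The point of the nearest-rule reporting is operational: in a default-deny design, most blocked traffic is legitimate work that the policy has not yet accounted for, and Step 5 only works if the log says which of the who/what/when/where/how checks failed so the rule can be tightened or extended deliberately rather than by loosening everything.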
Concluding Thoughts
Columbus concludes, “Taking a Zero Trust Security (ZTS) approach to ensure every potential threat surface and endpoint, both within and outside a company, is protected, has become vital in today’s dynamic threat landscape. ZTS is an essential strategy for any digital business whose perimeters flex in response to customer demand, are using the Internet of Things (IoT) sensors to streamline supply chain and production logistics, and have suppliers, sales teams, support, and services all using mobile apps.” The Palo Alto Networks staff adds, “Deployed properly, the Zero Trust Enterprise is a strategic approach to cybersecurity that simplifies and unifies risk management under one important goal: to remove all implicit trust in every digital transaction. This means regardless of the situation, user, user location, device, source of connection, or access method, cybersecurity must be built in by design in every network, connection, and endpoint to address the modern threat landscape.”
Footnotes
[1] Rajesh Maurya, “Why Zero Trust is Key to a Successful Digital Enterprise,” CXO Today, 6 September 2021.
[2] Lily Hay Newman, “What Is Zero Trust? It Depends What You Want to Hear,” Wired, 21 September 2021.
[3] Dev Kundaliya, “White House begins zero trust rollout for federal agencies,” Computing, 25 January 2022.
[4] Louis Columbus, “Analytics Are Empowering Next-Gen Access And Zero Trust Security,” Forbes, 24 June 2018.
[5] Palo Alto Networks staff, “Architecting the Zero Trust Enterprise,” CIO, 22 December 2021.
[6] Robert J. Bowman, “Why ‘Zero Trust’ Is the Best Way to Shore Up IoT Device Security,” SupplyChainBrain, 17 May 2021.
[7] Samantha Schwartz, “Zero trust 101 and the art of healthy skepticism,” CIO Dive, 1 October 2019.