Zero Trust Explained – 7 Tips For Implementation

4 min read
(April 13, 2023)

Modern business technology environments are hybrid and complex, consisting of a combination of on-premises, private and public cloud and “as-a-Service” solutions. Traditionally, enterprises relied on location-based services for information systems to support their business. This led to clearly defined borders and assumptions about resources that are considered trusted and untrusted. Many businesses have adopted or are in the process of moving toward a cloud-first strategy.

Cloud-mature organizations are those that have completed a digital transformation, migrated existing workloads to cloud-based services and revised their operations accordingly. Even so, the mindset of defined borders largely remains in practice. This overview describes the Zero Trust philosophy, which applies situational context to every access decision for enterprise technology resources in order to reduce organizational risk. It also touches on high-level considerations for Zero Trust planning and on industry frameworks. Let’s start by defining the reasons businesses might consider moving away from traditional security practices in favor of a Zero Trust approach.

Defining the problem… 

Traditional security approaches practice a top-down model in which a clear delineation defines trusted (inside) environments and untrusted (external) environments. Although the industry has shifted toward assuming that attackers have already breached perimeter defenses and are moving laterally, cyber-attacks continue to succeed. To compensate, it is common for information security teams to install what I refer to as “last mile” controls or safeguards. These are products that seek to solve a specific security challenge or gap, such as endpoint security software stacks (EDR, DFIR agents, etc.), Network Access Control, Data Loss Prevention products, and application-aware or Unified Threat Management firewalls.

Though these technologies are helpful, within limits, for identifying and possibly preventing some cyberattacks, they often fall short because they lack a holistic approach to applying security policy consistently across the enterprise. Traditional approaches also do not account for insider threats, meaning threat actors that already have access to the environment, whether an internal employee or contractor or an attacker who has breached the perimeter. To compound the problem, access decisions tend to be binary: the user is either permitted or denied, typically based on a narrow set of criteria and evaluated only once, at the initial access attempt. The user’s device is usually not considered at all when making the decision. Instead of reacting to individual security challenges one product at a time, the industry needs a new way of thinking, which is where Zero Trust demonstrates its value.

Zero Trust Overview 

Zero Trust is a concept that seeks to address borderless enterprise networks, that is, environments without defined perimeters. It assumes that systems can be any combination of hybrid cloud and on-premises resources, and that data can exist anywhere rather than at a distinct location (or data center). Zero Trust decouples access to resources from access to the network, in favor of contextual security.

The concept behind Zero Trust is default deny, meaning trust is not implicitly granted based on a narrow set of criteria. Rather, access to applications and information is held to a least-privilege standard until the user can either demonstrate a pre-defined trust level or has been granted the designated access permissions.

Again, trust is not established at a single point in time; Zero Trust practices reassess the subject throughout the session to ensure its integrity has not diminished. This continuous re-evaluation is one of the core principles of Zero Trust. The user’s location is also no longer an indicator of trust: a user connected to the internal network is not trusted any more than one connecting from outside. This seeks to eliminate excessive or implicit trust. Another core principle applies least privilege as a standard, where access is allowed only to the subset of applications or network segments the subject actually needs.

This approach works very well for organizations that operate a BYOD program or allow unmanaged devices for business partners or third parties. Access policies are developed to assign or rate trust levels based on the integrity of the device, and permissions to access resources are granted accordingly.
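As an added illustration (this is not code from the original post), the following Python sketch models the principles described above: default deny, a trust level rated from device posture rather than network location, per-resource least-privilege thresholds, and continuous re-evaluation of an open session. The resource names, posture signals and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed thresholds: minimum trust level required per resource (assumption).
RESOURCE_MIN_TRUST = {"wiki": 1, "hr-portal": 2, "finance-db": 3}

@dataclass
class Context:
    user: str
    mfa: bool             # subject completed multi-factor authentication
    device_managed: bool  # enrolled managed device (BYOD/partner devices are False)
    disk_encrypted: bool
    edr_healthy: bool     # endpoint agent reporting and up to date
    network: str          # "corp" or "internet": deliberately NOT a decision input

def trust_level(ctx: Context) -> int:
    """Rate subject plus device from 0 (untrusted) to 3 using posture signals only."""
    level = 0
    if ctx.mfa:
        level += 1
    if ctx.device_managed and ctx.disk_encrypted:
        level += 1
    if ctx.edr_healthy:
        level += 1
    return level

def decide(ctx: Context, resource: str) -> bool:
    """Default deny: an unknown resource or an insufficient trust level is refused."""
    required = RESOURCE_MIN_TRUST.get(resource)
    if required is None:
        return False
    return trust_level(ctx) >= required

class Session:
    """Continuous re-evaluation: each posture update re-runs the access decision."""
    def __init__(self, ctx: Context, resource: str):
        self.ctx, self.resource = ctx, resource
        self.open = decide(ctx, resource)

    def refresh(self, **posture) -> bool:
        # Apply fresh posture signals (e.g. EDR stopped reporting) and re-decide.
        for key, value in posture.items():
            setattr(self.ctx, key, value)
        self.open = decide(self.ctx, self.resource)
        return self.open
```

A session that was granted access to the constructed "finance-db" is revoked as soon as the device's EDR agent stops reporting, regardless of whether the user is on the corporate network.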

Planning for Zero Trust: 7 Tips For Implementation 

Organizations considering adopting Zero Trust as a guiding principle may use the following as a starting point for planning their journey.

  • Critical Assets – Identify assets critical to the business, including on-premises and cloud-based systems, sensitive data, critical business applications, intellectual property, regulatory data, etc., preferably using an automated process on a scheduled cadence.
  • Authentication – Develop authentication policies that define a location-independent standard of access to the organization. Identify methods to authenticate the device as well as the user, including ensuring data integrity along the way.
  • Access & Authorization Policies – Establish access policies based on least-privilege principles and ensure policy is applied consistently across the enterprise.
  • Data Flows – Document data flows and understand how information is processed, transacted, communicated, and stored. This includes interactions with third parties and understanding their approach to these activities.
  • Monitor – Monitor the environment for “interesting” behavior. I cannot stress this enough: “know your environment” and configure tools appropriately to detect anomalous behavior. Establish a maturity process so monitoring is consistently improved and evolves as business requirements evolve.
  • Segmentation – Segment the environment, especially critical assets. The goal is to limit privilege escalation and lateral movement. Establish appropriate controls so a threat actor would trip alarms or make noise when attempting to move laterally through the environment.
  • Meaningful Metrics – Develop key metrics to track and report progress of the Zero Trust journey. This is helpful when engaging the board on Zero Trust to drive conversations. Include defining success criteria and expected outcomes for each milestone.

A Word About Frameworks… 

Frameworks are a rational method for aligning a security program to a standard model. They provide program stability and facilitate an auditable function. Frameworks tend to be prescriptive in nature, which is useful for demonstrating and inspiring confidence in leadership and for fostering dialogue in the boardroom. They also provide mechanisms for reporting metrics on a business’s Zero Trust journey. I would caution, however, that frameworks can lead to a checklist mentality in compliance efforts. It has been said before that there is a fine line between satisfying a “checkbox” and the thoughtful selection of a control or safeguard. Two Zero Trust frameworks are receiving significant industry attention, the “CISA Zero Trust Model” and the “NIST Zero Trust Architecture 800-207”, although an in-depth analysis of either is outside the scope of this overview.

Final Thoughts 

Zero Trust is making its way into almost every conversation in the board room. I would consider it the latest paradigm shift in security models, as executives seek new methods to reduce their businesses’ exposure to cyber risk. It is important for organizations considering Zero Trust to develop a road map, clearly define successful outcomes, obtain executive support, and establish key reporting metrics that align with core business values.