Author: Nigel Thorpe, Technical Director at SecureAge Technology
The traditional, perimeter-based security model assumes that everything inside the corporate boundary is safe and trusted, while anything that comes from outside must be treated with suspicion. There are three fundamental problems with this approach.
Firstly, the concept of ‘inside’ the corporate boundary is very hard to pin down these days, particularly with the rapidly growing number of remote workers. Customers, partners, and the supply chain all expect to use ‘inside’ resources, and it is far from clear whether cloud services should be considered ‘inside’ or ‘outside’. The increasingly porous nature of corporate networks has been discussed for a long time.
Secondly, every organization should assume that it will be breached at some point. One needs to look no further than the SolarWinds supply-chain compromise, which reached FireEye and several US Government departments, to see that even well-protected networks can be breached. Once this is conceded, the CISO must accept that not everything ‘inside’ can be trusted.
Thirdly, there is the rogue employee. From an IT security point of view, this is an individual who is ‘inside’ and is trusted, with access to a range of systems and data.
So, if the conventional wisdom of corporate security is flawed, what are the options?
What is Zero Trust?
The idea of Zero Trust stems from the realization that trust in the digital world represents a vulnerability – so, trust in this context is a bad thing. In traditional architecture, access to an asset is granted simply because the user is logged on to a system on the inside, and therefore trusted.
The Zero Trust model turns this on its head to eliminate implicit trust from the IT architecture. Now, whenever an attempt is made to access an asset, for example a network segment, an application, or a data store, the user must authenticate to prove their identity, and the request is checked against policy to confirm that they are authorized, typically taking the state of their device and other context into account. With this identity- and context-aware approach to asset access, a successful cyber-attack has only limited scope: a foothold on one system does not grant access to everything else on the network.
Zero Trust assumes that nothing on the inside can be trusted implicitly. Each asset, such as an endpoint, an application, or a data store, has a defined protect surface. To get through this shield, a transaction must conform to a policy that specifies which transaction flows are permitted and what authentication is required.
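To make the per-request decision concrete, here is an added example, not code from the article or from SecureAge, of a small policy decision point written in Go. The Subject, Device, Request and Rule types, the roles, and the resource names are all assumed for illustration. The source network of a request is carried only for logging; the decision depends on who is asking, what state their device is in, and what they are trying to do.

```go
package main

import "fmt"

// A minimal policy decision point: every request is judged on identity, device
// posture and the action requested, never on which network it came from.
// All types, roles and resource names are hypothetical (added example).

// Subject is the authenticated identity behind the request.
type Subject struct {
	User  string
	Roles []string
	MFA   bool // a second factor was verified for this session
}

// Device is the posture attested for the requesting endpoint.
type Device struct {
	Managed, DiskEncrypted, PatchLevelOK bool
}

// Request is one attempt to perform Action on Resource. Network is logged
// but carries no weight in the decision.
type Request struct {
	Subject  Subject
	Device   Device
	Resource string
	Action   string
	Network  string // "corp-lan", "vpn", "internet", ...
}

// Rule is the policy attached to one resource's protect surface.
type Rule struct {
	AllowedRoles   map[string][]string // action -> roles that may perform it
	RequireMFA     bool
	RequireHealthy bool // device must be managed, encrypted and patched
}

// policy maps each protected resource to its rule; unlisted resources are denied.
var policy = map[string]Rule{
	"hr-records": {
		AllowedRoles:   map[string][]string{"read": {"hr", "hr-admin"}, "write": {"hr-admin"}},
		RequireMFA:     true,
		RequireHealthy: true,
	},
	"wiki": {AllowedRoles: map[string][]string{"read": {"employee", "hr", "hr-admin"}}},
}

func (s Subject) hasRole(role string) bool {
	for _, r := range s.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func (d Device) healthy() bool { return d.Managed && d.DiskEncrypted && d.PatchLevelOK }

// Evaluate returns whether the request is allowed and why. Every check runs on
// every request; being on the corporate LAN grants nothing by itself.
func Evaluate(req Request) (bool, string) {
	rule, ok := policy[req.Resource]
	if !ok {
		return false, "no policy for resource (default deny)"
	}
	if req.Subject.User == "" {
		return false, "request is unauthenticated"
	}
	if rule.RequireMFA && !req.Subject.MFA {
		return false, "multi-factor authentication required"
	}
	if rule.RequireHealthy && !req.Device.healthy() {
		return false, "device posture not compliant"
	}
	// An action missing from AllowedRoles yields a nil slice, so the loop
	// simply never grants: unknown actions are denied.
	for _, role := range rule.AllowedRoles[req.Action] {
		if req.Subject.hasRole(role) {
			return true, "authorized as " + role
		}
	}
	return false, "no role permits " + req.Action + " on " + req.Resource
}

func main() {
	healthy := Device{Managed: true, DiskEncrypted: true, PatchLevelOK: true}
	alice := Subject{User: "alice", Roles: []string{"employee", "hr"}, MFA: true}
	noMFA := alice
	noMFA.MFA = false
	for _, req := range []Request{
		{noMFA, healthy, "hr-records", "read", "corp-lan"},  // on the LAN, no MFA: denied
		{alice, healthy, "hr-records", "read", "internet"},  // strong identity, healthy device: allowed
		{alice, Device{}, "hr-records", "read", "vpn"},      // unmanaged laptop: denied
		{alice, healthy, "hr-records", "write", "corp-lan"}, // wrong action: denied
	} {
		allowed, why := Evaluate(req)
		fmt.Printf("%-10s %-5s from %-8s -> allow=%-5v (%s)\n", req.Resource, req.Action, req.Network, allowed, why)
	}
}
```

Run it with `go run`: the four sample requests show the same user refused on the corporate LAN for lack of a second factor and admitted from the internet on a healthy device, which is exactly the inversion of the perimeter model the text describes. A real policy engine would also consider session age, request rate and data sensitivity, but the shape of the decision is the same.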
What is the Business Value?
This all sounds very complicated and expensive. As an analogy, Zero Trust effectively places guards at every door in the building rather than just having one security guard on the front door, and each guard has their own list detailing what people are authorized to do once they are allowed to enter. How does the business benefit from these controls?
The Zero Trust principle enables people to work in the most efficient and convenient manner, which increases business efficiency and productivity. Now that protection is part of the IT asset itself, users can make use of assets from any location, using any device. If commentators are correct, there will be continued flexibility within the post-pandemic workplace, so a Zero Trust architecture will provide tools to support this more securely.
Business agility is also improved. Applications, data, and services can all be moved, modified, and amalgamated without concern for the security of their containing environment, since the protect surface is an attribute of the asset, not of where it happens to be.
Finally, risks are reduced, leading to a lower likelihood of a successful attack or data breach.
Much like the very real and current balance between public health and the economy, all cybersecurity measures – Zero Trust included – must balance usability and security. As an example, most Zero Trust implementations go hand-in-hand with some kind of Single Sign-On solution. This balances convenience and efficiency against the strength of security. Users are not constantly pestered for their user credentials, while behind the scenes authentication is being managed on their behalf.
Tip the balance one way, and productivity takes a dive, while the other way increases the risk of data theft and disruption.
Fortunately, Zero Trust is something that can be deployed in a piecemeal fashion. By gradually segmenting the network and applying controls such as multi-factor authentication, least-privilege access, and posture validation of every endpoint device, the organization can grow the Zero Trust architecture from a small base, eventually covering the entire network.
However, this is often as far as organizations get with deploying Zero Trust. What if some external party manages to evade all these controls and access IT assets? What if a member of staff decides to go rogue? What if a software vulnerability is exploited, leading to data theft? SolarWinds springs to mind.
The problem with most Zero Trust implementations is that they don’t take the concept far enough. They end up with a network that has many ring-fences, each with its own controls. However, the data inside the fences is not secured, so anyone who manages to get inside has free rein over the information stored there.
It Must be Assumed that the Organization will be Hacked
In implementing Zero Trust, it is common for an organization to segment the network, identifying the most sensitive data and assets and separating them from the rest of the network, protected behind secure fences.
Leaving aside the significant problem of accurately defining, identifying, and segregating this most sensitive data, one major pitfall with this concept is that humans are involved, and humans do what’s most convenient rather than what’s expected from an IT security point of view.
An increasingly common form of ransomware and extortion attack targets a specific senior executive. Once the cybercriminal has gained access to that executive’s systems, they look for information that will cause maximum embarrassment for the target. This could be corporate, such as details of legal action against the company, or personal. Either way, the information tends to be held locally and not in the supposedly secure vaults established by the IT department.
Organizations must implement an additional layer of technology in their Zero Trust architecture that builds security right into data – all data in all locations. This can be achieved by requiring authentication for every access to data and by encrypting each data file individually. This way, the ‘crown jewels’ that a Zero Trust architecture is built to protect are protected inherently, whether stored in the ‘secure vaults’ or anywhere else.
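One way to put protection into the data itself, as an added example that is not the article’s or SecureAge’s code: per-file envelope encryption in Go using AES-256-GCM from the standard library. Seal, Open, the blob layout and the file identifier scheme are assumptions for illustration; the key-encryption key (KEK) stands in for a key that a Zero Trust policy engine releases only after the user, device and request have been checked.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example with a hypothetical format: each file gets a fresh data key
// (DEK), wrapped under a key-encryption key (KEK) that is only released to an
// authorized user. The file's identity is bound as associated data, so the blob
// stays protected wherever it is copied and fails to open if relabelled or altered.
// blob layout: nonceK | wrapped DEK (+tag) | nonceD | ciphertext (+tag)

const (
	nonceSize = 12
	keySize   = 32
	tagSize   = 16
	wrapSize  = keySize + tagSize
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// Seal encrypts plaintext for the file identified by fileID under the caller's KEK.
func Seal(kek []byte, fileID string, plaintext []byte) ([]byte, error) {
	rnd, err := randomBytes(keySize + 2*nonceSize)
	if err != nil {
		return nil, err
	}
	dek, nonceK, nonceD := rnd[:keySize], rnd[keySize:keySize+nonceSize], rnd[keySize+nonceSize:]
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dekGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	aad := []byte(fileID)
	out := append([]byte{}, nonceK...)
	out = kekGCM.Seal(out, nonceK, dek, aad)       // DEK wrapped and bound to fileID
	out = append(out, nonceD...)
	out = dekGCM.Seal(out, nonceD, plaintext, aad) // content, also bound to fileID
	return out, nil
}

// Open reverses Seal. Without the right KEK the DEK is never released; with the
// wrong fileID or a modified byte anywhere, the GCM tag check fails and nothing is returned.
func Open(kek []byte, fileID string, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+wrapSize+nonceSize+tagSize {
		return nil, errors.New("blob too short")
	}
	nonceK := blob[:nonceSize]
	wrapped := blob[nonceSize : nonceSize+wrapSize]
	nonceD := blob[nonceSize+wrapSize : nonceSize+wrapSize+nonceSize]
	ct := blob[nonceSize+wrapSize+nonceSize:]
	aad := []byte(fileID)
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekGCM.Open(nil, nonceK, wrapped, aad)
	if err != nil {
		return nil, errors.New("key release refused: wrong key or file identity")
	}
	dekGCM, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dekGCM.Open(nil, nonceD, ct, aad)
	if err != nil {
		return nil, errors.New("content authentication failed")
	}
	return pt, nil
}

func main() {
	const id = "legal/lawsuit-2021.docx" // constructed sample file identity
	kek, _ := randomBytes(keySize)     // in practice released by the policy engine, not made here
	blob, _ := Seal(kek, id, []byte("privileged: settlement strategy"))
	other, _ := randomBytes(keySize) // a second user's key: the copied blob is still ciphertext
	_, err := Open(other, id, blob)
	fmt.Println("other user:", err)
	blob[len(blob)-1] ^= 0x01 // one flipped byte anywhere is detected
	_, err = Open(kek, id, blob)
	fmt.Println("tampered:", err)
}
```

Binding the file identity as associated data is what turns encryption into the ‘data authentication’ the text asks for: a blob moved to a laptop, a mailbox or a USB stick is still ciphertext, a blob renamed to impersonate another file refuses to open, and a single altered byte fails the tag check before any plaintext is returned. What the example leaves out, deliberately, is the hard part: the KEK must be released per request by the same policy decision that gates any other asset, and revoking a user means withholding keys rather than chasing copies.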
Should One Trust Zero Trust?
Yes and no. If all a Zero Trust implementation does is chop up a network, then it will reduce the scope of some cyber-attacks. But what about insiders? Or compromised user accounts? Or socially engineered attacks? The list goes on.
Many data breaches are due to someone using a valid user account to access information. These apparently legitimate users have access to data that can then easily be stolen because the data has no inherent, built-in protection.
While the concept of Zero Trust is valid, the implementation must be taken right down into the data – all data, everywhere. Simply building more fences around data is just beefing up the old castle and moat architecture. By extending protection inside data itself one can truly say that Zero Trust is trustworthy.