In a US court of law, the accused are deemed to be innocent until proven guilty. In a Zero Trust security model, the opposite is true. Everything and everyone must be considered suspect—questioned, investigated, and cross-checked—until we can be absolutely sure it is safe to be allowed.
Zero Trust is a concept created by John Kindervag in 2010 during his time as Vice President and Principal Analyst for Forrester Research. When looking at failures inside organizations to stop cyberattacks, especially lateral movements of threats inside their networks, Kindervag realized that the traditional security model operated on the outdated assumption that everything inside an organization’s network could be trusted. Instead, Zero Trust inverts that model, directing IT teams according to the guiding principle of "never trust, always verify" and redefining the perimeter to include users and data inside the network.
Over the last 10 years, more and more businesses have moved toward the Zero Trust model, demolishing the old castle-and-moat mentality and accepting the reality of insider threats. We take an inside look at Zero Trust, including its strengths and weaknesses, to help organizations evaluate whether they should embrace the philosophy within their own walls or consider different methods.
Definition of Zero Trust
Zero Trust is an information security framework that states organizations should not trust any entity inside or outside of their network perimeter at any time. It provides the visibility and IT controls needed to secure, manage, and monitor every device, user, app, and network belonging to or being used by the organization and its employees and contractors to access business data.
The goal of a Zero Trust configuration should be clear: restrict access to sensitive data, applications, and devices on a need-to-know basis. Employees in finance need accounting software—all others should be barred. Remote workers should use VPNs—access from the open Internet should be prohibited. Data sharing should be limited and controlled. The free flow of information that was once one of the cornerstones of the Internet needs to be confined in order to protect networks from penetration, customers from privacy violations, and organizations from attacks on infrastructure and operations.
The strategy around Zero Trust boils down to scrutinizing any incoming or outgoing traffic. But the difference between this and other security models is that even internal traffic, meaning traffic that doesn’t cross the perimeter of the organization, must be treated as a potential danger as well.
While this might seem severe, consider the changes in the threat landscape over the last 10 years: the hundreds of public data leaks and breaches; ransomware attacks that halted operations on thousands of endpoints in cities, schools, and healthcare organizations; or millions of users' personally identifiable information stolen from business databases. As cybercriminals continue to turn their focus to business targets in 2020, Zero Trust seems like a smart approach to thwart increasing numbers of attacks.
Implementing Zero Trust
Implementing a Zero Trust security model in an organization is not simply a change in mindset. It will require a clear view of functions within the company's departments, currently deployed software, access levels, and devices, and what each of those requirements will look like in the future.
Often, building a Zero Trust network from the ground up is easier than reorganizing an existing network into Zero Trust because the existing network will need to remain functional throughout the transition period. In both scenarios, IT and security teams should come up with an agreed-upon strategy that includes the ideal final infrastructure and a step-by-step plan for how to get there.
For example, when setting up resource and data centers, organizations may have to start almost from scratch, especially if legacy systems are incompatible with the Zero Trust framework—and they often are. But even if companies don’t have to start from scratch, they may still need to reorganize specific functions within their security policy, such as how they deploy software or onboard employees, or which storage methods they use.
Strengths of Zero Trust
Building Zero Trust into the foundation of an organization's infrastructure can strengthen many of the pillars upon which IT and security are built. Whether it's in bolstering identification and access policies or segmenting data, by adding some simple barriers to entry and allowing access on an as-needed basis, Zero Trust can help organizations strengthen their security posture and limit their attack surface.
Here are four pillars of Zero Trust that we believe organizations should embrace:
- Strong user identification and access policies
- Segmentation of data and resources
- Strong data security in storage and transfer
- Security orchestration
User identification and access
Using a secure combination of factors in multi-factor authentication (MFA) should provide teams with sufficient insight into who is making a request, and a well thought-out policy structure should confirm which resources they can access based on that identification.
Many organizations gate access to data and applications by opting for identity-as-a-service (IDaaS) cloud platforms using single sign-on services. In a Zero Trust model, that access is further protected by verifying who is requesting access, the context of the request, and the risk of the access environment before granting entry. In some cases, that means limiting functionality of resources. In others, it might be adding another layer of authentication or session timeouts.
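As an added illustration (not code from the original article), the sketch below shows one way such an access decision could be expressed: it checks who is asking, the context of the request, and the risk of the environment, and can answer with limited functionality or a step-up in authentication instead of a plain yes or no. The resource names, the `Request` fields, and the risk thresholds are all assumptions constructed for this example; the finance and VPN rules mirror the ones given earlier in the article.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed need-to-know table: which departments may use which resource.
RESOURCE_POLICY = {
    "accounting-app": {"finance"},
    "design-platform": {"design"},
    "intranet": {"finance", "design", "engineering"},
}

@dataclass(frozen=True)
class Request:
    user: str
    department: str
    resource: str
    mfa_passed: bool      # who: identity confirmed with multiple factors
    via_vpn: bool         # context: network path the request arrived on
    managed_device: bool  # environment: device is known to IT
    risk_score: int       # environment: 0 (low) to 100 (high), hypothetical risk engine

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Nothing is allowed unless every check passes."""
    allowed_departments = RESOURCE_POLICY.get(req.resource)
    if allowed_departments is None:
        return "deny", "unknown resource"
    if req.department not in allowed_departments:
        return "deny", "no need-to-know for this resource"
    if not req.via_vpn:
        return "deny", "access from the open Internet"
    if req.risk_score >= 70:          # assumed threshold
        return "deny", "access environment risk too high"
    if not req.mfa_passed:
        return "step_up", "additional authentication required"
    if not req.managed_device or req.risk_score >= 40:  # assumed threshold
        return "limited", "reduced functionality with short session timeout"
    return "allow", "identity, context, and environment verified"

if __name__ == "__main__":
    sample = Request("alice", "finance", "accounting-app", True, True, True, 10)
    print(decide(sample))
```

Note that being inside the network appears nowhere in the decision: the same checks run for every request, regardless of where it originates.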
Robust access policies will not make sense without proper segmentation of data and resources, though. Creating one big pool of data where everyone that passes the entrance test can jump in and grab whatever they want does not protect sensitive data from being shared, nor does it stop insiders from misusing security tools or other resources.
By splitting segments of an organization's network into compartments, Zero Trust protects critical intellectual property from unauthorized users, reduces the attack surface by keeping vulnerable systems well guarded, and prevents lateral movement of threats through the network. Segmentation can also help limit the consequences of insider threats, including those that might result in physical danger to employees.
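To make the effect of segmentation on lateral movement concrete, the following added example (not part of the original article) compares how far a single compromised host could spread in a flat network versus a segmented one. The host inventory and segment rules are constructed for illustration; the function follows chains of allowed segment-to-segment flows, which is how a defender would review a segmentation policy for unintended paths.

```python
from collections import deque

# Constructed inventory: host -> segment it lives in.
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations",
    "web-01": "dmz", "app-01": "app", "db-01": "data", "fin-01": "finance",
}

# Constructed segmented policy: only these (source, destination) segment
# flows are permitted. Traffic within a segment is NOT implicitly trusted.
SEGMENTED = {("workstations", "dmz"), ("dmz", "app"), ("app", "data")}

def flat_policy(hosts):
    """Castle-and-moat model: every segment may talk to every segment."""
    segments = set(hosts.values())
    return {(a, b) for a in segments for b in segments}

def blast_radius(start, hosts, policy):
    """Hosts reachable from `start` by chaining allowed flows hop by hop."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for host, segment in hosts.items():
            if host not in seen and (hosts[current], segment) in policy:
                seen.add(host)
                queue.append(host)
    return sorted(seen - {start})

if __name__ == "__main__":
    print("flat:     ", blast_radius("ws-01", HOSTS, flat_policy(HOSTS)))
    print("segmented:", blast_radius("ws-01", HOSTS, SEGMENTED))
    print("from db:  ", blast_radius("db-01", HOSTS, SEGMENTED))
```

In the segmented case the workstation can no longer reach its neighbor or the finance server, but the chain workstations → dmz → app → data still exists, so each permitted flow should be reviewed for what it makes reachable transitively, not only directly.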
Even with restricting access to data and reducing the attack surface through segmentation, organizations are open to breaches, data leaks, and interception of data if they do not secure their data in storage and in transit. End-to-end encryption, hashed data, automated backups, and securing leaky buckets are ways organizations can adopt Zero Trust into their data security plan.
Finally, drawing a thread through all of these pillars is the importance of security orchestration. Even without a security management system, organizations using Zero Trust would need to ensure that security solutions work well together and cover all the possible attack vectors. Overlap is not a problem by itself, but it can be tricky to find the right settings to maximize efficiency and minimize conflicts.
Challenges of the Zero Trust strategy
Zero Trust is billed as a comprehensive approach to securing access across networks, applications, and environments from users, end-user devices, APIs, IoT, micro-services, containers, and more. While aiming to protect the workforce, workloads, and workplace, Zero Trust does encounter some challenges. These include:
- More and different kinds of users (in office and remote)
- More and different kinds of devices (mobile, IoT, biotech)
- More and different kinds of applications (CMSes, intranet, design platforms)
- More ways to access and store data (drive, cloud, edge)
In the not-too-distant past, it was commonplace for the vast majority of the workforce to spend the entirety of their working hours at their place of employment. That is no longer true today: according to Forbes, at least 50 percent of the US population engages in some form of remote work. That means accessing data from home IPs, routers, or public Wi-Fi, unless using a VPN service.
But users are not necessarily limited to a workforce. Customers sometimes need to access an organization's resources, depending on the industry. Consider customers that want to select orders for their next delivery, check on inventory, participate in demos or trials, and of course access a company's website. Suppliers and third-party service companies may need access to other parts of an organization's infrastructure to check on operations, safety, and progress.
All of these instances point to a wide variation in user base and a larger number of access points to cover. Coming up with specific policies for each of these groups and individuals can be time-consuming, and keeping up with the constant influx of new employees and customers will add considerable workload for whoever manages this task moving forward.
In this era of BYOD policies and IoT equipment, plus the "always on" mentality that sometimes strikes for remote employees, organizations must allow for a great variation in devices used for work, as well as the operating systems that come with them. Each of these devices has its own properties, requirements, and communication protocols, which will need to be tracked and secured under the Zero Trust model. Once again, this requires a bit more work upfront but likely yields positive results.
Another challenging factor to take into account when adopting a Zero Trust strategy is the number of applications in use across the organization for people and teams to collaborate and communicate. The most versatile of these apps are cloud-based and can be used across multiple platforms. This versatility can, however, be a complicating factor when deciding what you want to allow and what you do not.
Are the apps shared with third-party services, agencies, or vendors? Are the communication platforms outward-facing, and not just for employees? Is this application necessary only for a particular department, such as finance, design, or programming? All of these questions must be asked and answered before blindly adopting a stack of 60 applications for the entire workforce.
One reason why the old security policies are falling out of favor is that there's no longer one fixed location that needs to be protected. Organizations can't just protect endpoints or corporate networks. More and more resources, data, and even applications are stored in cloud-based environments, meaning they can be accessed from anywhere and may rely on server farms in various global locations.
This is further complicated by the potential shift to edge computing, which will require IT teams to switch from a centralized, top-down infrastructure to a decentralized trust model. As we have seen in our series about leaky cloud resources (AWS buckets and elastic servers), the configuration of data infrastructure in cloud services and beyond will need to be flawless if businesses don’t want it to end up as the weakest link in their Zero Trust strategy.
To trust or not to trust
Overhauling to a Zero Trust security framework isn't easily accomplished, but it's one we feel strengthens an organization's overall security posture and awareness. IT teams looking to convince executives of the old guard might look for prime opportunities, then, to make their argument. For example, if there's already a planned move to cloud-based resources, that's a good time to suggest also adopting Zero Trust.
Changes in the threat landscape, including recent vulnerabilities in VPNs and Citrix, plus ransomware being delivered through Remote Desktop Protocol (RDP), might encourage more organizations to investigate a Zero Trust solution, if only for identity and access management. These organizations will have to allow for a transition period and be prepared for some major changes.
A proper Zero Trust framework that doesn’t automatically allow traffic inside the perimeter will certainly hinder the lateral threat movement that hackers use to tighten their grip on a breached network. Top business-focused threats such as Emotet and TrickBot would be hindered from spreading, as they'd be unable to work their way from server to server in a segmented network. Since the point of infiltration is usually not the target location of an attacker, setting up internal perimeters can also limit the severity of a successful attack.
Add to these layers strong data security hygiene and intelligent orchestration that provides wide coverage across threat types, operating systems, and platforms, and businesses have a security framework that'd be pretty tough to beat today. In our eyes, that makes Zero Trust a hero.