Fail to achieve true Zero Trust by only believing the hype.
Marketing buzzwords within any industry tend to overhype the sector without adding any substance. In recent years within cyber security, I do not think there has been a more over-hyped buzzword than Zero Trust, although there are some worthy contenders (looking at you, AI/ML). Fortunately, unlike many buzzwords, it is straightforward to distil what has recently become a powerful marketing engine back into what it originally was and still is: a powerful security engine. It is an engine which can enable organisations by reducing a potential attacker’s ability to move throughout a network and thus successfully achieve their malicious objectives.
Apart from being unable to go a day without seeing the words Zero Trust (you have already seen them at least twice if you have made it this far), the inspiration for this article was one of the predictions following Gartner’s recent Security & Risk Management Summit:
60% of organisations will embrace Zero Trust as a starting point for security by 2025. More than half will fail to realise the benefits.
As a result, I thought it would be helpful to explain what Zero Trust is, the benefits of adopting it and some practical steps to begin the journey. With that, I hope organisations are equipped with the right information to embrace this mindset and realise its benefits.
The Past
Historically, security models followed a castle and moat architecture. The enterprise network and data centre were inside the castle, with firewalls guarding the perimeter. Anything outside the wall was untrusted, whilst anything inside was trusted and allowed access. However, this concept of trust based on physical location begins to show its limitations when users are mobile and external third parties require access. As a result, networks of this design carry an excessive level of implicit trust. Attackers can and do abuse this: if attackers steal user credentials, they can gain access to the enterprise network, especially where VPNs extend the enterprise network out to users and, as a result, to these potential attackers.
The Present
Enter stage left, Zero Trust. As previously alluded to, this is a term widely exploited in security vendor marketing. However, deep below the outrageous sales pitches is the foundation of a useful framework for an approach in which implicit trust is removed from a network. Zero Trust suggests that trust levels should be explicitly and continuously checked and adapted to grant the minimal level of access, for the minimum amount of time, to the minimum number of resources.
For those in cyber, this paranoid concept of trusting no one is perhaps an unnervingly simple transition. However, when we look to senior management and those who do not have a native tendency towards paranoia, Zero Trust can seem, from the outset, to have negative organisational and business consequences. Therefore, an important aspect to understand when organisations begin to look at Zero Trust is that whilst it is a security mindset, it is also by its very nature an organisational vision. In order to realise the benefits of Zero Trust, there needs to be a cultural shift and clear communication which ties to business outcomes. I find it easier sometimes, at whatever stage of a cyber security project, to come back to business outcomes as a useful anchor in the sea that is security requirements, solutions, vendors, etc. As we look to the future, it is useful to recognise the cultural shift and alignment with business outcomes as a potential underlying core hurdle to achieving the benefits of Zero Trust effectively.
The Future
I would recommend that organisations looking to implement Zero Trust start with network-related security projects. The reason for the ‘network-related’ part is the fundamental logic underpinning network connectivity. Network connectivity was created when trust was, and could be, assumed (i.e. the castle & moat architecture). Its purpose was to connect, not to authenticate. Network addresses are weak identifiers at best, so Zero Trust networking initiatives use identity as the foundation of the new perimeter.
One way that this can be addressed is by using Zero Trust principles for network access. By granting appropriate access based on the identity of humans and devices, in combination with other context such as time, geolocation, device posture, etc., we can create a more secure and resilient environment which has improved flexibility and better monitoring for users both in and out of the office. This can replace or augment VPN by allowing users minimal access to only what they need, and it reduces VPN infrastructure overload by shifting to cloud-based “ZTNA” offerings.
Segregation is another effective (network-based) starting block to limit attackers' lateral movement in a network. By introducing identity-based segregation, i.e. using dynamic rules that assess workload and app identity as part of determining allowed network communications, we can reduce levels of implicit trust. Essentially, this shifts individual workloads to default-deny rather than allowing by default. Once these key pillars of Zero Trust have been achieved, it would be sensible to look to other projects around extending a Zero Trust mindset across the technology infrastructure. It is important to repeat here that Zero Trust is a mindset rather than a solution. There are solutions which lend themselves well to Zero Trust, and those which don’t. But there is no silver bullet solution to all of this… sadly.
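To make the two starting blocks above concrete (identity- and context-based access, and default-deny identity-based segregation), here is a small policy evaluator written for this article; it is an added illustration, not code from any vendor or ZTNA product. Identity names, the fifteen-minute grant lifetime and the device-posture flag are all assumptions; the decision never looks at a network address.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Context:
    identity: str           # verified identity of the human or workload, never an address
    device_compliant: bool  # device posture, e.g. from an MDM/EDR check (assumed source)
    geo: str                # country code of the session

@dataclass(frozen=True)
class Rule:
    src: str                       # identity allowed to initiate
    dst: str                       # identity of the target workload or app
    ports: frozenset               # destination ports this pair may use
    require_compliant: bool = True
    allowed_geos: frozenset = frozenset()  # empty means any location
    hours: tuple = (0, 24)         # permitted hours [start, end), local time

@dataclass(frozen=True)
class Grant:
    src: str
    dst: str
    port: int
    expires: datetime

def evaluate(policy, ctx, dst, port, now, ttl=timedelta(minutes=15)):
    """Default-deny: a short-lived Grant is issued only when an explicit rule passes every check."""
    for r in policy:
        if r.src != ctx.identity or r.dst != dst or port not in r.ports:
            continue
        if r.require_compliant and not ctx.device_compliant:
            continue
        if r.allowed_geos and ctx.geo not in r.allowed_geos:
            continue
        if not (r.hours[0] <= now.hour < r.hours[1]):
            continue
        return Grant(ctx.identity, dst, port, now + ttl)
    return None  # nothing matched: no implicit trust

def still_valid(policy, grant, ctx, now):
    """Continuous verification: keep an existing grant only while it is unexpired
    and the same decision would be reached again with the current context."""
    return now < grant.expires and evaluate(policy, ctx, grant.dst, grant.port, now) is not None

# Constructed sample policy: identities, not addresses, decide which pairs may talk.
POLICY = (
    Rule("user/alice", "app/hr-portal", frozenset({443}), allowed_geos=frozenset({"GB"}), hours=(7, 20)),
    Rule("svc/payments-api", "db/ledger", frozenset({5432}), require_compliant=False),
)
```

A grant for alice to the HR portal lapses not only at expiry but as soon as her device falls out of compliance, which is the “continuously checked and adapted” part of the mindset rather than a one-off login decision.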
I hope this article has equipped you (if you have made it this far) with information about and an understanding of Zero Trust (at a basic level), its benefits, and the potential hurdles to success. I hope I have portrayed Zero Trust, and wider cyber security, as enablers of the recent rapid digital transformation. To achieve any security project, whether it is implementing Zero Trust approaches to operations or indeed any project at all, it is important to communicate with the business and tie together the business outcomes which underlie the purpose of carrying out the project.