Rising above the zero trust noise with Dynamic Need to Know™ & Deception

Customers have become numb to the saturation of zero trust information. This makes it very difficult to weed out weak capabilities dressed in great marketing, and to select and move forward with a solution confidently. As a result, many have reached a point of paralysis by analysis.

Sadly, because of this frozen state, most customer conversations have become riddled with zero trust jokes or feelings that it can’t be deployed properly at the federal/defense level. In fact, one customer expressed: “Zero trust is like one of those concept cars that never becomes reality.” Considering these misconceptions, we believe it’s important to ask our most skeptical customers the following:

  1. What is your definition of a zero trust architecture? This question enables thought leaders to establish a terminology baseline.
  2. How are you connecting users to public and private applications? Asking this allows DevSecOps leaders to relay their current architecture and any constraints.
  3. How are you architecting towards your zero trust strategy? The answer to this illustrates where DevSecOps leaders are in their zero trust journey.

Unfortunately, one thing is to be expected: there is a different answer to each zero trust question. Armed with the latest zero trust marketing lingo, the tech community swiftly throws out jargon and components but cannot depict where they are in their digital transformation strategy or the requirements necessary to make that transition. This is why, when asked the same questions months later, they often give a completely different response.

A Note for the Reader: Zero Trust is a holistic strategy and not a silver bullet. There isn’t a single company or singular solution that can (or should) provide an end-to-end Zero Trust solution. If a vendor states that they can do it all, run!

NIST SP 800-207 (Rose et al.), a core reference for DoD’s Zero Trust Reference Architecture (ZTRA), defines a “Zero trust architecture (ZTA) [as] an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement.” NIST’s definition can be interpreted in so many ways that it opens itself to likely misinterpretation.

One of our favorite zero trust principles is the enforcement of ‘least-privileged access.’ When asked, “What is my top requirement for zero trust network access?”, my response is that ZTNA requires “Dynamic Need to Know™!” Dynamic Need to Know™ is Zscaler’s intelligent version of least-privileged access that combines technology and techniques to enable global workforces to achieve effective, automated, agile, and dynamic security control.

By cutting across each zero trust pillar and leveraging the intelligence of each subcomponent, Zscaler can enforce Comply-to-Connect (C2C) to continuously challenge users and endpoints and provide dynamic risk-scoring. This supporting cast of integrated features and components empowers Zscaler’s Dynamic Need to Know™ to perform as a Policy Enforcement Point (PEP) and receive enforcement policy from the Policy Decision Point (PDP), effectively revoking, limiting, allowing or disallowing access based on a combination of the following attributes:

  • Policies (RBAC, ABAC, PBAC)
  • User
  • Location
  • Device
  • Context
  • User behavior
  • Endpoint behavior

To summarize, Dynamic Need to Know™ is a combination of network security systems providing specific access to applications and resources at a specific moment in time. Because Zscaler enforces zero trust access (ZTA) to all applications and data resources, Zscaler inherently provides continuous security posture checks (user and endpoint) and enforces Comply-to-Connect (C2C), aligned to Microsoft’s Adaptive Access through Zscaler’s close integration with Azure Active Directory (AD). Regarding C2C, Zscaler can leverage its open APIs to provide situational awareness using industry-standard endpoint systems, namely CrowdStrike, Varonis, VMware and ForeScout, as well as the endpoint’s OS, to name a few. Concurrently, Zscaler can provide adaptive access based on data furnished by the identity provider (IdP), SD-WAN and cloud service providers (CSPs).

Another component of zero trust that we believe is critical to next-gen security is Active Defense (or Deception). Zscaler’s Active Defense tech is analogous to an AI/ML honeypot, which makes it a paramount addition to modern zero trust strategies. Integrating deception within your datacenter means that if a user or device connects to a decoy asset, alarms are silently triggered, and that user and/or device automatically loses access to applications and data resources. With Zscaler’s cloud integration of deception technologies, not only is a user’s application access shut down in real time, but Zscaler also begins to analyze, develop, and gather intelligence when a user connects to any deception decoy… Deception technology is incredibly impressive and we believe it will evolve into another ZTNA pillar in the near future.
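To make the PDP/PEP decision flow and the decoy-triggered revocation concrete, here is an added toy model (not Zscaler’s code, and not part of the original article): a minimal Policy Decision Point that decides each request from user, device posture (C2C), location and a behaviour-derived risk score, and quarantines any identity the moment it touches a decoy. The decoy inventory, per-app risk limits, thresholds and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

DECOY_HOSTS = {"10.0.9.40", "fileshare-hr-backup"}  # constructed decoy inventory

@dataclass
class Request:
    user: str
    device_id: str
    location: str          # "office", "home" or "unknown" (assumed vocabulary)
    device_compliant: bool  # Comply-to-Connect posture check result
    risk_score: int        # 0-100, furnished by endpoint/IdP telemetry (assumed)
    app: str

class PolicyDecisionPoint:
    """Toy PDP: every request is re-evaluated; decisions are never cached."""
    def __init__(self):
        self.quarantined: set[str] = set()               # identities that hit a decoy
        self.app_risk_limit = {"hr-portal": 30, "wiki": 70}  # assumed max risk per app

    def on_connection(self, user: str, dest: str) -> bool:
        """Deception hook: a connection to any decoy silently quarantines the user."""
        if dest in DECOY_HOSTS:
            self.quarantined.add(user)
            return True
        return False

    def decide(self, r: Request) -> str:
        if r.user in self.quarantined:
            return "revoke"          # decoy contact overrides everything else
        if not r.device_compliant:
            return "deny"            # C2C: non-compliant endpoints never connect
        limit = self.app_risk_limit.get(r.app, 50)
        if r.risk_score > limit:
            return "deny"            # behaviour/endpoint risk above app tolerance
        if r.location == "unknown" and r.risk_score > limit // 2:
            return "limit"           # step-down access (e.g. read-only / re-auth)
        return "allow"

# Constructed event stream: alice is allowed, touches a decoy, then is revoked.
SAMPLE_EVENTS = [
    ("request", Request("alice", "lt-01", "office", True, 12, "wiki")),
    ("connect", ("alice", "10.0.9.40")),
    ("request", Request("alice", "lt-01", "office", True, 12, "wiki")),
]

def replay(pdp: PolicyDecisionPoint, events) -> list[str]:
    """Feed mixed connection telemetry and access requests through the PDP."""
    decisions = []
    for kind, payload in events:
        if kind == "connect":
            pdp.on_connection(*payload)
        else:
            decisions.append(pdp.decide(payload))
    return decisions
```

Replaying `SAMPLE_EVENTS` yields `["allow", "revoke"]`: the same user on the same compliant device is cut off solely because of the decoy contact in between.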

So, the next time someone asks you about your Zero Trust present and future plans, ask about their version of “Dynamic Need to Know™” and deception technology.

By: Conrad Maiorino & Brent Irwin

(1) National Institute of Standards and Technology 08/2020 “NIST Special Publication 800-207 Zero Trust Architecture” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
