What is Zero Trust?
Dr. Allen Harper
Cyber Mentor and Executive Advisor || 35+ years experience || Lead author of Gray Hat Hacking books || EVP Cybersecurity at T-Rex || Mentoring thousands into cyber and Entrepreneurs starting businesses
How is this new model changing cybersecurity?
I am going to discuss the topic of zero trust and how it is reshaping the cybersecurity field.
This “trend” is not that new, but it has gained popularity in the last couple of years. It represents a paradigm shift, and we will discuss why and how it will impact the field.
This topic is important because cybersecurity is expensive and gets more expensive every year. In this article, I will explain a bold claim:
Zero Trust has the Potential to Finally Bend the Cost Curve of Cybersecurity. - Dr. Allen Harper
Most people are unaware of the zero trust “trend” and will therefore not take advantage of it. My goal is to equip you with the information you need to think about developing your own zero trust strategy for your organization.
Here is what you will get out of this article:
Background of Zero Trust
I believe that zero trust is the fifth generation of cybersecurity.
Why does cybersecurity need to keep evolving, and why, until now, have we not been able to keep the adversary out? The first problem is zero days: previously unknown vulnerabilities that allow attackers to reach into networks with impunity. The second factor is that the majority of our cybersecurity solutions are signature-based, and by definition a zero day cannot be detected by a signature-based solution. These two factors give the attacker the advantage: they spend less while we keep spending more. That may be about to change.
The zero trust concept is not new; it has been discussed in one form or another since:
So, you can see, the concept is not new; what has changed is the focus and priority. “In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches.” [11]
This breach was the proverbial straw that broke the camel's back. From this point onward, the U.S. Government has been pursuing a Zero Trust Strategy, and the rest of the world is following.
Pillars of Zero Trust
The U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA) released a Zero Trust Maturity Model [12]. It has the following pillars and foundational capabilities.
Source: DHS CISA Zero Trust Maturity Model 2.0 [12]
The core pillars of Zero Trust are shown:
The cross cutting foundation of each pillar is:
The idea with zero trust is to restrict access to sensitive data to an authorized user, on an authorized device, in an authorized segment of the network, using authorized applications, to access a particular set of data, and, most importantly, to block all else. Further, leveraging the foundational elements of zero trust, if anything changes during this connection, the risk may be reassessed and revalidated at each pillar. We will come back to the impact of this later.
Zero Trust Pillars
Now, let's take a look at each pillar in depth.
Identity
Identity is the key pillar of zero trust: without it, none of the other pillars will work. The premise of identity is to obtain an attribute or set of attributes that uniquely identify a user or entity, including non-person entities (i.e., service accounts).
The identity pillar includes:
Device
The device pillar concerns every device a user may use, from personal, to corporate, to mobile, to virtual. It also includes other types of devices: printers, IoT, networking equipment, etc. The key is to recognize that the user will move from device to device, often within minutes, and the risk management system should be able to account for those changes and make real-time decisions for policy enforcement.
The device pillar involves:
Network
The Network pillar involves the communication channels used by users and devices, including cloud, internal, wireless, and Internet. A key aspect of zero trust is the shift from a focus on the perimeter to an understanding that there is often no perimeter in a modern cloud and mobile user environment. Another way to think about this is that the perimeter extends to wherever the user is.
The Network pillar includes:
Applications and Workloads
Applications and workloads are the interface between users and data. This includes both computer programs and services that execute on-premises, in cloud, and in mobile environments.
This pillar covers all aspects of the application lifecycle and DevSecOps processes and includes:
Data
The last pillar of Zero Trust is Data, which includes all structured and unstructured files and fragments, no matter the location, and their associated metadata.
The idea is to inventory, protect, and securely remove data when appropriate. This includes:
Zero Trust Maturity Model
The DHS CISA Zero Trust Maturity Model defines four maturity levels:
Each tenet (pillar) of zero trust may be assessed against this maturity model.
Source: DHS CISA Zero Trust Maturity Model 2.0 [12]
The idea is to determine the capability maturity of the organization, then work iteratively to improve it over time.
Zero Trust Strategy
Benefits of adopting a zero trust strategy and architecture include:
This is done by clearly defining a set of controls at each pillar and foundational element, and then designing a set of policies to enforce at each policy enforcement point (PEP). In this manner, we shift away from the paradigm of traditional cybersecurity, which is built on the premise of defining “known bad” and leveraging those “signatures” throughout multiple layers of the security architecture. The problem with the signature-based approach, on which 95% of today's security architecture is built, is that attackers continue to evolve, and by definition a zero day threat has no signature.
Instead, zero trust flips the model by focusing on known good and rejecting all else. We have always known that this “white” list approach is better than the “black” list approach, but until now it has not been feasible to pull off. To be clear, we are not fully there, with all of the technology pieces in place, but we are well on the way to being able to realize a full-stack zero trust architecture in the next couple of years. Most government agencies and many companies are heading that way; you may want to “skate where the puck is heading” and get there yourself.
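To make the "known good, block all else" decision concrete, here is an added example (not code from the article) of a minimal default-deny policy decision point keyed on the five pillars, contrasted with a deny-list check that stands in for a signature-based control, and re-evaluated when an attribute changes mid-session as described under the pillars above. All identities, device states, segments, application and data names are constructed for illustration.

```python
"""Added example, not from the article: a default-deny policy decision
point (PDP) over the five CISA pillars.  A request is permitted only when
every pillar attribute matches a known-good rule; any change mid-session
triggers a fresh decision.  All attribute values are constructed."""
from dataclasses import dataclass, replace

PILLARS = ("identity", "device", "network", "application", "data")


@dataclass(frozen=True)
class Request:
    identity: str
    device: str
    network: str
    application: str
    data: str


# Constructed allow list: each rule is one authorized combination across pillars.
POLICY = [
    {"identity": "alice@example.test", "device": "managed-compliant",
     "network": "corp-segment-finance", "application": "ledger-app",
     "data": "finance-db"},
]
# Constructed deny list, standing in for a signature-based control.
KNOWN_BAD_DEVICES = {"jailbroken", "known-malware-host"}


def decide(req: Request, policy=POLICY) -> bool:
    """Zero trust PDP: permit only if some rule matches on all five pillars."""
    return any(all(rule[p] == getattr(req, p) for p in PILLARS) for rule in policy)


def deny_list_decide(req: Request) -> bool:
    """Signature-style check: blocks only device states it already knows about."""
    return req.device not in KNOWN_BAD_DEVICES


def session(req: Request, changes) -> list:
    """Continuous evaluation: the PEP re-asks the PDP after each attribute change."""
    outcomes = [decide(req)]
    for pillar, value in changes:
        req = replace(req, **{pillar: value})
        outcomes.append(decide(req))
    return outcomes


# Constructed sample requests: an authorized one, and one whose device posture
# no deny list has a signature for (the "zero day" case the article describes).
GOOD = Request("alice@example.test", "managed-compliant",
               "corp-segment-finance", "ledger-app", "finance-db")
NOVEL = replace(GOOD, device="unseen-posture")
```

The deny list lets the never-before-seen device state through, while the allow list rejects it without needing a signature; the session check shows access being revoked and restored as the network attribute changes.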
Practical steps of implementing a zero trust strategy include:
Cost Implications
As previously mentioned, the cost to implement and maintain cybersecurity is significant and seemingly increases exponentially, year after year. The reason is the zero day and signature-based problem we have discussed.
By implementing zero trust, which is fundamentally not signature-based but instead defines known good on a microservice and segmentation basis, there is the potential to dramatically reduce the cost of cybersecurity services.
Now, depending on the ability to reuse existing technology already in place, there may be an up-front investment required to transform the security architecture to one of zero trust; however, after that initial investment, there should be a measurable reduction in cost going forward.
By implementing zero trust completely, at a high level of capability maturity, we may finally stop expending more resources than the attacker, and we may increase their cost curve while decreasing our own.
TL;DR
In this article, we have discussed zero trust:
If you enjoyed the content in this article, subscribe to my Newsletter for more content like it. Also, join my free mentoring group at www.allenharper.com.
If you enjoyed this, recycle it for others.
P.S. Let me know what other topics you want me to explain.
Citations