When do you call it Zero Trust?

In the face of evolving cybersecurity threats and the growing complexity of modern computing environments (Veldhoven & Vanthienen, 2021), organisations are increasingly recognising the limitations of traditional network-based security approaches. Known as the Castle Moat model (Frincke & Bishop, 2004), this paradigm assumes that anything inside the network perimeter can be trusted, while external entities are inherently untrusted.

Zero Trust is the new prevailing cyber security paradigm and stands in stark contrast to the castle moat: no implicit trust is granted once an identity has been authorised. Instead, monitoring and verification are continuous (Buck et al., 2021).

Determining the cyber security paradigm in which an organisation operates is crucial, because the paradigm:

1) Establishes the security principles and assumptions that underpin an organisation's approach to protecting its digital assets and infrastructure.

2) Delineates the specific security controls, policies, and architectural patterns that the organisation adopts.

3) Provides a reference architecture and framework for evaluating the effectiveness of the organisation's cybersecurity posture and practices.

Articulating the criteria for determining whether an organisation operates with a zero-trust mindset is a complex endeavour: it encompasses a range of technical, operational, and organisational factors, and no authoritative body certifies an organisation as "Zero Trust" (Zero Trust Core Principles, 2021). The same is true of the Castle Moat paradigm, although that paradigm is much simpler to conceptualise.

Zero Trust rests on several core principles (Khan, 2023; Kindervag et al., 2010):

1) Eliminate implicit trust in any entity, whether user, device, or application. This principle emphasises multi-factor authentication (MFA) and continuous monitoring to validate the trustworthiness of entities attempting to access resources.

2) Assume breach. This principle assumes that the network is already compromised and that security mechanisms must be designed to withstand and mitigate the impact of a breach. This involves segmenting networks, deploying micro-segmentation, and maintaining detailed logging and monitoring to detect and respond to potential threats. The goal is to contain breaches and minimise their impact.

3) Adopt a "Least Privilege" model for granting resource access. Limit user and device access to only the resources necessary for their tasks, reducing the attack surface by enforcing the principle of least privilege. Role-based access control (RBAC) and just-in-time (JIT) access are critical implementations of this principle, ensuring that permissions are granted only when needed and only for the duration of the task (Edo et al., 2022).

The core principles of Zero Trust are easy to comprehend, but putting them into practice can be a significant challenge for many organisations. This shift in mindset and operational practices represents a fundamental transformation in how organisations approach cybersecurity. For example, how does an organisation reconcile the principle of "Assume Breach" and its impact on its critical cyber incident response practice?

Moreover, when will you enact your incident response plan if the organisation operates under the assumption of breach? I will not answer this question because it remains unresolved for me.

How do we determine if an organisation operates within a zero-trust cybersecurity paradigm? Several key indicators should be examined:

1) The organisation has eliminated the concept of a trusted internal network.

2) Access to resources is granted on a per-request basis, regardless of the user's location or device.

3) Strong authentication and authorisation are required for all access requests, including multi-factor authentication.

4) Data and applications are protected at all times, not just at the network perimeter.

5) Security policies are consistently enforced across all users, devices, and applications, regardless of their location.
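The indicators above, and the least-privilege and JIT principles earlier, can be made concrete as a policy decision point. The following is an added illustration, not code from the article: a castle-moat decision that trusts source network location is set beside a zero-trust decision that verifies identity, device and entitlement on every request, never consults location, and records every decision (assume breach). The roles, resources, IP ranges and time windows are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    src_ip: str
    mfa_verified: bool
    device_compliant: bool

# Constructed sample entitlements: each role gets only what its tasks need (least privilege).
ROLE_GRANTS = {
    "analyst": {("hr-db", "read")},
    "dba": {("hr-db", "read"), ("hr-db", "write")},
}
# Time-boxed just-in-time elevations: (user, resource, action) -> expiry.
JIT_GRANTS = {}

def castle_moat_decision(req):
    """Perimeter model: anything from the (constructed) 10.0.0.0/8 'internal' range is trusted."""
    return ipaddress.ip_address(req.src_ip) in ipaddress.ip_network("10.0.0.0/8")

def grant_jit(user, resource, action, minutes, now):
    """Elevate for a fixed window only; the grant lapses without a separate revocation step."""
    JIT_GRANTS[(user, resource, action)] = now + timedelta(minutes=minutes)

def zero_trust_decision(req, now, audit):
    """Per-request verification: identity, device and entitlement are checked on every call,
    the source network is never consulted, and every decision is logged (assume breach)."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_missing")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    entitled = (req.resource, req.action) in ROLE_GRANTS.get(req.role, set())
    expiry = JIT_GRANTS.get((req.user, req.resource, req.action))
    if not entitled and not (expiry and now < expiry):
        reasons.append("not_entitled")
    allowed = not reasons
    audit.append({"ts": now.isoformat(), "user": req.user, "resource": req.resource,
                  "action": req.action, "allowed": allowed, "reasons": reasons})
    return allowed, reasons

if __name__ == "__main__":
    now, log = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc), []
    # An insider on the LAN without MFA, attempting a write the analyst role never needs.
    insider = Request("alice", "analyst", "hr-db", "write", "10.1.2.3", False, True)
    print("castle moat:", castle_moat_decision(insider))            # True: location suffices
    print("zero trust:", zero_trust_decision(insider, now, log))   # (False, ['mfa_missing', 'not_entitled'])
```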

The transition to a zero-trust architecture is complex and multi-faceted, as it requires changes in technology as well as in organisational culture, processes, and skills. However, the approach offers improved security, a reduced attack surface, and better alignment with modern computing environments, making it an increasingly attractive option for organisations seeking to enhance their cyber resilience.


References

  1. Buck, C., Olenberger, C., Schweizer, A., Völter, F., & Eymann, T. (2021). Never trust, always verify: A multivocal literature review on current knowledge and research gaps of zero-trust. Computers & Security, 110, 102436. https://doi.org/10.1016/j.cose.2021.102436
  2. Edo, O. C., Tenebe, T., Etu, E., Ayuwu, A., Emakhu, J., & Adebiyi, S. (2022). Zero Trust Architecture: Trend and impact on information security. International Journal of Emerging Technology and Advanced Engineering, 12(7), 140-147. https://doi.org/10.46338/ijetae0722_15
  3. Frincke, D. A., & Bishop, M. (2004). Guarding the castle keep: Teaching with the fortress metaphor. IEEE Security & Privacy, 2(3), 69-72. https://ieeexplore.ieee.org/document/1306975/
  4. Khan, M. J. (2023). Zero trust architecture: Redefining network security paradigms in the digital age. World Journal of Advanced Research and Reviews, 19(3), 105-116. https://doi.org/10.30574/wjarr.2023.19.3.1785
  5. Kindervag, J., Balaouras, S., & Coit, L. (2010). No more chewy centers: Introducing the Zero Trust model of information security. Forrester Research.
  6. Veldhoven, Z. V., & Vanthienen, J. (2021). Digital transformation as an interaction-driven perspective between business, society, and technology. Electronic Markets, 32(2), 629-644. https://doi.org/10.1007/s12525-021-00464-5
  7. Zero Trust Core Principles. (2021). The Open Group. https://pubs.opengroup.org/security/zero-trust-principles/

Faisal Qureshi

I ghostwrite Educational Email Courses for Telco businesses

2 months ago

First article I’ve read that explains Zero Trust so well.

Jose A. Perez

CIO-Level Expertise in IT Recruitment | Helping Leaders Build High-Performing Teams | Proven Success in Hiring Top Tech Talent | Unique Insight from a Former CIO

3 months ago

Great post and I completely agree, Hani. Zero Trust requires a fundamental shift in mindset and operational practices, but it's essential for staying ahead in today's complex cybersecurity landscape.

Emily Connolly

Procurement Manager and Marketing Specialist | MBA Candidate

3 months ago

Hani, thanks for sharing!

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

3 months ago

Hani, thanks for sharing!
