Ernest Hemingway, the well-known American journalist, novelist and short-story writer, once wrote, “The best way to find out if you can trust somebody is to trust them.”
I enjoyed Hemingway’s The Old Man and the Sea, but I’m pretty sure that his take on trust will not go down well with the general cyber-security community.
Most chief information security officers (CISOs) today agree that trust is a dangerous vulnerability that can be exploited. With a Zero Trust approach, everything is untrusted. There are no notions of trusted networks, trusted devices or trusted people.
The Zero Trust approach of never trusting and always verifying will change how users interact with systems and data. Basically, for every access to data and information, you need to know who your users are, what apps they are accessing, how they are connecting to your apps, and which controls you have in place for securing that access.
So why Zero Trust?
John Kindervag, a former analyst at Forrester Research, coined the term Zero Trust a decade back in describing a security model where anyone and any device attempting to connect to a network asset is treated as untrustworthy. Device and user credentials, rather than network location, are the basis for granting or denying access to network assets. Such an approach prevents an attacker who is already in a network after successfully breaching the perimeter from gaining access to high-value targets.
The practice of implicitly trusting users on internal networks while treating external users as untrusted could soon be obsolete. A number of recent data breaches have happened because conventional security controls, implemented using the classic castle-and-moat approach, were unable to spot malicious activities being carried out by external actors using stolen credentials to move about freely within internal networks.
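The difference between the two models described above, shown as an added example rather than anything from the original article: a small policy decision function that grants access on network location (castle-and-moat) beside one that grants it on verified user, device and per-app entitlement (Zero Trust). The network range, user entitlements and the three requests are constructed for illustration, and device posture is assumed to come from a device inventory.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: the "trusted" corporate range


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool       # credential check passed (stolen credentials pass this too)
    mfa_ok: bool            # second factor presented and verified
    device_id: str          # identifier presented by the connecting device
    device_managed: bool    # device attested as enrolled/healthy by the (assumed) device inventory
    source_ip: str
    app: str


# Constructed entitlements: which users may reach which applications.
ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}


def castle_and_moat(req: AccessRequest) -> bool:
    """Perimeter model: a valid password from inside the network is enough."""
    return ip_address(req.source_ip) in INTERNAL_NET and req.password_ok


def zero_trust(req: AccessRequest) -> bool:
    """Verify who (user + MFA), how (managed device) and what (per-app entitlement);
    network location plays no part in the decision."""
    if not (req.password_ok and req.mfa_ok):
        return False
    if not req.device_managed:
        return False
    return req.app in ENTITLEMENTS.get(req.user, set())


# Constructed scenario: an intruder holds alice's password and a foothold on the LAN,
# but has no second factor and is on an unenrolled device.
STOLEN_CREDS = AccessRequest("alice", True, False, "unknown-laptop", False, "10.20.3.7", "payroll")
# Legitimate access from outside the office on an enrolled laptop.
REMOTE_ALICE = AccessRequest("alice", True, True, "corp-lt-0142", True, "203.0.113.9", "payroll")
# Authenticated employee requesting an app they are not entitled to.
BOB_PAYROLL = AccessRequest("bob", True, True, "corp-lt-0077", True, "10.20.3.8", "payroll")


def compare(req: AccessRequest) -> dict:
    """Return both models' decisions for the same request."""
    return {"castle_and_moat": castle_and_moat(req), "zero_trust": zero_trust(req)}


if __name__ == "__main__":
    for name, req in [("stolen creds", STOLEN_CREDS), ("remote alice", REMOTE_ALICE), ("bob->payroll", BOB_PAYROLL)]:
        print(name, compare(req))
```

The stolen-credential request is the case the article describes: the perimeter model lets it through because the source address is internal, while the Zero Trust check denies it for lack of a second factor and a managed device.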
In fact, the castle-and-moat approach is on its way out because the notion of existing in isolation will not apply to evolving data centres, which have applications hosted on-premises, in hybrid clouds and commercial clouds, and where users are accessing these applications from diverse endpoints and devices from multiple locations — possibly from across the globe.
How to embark on the Zero Trust journey
Many security vendors claim to have Zero Trust solutions today by offering multi-factor authentication and some level of identity and access management, as well as offering to implement micro-segmentation in some parts of the network.
Taking a holistic approach to Zero Trust is not about implementing these technologies individually, but instead meaningfully orchestrating them to enforce the discipline that no access will be granted — to anyone or anything — until they have proven they should be trusted.
CISOs know only too well that the approach is to embrace the strategy and then leverage technology progressively, rather than to throw technology at the strategy — which has never been a wise move because a lot of poorly integrated tools can make networks more brittle.
A key challenge in moving to Zero Trust is to undo the traditional security mindset and culture of application, network, security and operations staff and engineers. Most of them implicitly trust their perimeter-secured environments and tend to believe that next-generation firewalls and network-based intrusion-prevention systems (NIPS) are keeping the bad guys out. A mindset change is required for them to understand that the bad actors are already in their environment.
Getting to Zero Trust will not be an overnight accomplishment, especially in organisations with legacy systems and applications. This would be a multi-phase and multi-year journey involving multiple teams. Perhaps the best time to embark on a Zero Trust journey is when an organisation undergoes a digital transformation program or when it is setting up a greenfield environment.
The journey starts with having visibility into all the current applications, devices, sensitive data and data flows across an enterprise. The next step is having strong identification and authentication controls for both users and devices.
CISOs could work with digital transformation partners to look at developing Zero Trust design blueprints and consider evolving them into cyber-reference architectures that illustrate the deployment and orchestration of the multiple technologies which drive enterprises on the Zero Trust journey. Such an approach should provide the overarching guidance needed as enterprises modernise IT and optimise data architectures across public, private and hybrid clouds.