What A Zero Trust Approach To Cybersecurity Is And What It Takes To Implement

Monty Python and the Holy Grail. Game of Thrones. The siege of Troy. Most people probably have a mental image of a thick-walled, highly fortified castle surrounded by a moat that protects the inhabitants within. Outside it, enemies known and unknown plan their attack. When someone approaches the drawbridge, the heavily armed guards block his path: “Halt! Who goes there?” If the person provides the proper credentials, he is allowed in and trusted to roam about the castle grounds at will. But what if the stranger is a spy with forged papers, intent on stealing vital battle secrets? Or if a wily intruder swims the moat, and unseen, scales an unprotected wall? Or if a disaffected inhabitant turns against their fellow castle dwellers and betrays them to the enemy? Or if a gift left outside the castle walls (say a huge wooden horse) is brought inside and then disgorges scores of enemy soldiers? We all know how these stories end: Mayhem and chaos! Looting and pillaging! Death and destruction! Those thick walls and guarded gates could not keep out or prevent the wide variety of threats that lurked both outside and inside their perimeter.

And so it is with what are referred to as legacy cybersecurity systems. This mindset focuses resources on beefing up the enterprise’s perimeter with barriers—firewalls—that control traffic coming in and out of a network to keep systems within it safe, and it relies on the policy of “trust but verify,” where users, once authorized and verified, are allowed to move laterally around the network with little resistance. This has proven to be no match for ever more sophisticated cyberattacks and data breaches, where hackers penetrate an enterprise in a variety of ways and then escalate their own privileges until they have gained access to crucial systems. Increasingly complex networks that include cloud, remote, and mobile environments as well as new technologies and IoT devices mean that it’s no longer possible to have a perimeter that protects everything. And without an easily identified perimeter, there is no way to set up a secure, firewall-based boundary.

But those in the cybersecurity world are nothing if not nimble. Security experts have learned from breaches and attacks and have been working for a while on an approach to counter these threats and adjust to a perimeter-less system. It’s called zero trust and is based on the “Never trust, always verify” model. And now zero trust has become a core tenet of President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity. This EO aims to push federal agencies to adopt a zero-trust cybersecurity strategy and calls for them to develop plans to migrate to a zero trust architecture.

But what is zero trust?

Zero trust is actually pretty straightforward. According to NIST Special Publication 800-207, Zero Trust Architecture, the goal for zero trust is “to prevent unauthorized access to data and services” and to make “access control enforcement as granular as possible,” meaning it grants only the minimum privileges that authorized users need to perform their tasks.

The zero trust security model assumes two things:

  • An attacker has already gained access to an organization’s environment—either from inside or outside the network—so security controls need to be in place to prevent them from moving laterally around the compromised system. Authorized users and machines may be verified and granted access to one resource, but they must be verified again before they can be granted access to a different resource. Continually authenticating and authorizing the identity and security posture behind each access request limits the ability of an attacker, or of a compromised machine, to move laterally inside the network.
  • There is no barrier, so security is designed without counting on firewalls or other barrier protections. The continuous scrutiny of those inside the network has replaced the need for it.

Microsoft’s 2021 Zero Trust Adoption report reveals just how vital security decision-makers consider zero trust to be in their approach. The report found that 96 percent of responding decision-makers said zero trust is critical to their firm’s success. “90 percent of the security decision-makers we surveyed are familiar with Zero Trust and 76 percent are in the process of implementation—an increase from the last year of 20 percent and 6 percent, respectively,” the report concluded.

So recognizing that it is critical to adopt the zero trust approach and actually doing it are two very different things, and the Cybersecurity and Infrastructure Security Agency (CISA) states as much in its draft Zero Trust Maturity Model: “More fundamentally, zero trust may require a change in an organization’s philosophy and culture around cybersecurity. The path to zero trust is a journey that will take years to implement.”

But just because it will take years to implement doesn’t mean organizations should not begin to take the first steps. NIST 800-207 says that many organizations already follow several key zero trust policies, especially organizations that have implemented aspects of the NIST Risk Management Framework and NIST Privacy Framework. NIST 800-207 also says that most enterprises will operate on a hybrid zero-trust/perimeter-based strategy while they invest in updating their IT systems.

The Microsoft report bears this out; 52 percent of the respondents say they are ahead of where they expected to be in adopting zero trust, and 73 percent said they expected their budget toward achieving zero trust to increase.

The CISA Zero Trust Maturity Model identifies the following five key pillars as the foundation of zero trust. CISA recommends that organizations work toward implementing aspects of all of them as they transition toward eventually achieving a zero trust environment.

  1. Identity: who is requesting access and how are they verified?
  2. Devices: which devices are allowed network access, how are they verified and what do they have access to?
  3. Network/Environment: how should the network be segmented and how should data flow across the network segments?
  4. Application Workload: how are firm-owned systems, clouds, programs, etc., secured?
  5. Data: how is data best protected?
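To make the two assumptions above and the pillars concrete, here is an added example of a tiny policy decision point, written for this page and not taken from NIST SP 800-207, the CISA model, or any product. It evaluates every request on its own against the target resource's policy, using identity (group membership and strong authentication), device posture and the requested action, and deliberately ignores where on the network the request came from. For contrast it also shows what a perimeter-style check would have decided. All resource names, groups, devices and IP addresses are constructed for the example.

```python
"""Per-request access evaluation in the zero trust style, beside a perimeter-style check.

Added illustration; resource names, groups, devices and addresses are constructed.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool      # strong authentication completed for this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in device management
    patched: bool           # passes the posture check


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str
    source_ip: str          # kept for audit only; never a trust input below


# Constructed per-resource policy: who may do what, and what posture the device needs.
POLICY = {
    "hr-payroll-db": {"actions": {"read": {"hr-analysts"}},
                      "require_managed": True, "require_mfa": True},
    "wiki": {"actions": {"read": {"employees"}, "write": {"employees"}},
             "require_managed": False, "require_mfa": False},
    "prod-kubernetes-api": {"actions": {"deploy": {"sre"}},
                            "require_managed": True, "require_mfa": True},
}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside the walls" range


def perimeter_decision(req: Request) -> Decision:
    """Legacy model: anything already inside the perimeter is trusted."""
    inside = ipaddress.ip_address(req.source_ip) in INTERNAL_NET
    return Decision.ALLOW if inside else Decision.DENY


def zero_trust_decision(req: Request) -> tuple:
    """Evaluate one request against the resource's own policy, default deny.

    Nothing is cached between calls, so access granted to one resource
    says nothing about the next request.
    """
    policy = POLICY.get(req.resource)
    if policy is None:
        return Decision.DENY, "unknown resource (default deny)"
    if policy["require_mfa"] and not req.identity.mfa_verified:
        return Decision.DENY, "strong authentication required"
    if policy["require_managed"] and not (req.device.managed and req.device.patched):
        return Decision.DENY, "device posture not compliant"
    allowed = policy["actions"].get(req.action)
    if not allowed:
        return Decision.DENY, f"action {req.action!r} not defined for this resource"
    if req.identity.groups.isdisjoint(allowed):
        return Decision.DENY, "identity not authorized for this action"
    return Decision.ALLOW, "identity, device and authorization checks passed"


def compare(req: Request) -> dict:
    """Return both models' decisions for one request, for side-by-side reading."""
    zt, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req).value, "zero_trust": zt.value, "reason": reason}


# Constructed sample identities, devices and requests.
analyst = Identity("alice", frozenset({"employees", "hr-analysts"}), mfa_verified=True)
staffer = Identity("bob", frozenset({"employees"}), mfa_verified=True)
laptop = Device("lt-001", managed=True, patched=True)
byod = Device("phone-042", managed=False, patched=False)

SAMPLES = {
    "analyst_reads_payroll": Request(analyst, laptop, "hr-payroll-db", "read", "10.1.2.3"),
    "analyst_tries_deploy": Request(analyst, laptop, "prod-kubernetes-api", "deploy", "10.1.2.3"),
    "byod_inside_reads_payroll": Request(staffer, byod, "hr-payroll-db", "read", "10.9.8.7"),
    "analyst_remote_reads_payroll": Request(analyst, laptop, "hr-payroll-db", "read", "203.0.113.5"),
}


def run_samples() -> dict:
    """Evaluate every constructed request under both models."""
    return {name: compare(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:30} perimeter={result['perimeter']:5} "
              f"zero_trust={result['zero_trust']:5} ({result['reason']})")
```

Reading the four samples together: the analyst's valid access to the payroll database does not carry over to the deployment API (a fresh decision is made, and it fails on authorization); an employee on an unmanaged phone inside the network is allowed by the perimeter model but refused on device posture; and the same analyst working remotely is refused by the perimeter model but allowed under zero trust, because location was never the criterion.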