The big buzzword in the industry today is “zero-trust security.” It’s getting a lot of ink—but is it real? Is it practical? And for starters, what the heck is it, exactly?
How Enterprises Protect Their Digital Stuff in an Evolving World
Long ago, back in far simpler days, enterprises protected their networks by surrounding them with the digital equivalent of a wall. “Inside the network” and “outside the network” were distinct states. If you were outside, it was difficult to get in. If you were inside, you were trusted, protected, and able to move freely. Now, this is an oversimplification, to be sure—but it serves to illustrate how things have changed.
Walls are a pretty good way to keep people out. The problem is that organizations aren’t little enclaves to be sheltered from the rest of the world. They need to transact with customers to do business, and they need to provide access to partners. This requires opening up doors within the walls, whether they like it or not. Telecommuting became popular, which requires more “openings” so employees can do their jobs from remote locations (i.e., outside the secure enterprise network). And then XaaS took off, moving huge swaths of workloads into public or hybrid clouds. BYOD. IoT. The endless march of technology trends has poked so many holes into the perimeter, it’s more than just porous, it’s like a sieve.
In response, the industry moved to a layered cybersecurity approach: defense-in-depth. The idea here is to implement multiple security controls throughout the IT environment to provide redundancy in the event that any one security control fails or has an exploitable vulnerability. And of course, there have been lots of technology advancements to provide the components for a defense-in-depth strategy. Tools to prevent, to detect, to remediate. Solutions for data in motion, data at rest. Protection for systems, applications, endpoints. Packet analysis, behavior analysis. Authentication, authorization, access control. And on and on.
Attitudes toward “trusted insiders” have also changed. No longer are insiders trusted just because they are insiders. And there are many types of insider threats. There are the truly malicious ones such as a disgruntled employee who seeks to hurt the organization, or one who is coerced through blackmail or similar tactics. Edward Snowden, for example, was a trusted sub-contractor who exploited his access to steal and leak millions of documents. But there are also unintentional insider threats as well—careless employees who are phished or who unwittingly launch malware or who are otherwise manipulated into letting the bad guys right in. If all this sounds incredibly complex and hard to manage, it is. And if it sounds like the old approach doesn’t work in today’s technology climate, you’re not the only one who thinks so.
Enter Zero-Trust Security
The concept of zero-trust security was introduced in 2010 by John Kindervag, who at the time was a Forrester analyst. Here’s how he described it: “Security professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted. Thus, security professionals should do the following, according to Forrester, No More Chewy Centers: The Zero Trust Model of Information Security, updated March 29, 2016:
- verify and secure all resources
- limit and strictly enforce access control
- inspect and log all network traffic
This is a profoundly different way of managing security, which means it’s not something that can be easily adopted overnight. It’s now eight years later. Are enterprises ready to finally make strides toward zero trust? There’s certainly a lot of talk. But what actions are needed, and what tradeoffs must be considered?
Reimagining the Concepts of Perimeter and Access Management
The traditional perimeter—the one big wall and moat outside the castle—no longer exists. Today, perimeters should be as tiny and abundant as possible. Zero-trust requires microsegmentation to protect and restrict access at a highly granular level. A breach of a microperimeter severely limits what a hacker can do from there compared to the relatively free reign they may have in the old model. Zero-trust is also a more identity-centric model. It’s not enough to just have a “key,” so to speak, that lets you in the door. You need to have more granular access control with all access to services requiring multi-factor authentication, identity and access management controls, and explicit and specific permissioning.
The Trick is to Maintain Usability
One of the major challenges of any cybersecurity strategy is to implement an approach that’s both safe and practical. And even though it’s called “zero trust,” there does, of course, have to be some level of trust within the system. Can you imagine having to go through multi-factor authentication to open every single email? Of course not. You wouldn’t be able to do your job. You wouldn’t be able to do anything. The company might as well eliminate email entirely (as tempting as that might sound—and it certainly would up an organization’s security quotient—it’s laughably impractical). So, IT needs a way to efficiently and appropriately understand context—about the user, the device, the data, etc.—to make good decisions that strike the right balance between security and usability. And that means zero-trust security must be baked right into all IT processes, policies, and systems.
Getting to Zero-Trust Security
It all starts with a new attitude. “Trust but verify” must become “trust no one.” But this is not a product you can buy and slap into the environment. It cannot be an overlay onto what exists today—that’s what got us here in the first place. According to Forrester, zero trust will change the way we build networks, and they must be designed from the inside out. It’s not easy, and won’t happen overnight. The larger an organization is, and the more legacy stuff it has, the more complex the journey will be. Is it worth it? Today’s high-risk, high-complexity cyber climate suggests it is.