Never trust, always verify: implementing a zero-trust strategy for your organization
What is zero-trust?
It might actually be easier to start with what it isn't, truth be told. All too often vendors will try and convince you that they can sell you a zero-trust product; they cannot. Zero-trust is a strategic model, a policy and not a product. It does, of course, use solutions in order to enforce that policy but it is essential that you understand that what your organization is implementing is a strategy with technology that supports it and not technology supported by your strategic policies. Get that wrong and, believe me I've seen plenty who have, you end up with an expensive and ineffective mess.
Next we come to the rather more confusing matter of zero-trust not really being a case of trusting nothing. Sure, there is an underlying strategic assumption that everything (systems, users, devices, machines, communications) is hostile until proven otherwise. Yet any zero-trust policy has to rely upon you being able to confidently authorize, validate and verify everything and everyone. You are, in effect, banishing trust as a 'by default' concept and demanding it be earned first. This is easier to get your head around if you think in terms of flipping the past-its-sell-by-date concept of 'trusted inside the perimeter' on its head. The dynamically evolving threat landscape, as evidenced by the ongoing breaches we see reported in the media on an almost daily basis, demands that the perimeter be pushed out to encompass every endpoint and every user.
Think of all your assets as being external and internet facing and it becomes clear that all will require appropriate levels of security scanning before they can be considered trustworthy. The real beauty of this strategy is, as you have no inherent trust in anything, security controls can be focused where they are actually required. This saves your business time, money and improves your security posture; and that's the zero-trust win-win in a nutshell.
How zero-trust strengthens your security posture
Once again, I feel compelled to start with something that it cannot do, and it's a truism that should shape your expectations before embarking on your strategic journey: zero-trust cannot protect your business from all attacks, and it cannot prevent every breach scenario. However, what it can do is strengthen your security posture and make those attacks much less likely to succeed. As long as you are consistent and disciplined in your application of policy, you will be ensuring that every new network device or user passes the trustworthy test before they can be allowed access. That inherently reduces the risk of a breach in the first place, and reduces the risk of any successful breach going undetected. Think about it logically: if you are validating every device, verifying every user and enforcing granular access permissions in order to determine the who, what and how of data access, then you start to win the battle against threat actors both inside and outside your perimeter. This isn't all about preventing attacks per se, but rather about containing the damage that any attacker can do. Never trust, always verify (and keep adding context) is the best weapon you have against the kind of lateral movement that threat actors have exploited so profitably in breach after breach after breach. An attack's starting point is rarely the end goal, and hackers will move swiftly throughout a network to seek the data, spread the malware or compromise the credentials they desire. Zero-trust truly enables an access strategy of least privilege to be the norm, and the bad guys hate that. The good guys love that it's helping turn security into a business enabler rather than something all too often seen by the C-suite as a necessary evil that holds the business back.
So, how do you best implement a zero-trust strategy?
There is a common misconception that zero-trust is both costly and complex to implement effectively across an organization. Whereas this was, indeed, the case in the past, it is becoming much easier, and cheaper, as more infrastructure moves into the cloud for many businesses. This overcomes the old problem of how to retrofit security within budget without diluting its effectiveness: the move to the cloud is almost like starting your IT infrastructure from scratch, and this can be taken advantage of for your zero-trust strategy implementation. The cloud has also been a primary driver of user mobility, another factor that is forcing the hand of business when it comes to legacy network security strategies. Not that adopting a zero-trust approach is impossible within the constraints of a legacy architecture, far from it, but it is more complex and therefore more time-consuming and costly to deploy. Taking the opportunity to think of zero-trust as part and parcel of a move to become a more agile and transformational business is the sensible approach.
I mentioned earlier that zero-trust is a strategy and not a product, but that doesn't mean you don't need products to enforce your new policy. Everything from identity and access management through cloud access security brokering to security information and event management solutions will play its part in your successful deployment. Every deployment will, of course, be different, and that means the solutions that best suit your business will likely not be the same as those of the organization across the block. What will remain constant across all zero-trust implementations, however, are three core concepts:
1. You can't protect what you cannot see, and a zero-trust strategy demands visibility into business assets: what data you have and how sensitive it is, who (and what) uses that data and when, and where the potential security risk sits. Visibility needs to be end-to-end, across the entire network, and ideally viewed from a single-pane-of-glass perspective. Without such visibility you cannot effectively operate in a whitelist (trusted-only) mode: visibility brings knowledge of what is plugged into the network (devices and users alike) and confidence in contextualizing that activity.
2. Because the operational demands of the business will constantly change, a zero-trust strategy demands a dynamic approach to policy configuration. This alone makes the process something that is best handled automatically rather than manually; otherwise time pressures will inevitably lead to errors and negate the whole point of zero-trust in the first place. An automatic, intelligence-led solution can produce a meaningful risk analysis of every new device, application and traffic flow, so that trust is granted only where no potential issues (in terms of security vulnerability or compliance violation) are identified.
3. This is where points one and two merge: without visibility and automation you are unlikely to successfully enforce the kind of 'micro-perimeter' segmentation in which the access controls sit as close to the protected assets as you can get them, particularly since those controls will need to change whenever, for example, application requirements change.
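To make the three concepts concrete, here is an added, constructed example (not the author's code or any vendor's product) of a deny-by-default access decision: it consults an asset inventory (visibility), checks identity, device posture and requested action against a per-asset policy (least privilege), and refuses to reach a high-sensitivity asset from outside its own segment (micro-perimeter). All asset names, users, zones and policy entries are invented for illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access attempt, with the context needed to verify it (constructed)."""
    user: str
    mfa_verified: bool     # identity verified with a second factor
    device_id: str
    device_managed: bool   # enrolled in management, so its posture is known
    patch_level_ok: bool   # posture check result from the device agent
    resource: str
    action: str
    source_zone: str       # network segment the request originates from

# Constructed asset inventory: what data we hold, how sensitive it is, where it lives.
ASSETS = {
    "hr-db": {"sensitivity": "high", "zone": "hr-segment"},
    "wiki":  {"sensitivity": "low",  "zone": "corp"},
}

# Constructed per-asset micro-perimeter: who may do what, enforced next to the asset.
POLICY = {
    "hr-db": {"alice": {"read"}, "hr-svc": {"read", "write"}},
    "wiki":  {"alice": {"read", "write"}, "bob": {"read"}},
}

def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Nothing is trusted by default: every check must pass."""
    reasons = []
    asset = ASSETS.get(req.resource)
    if asset is None:
        # You can't protect what you can't see: an uninventoried asset is never served.
        return False, ["unknown asset: not in inventory"]
    if not req.mfa_verified:
        reasons.append("user identity not verified (no MFA)")
    if not (req.device_managed and req.patch_level_ok):
        reasons.append("device posture failed")
    allowed_actions = POLICY.get(req.resource, {}).get(req.user, set())
    if req.action not in allowed_actions:
        reasons.append(f"{req.user} not granted '{req.action}' on {req.resource}")
    # Context: high-sensitivity assets are reachable only from their own segment,
    # so a foothold elsewhere on the network cannot be used to move laterally into them.
    if asset["sensitivity"] == "high" and req.source_zone != asset["zone"]:
        reasons.append(f"high-sensitivity asset reachable only from {asset['zone']}")
    return (not reasons), (reasons or ["all checks passed"])
```

Every denial carries its reasons, which is what makes the decision auditable and feeds the automated, intelligence-led review the second concept calls for.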
Get these core concepts delivered and the zero-trust model can make significant ground in transforming how your organization manages security: it reduces the risk of a data breach while at the same time aligning with your operational business needs, and ultimately it saves you money. If that's not a win-win, then I have zero trust in your ability to understand what is…
About the author:
Davey Winder is a veteran security journalist with three decades under his belt. The only three-time winner of the BT Security Journalist of the Year award, he was presented with the Enigma Award for a 'lifetime contribution to IT security journalism' in 2011. Currently contributing to Digital Health, Forbes, Infosecurity, PC Pro, SC Magazine and The Times (via Raconteur Special Reports), he can be found, with all his latest writings, at www.happygeek.com