For nearly a decade, some security analysts and industry watchers have touted the concept of “zero trust” architecture as a new and better way to protect an organization’s network and data. As the perimeter becomes more difficult and costly to defend, enterprises should focus on more innovative ways to defend their infrastructures from threats both external and internal.
The adoption of zero trust architecture, however, has been a slow process, with enterprises resistant to change. Shifting security defenses is seen as expensive and time-consuming.
Now, with the uncertainty of the COVID-19 pandemic and the transition for many businesses to a work-from-home model for the foreseeable future, many security watchers believe that the time has come for organizations to embrace the notion of zero trust architectures, especially as the perimeter becomes even more porous.
“Our data on adversaries and malicious insiders shows they are becoming increasingly sophisticated in their tactics, techniques, and procedures,” Clay Brothers, principal consultant at incident-response firm Crypsis Group, told Dice. “It is no longer sufficient to focus resources and investment solely at the perimeter of the corporate network. It’s important for organizations to obtain and use the detailed knowledge of its assets, data, users and business processes to incrementally implement zero trust principles, process changes, and technology at the appropriate levels within the environment.”
Another driver that might help open the door to more zero trust adoption is the U.S. National Institute of Standards and Technology, which released its Special Publication SP 800-207 in August. This document lays out the agency’s view of zero trust as well as various components of the architecture and possible ways to deploy it as a defense.
The agency took a slightly different approach with this publication, however, creating a document that is more descriptive than prescriptive in order to let organizations explore the concept without locking IT or security departments into a specific deployment model.
“It [SP 800-207] also presents a general road map for organizations wishing to migrate to a zero trust design approach and discusses relevant federal policies that may impact or influence a zero trust architecture,” according to NIST.
Not to be outdone, the National Cyber Security Center, the U.K.'s national computer emergency response team, has published its own guide to creating a zero trust architecture.
What Does Zero Trust Mean?
Although former Forrester analyst John Kindervag first coined the term “zero trust” a decade ago, there is no one definition of what “zero trust” means, nor is there one proven path to implementing the concept across an enterprise network.
At its most basic, zero trust builds on the concept that there is no longer a perimeter around networks, which means nothing outside or inside can be trusted. This means that devices, applications and employees must be verified every time they attempt to connect to a resource within the network.
Zero trust also implies that the corporate network has already been breached and that the only surefire way to prevent attackers from moving laterally across the network is to remove trust from the equation and verify all connections.
“The architecture assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location,” Brothers said.
This idea of not trusting any device, app or person comes at a time when breaches are increasing and the costs associated with security events can affect the bottom line of any company. In its 2020 Data Breach Investigations Report, Verizon found that, of the 32,000 security incidents it investigated in 2019, 3,950 were confirmed breaches—almost double the number it found in 2018.
Implementing zero trust, however, can be difficult, time-consuming and expensive except for some of the largest and most sophisticated of enterprises.
Google, for instance, began its own zero trust journey about 10 years ago after nation-state hackers successfully infiltrated the company. Since then, the search engine giant has promoted its BeyondCorp initiative and, in April, began offering it as a service to customers. Its central concept is to cut down on the use of technologies such as VPNs to connect to corporate networks. Instead, it relies on security and risk policies that verify an employee, device or application each time it needs to access these resources.
While it is not an easy journey, Fausto Oliveira, principal security architect at security firm Acceptto, notes that zero trust is one way to achieve what Gartner has deemed Continuous Adaptive Risk and Trust Assessment (CARTA), which seeks to eliminate the risks inherent in the digital world.
“The end goal is to have security solutions that adapt and evolve as the threat landscape evolves while relying on immutable identity as the foundation of a comprehensive security and risk management strategy,” Oliveira told Dice. “The only way to find the intersection of CARTA and zero trust is to leverage an immutable identity solution for all internal and external users. In that way you can ensure that pre-, during and post-authorization, only those you want to have access will actually gain that access. One of the most important aspects of identity authentication is that most cybercriminals also adapt to new technologies so something is needed to create an immutable identity that can’t be adapted by cybercriminals.”
Zero Trust and COVID-19
The COVID-19 pandemic and the rush to move employees into home offices have accelerated the need to try new approaches to cybersecurity. For many observers, this means zero trust.
“The evolving nature of networks has mandated that we rethink how security issues are compartmentalized. These additions to the scope of Zero Trust are helpful in this evolution,” Thomas Hatch, the CTO and co-founder at software firm SaltStack, told Dice.
“COVID has placed added stress on the distributed nature of access for networks. Many of the systems for this management have been in place for a long time, so the current changes are more of pushing more people onto these platforms,” Hatch said. “This means that we are seeing a refinement around the concepts that were already in place. This addition to zero trust is an excellent example of this. I see a great deal of refinement around these technologies and practices more than revolutionary changes.”
Crypsis Group’s Brothers noted that, instead of relying on technologies such as VPNs, the security policy engines that drive zero trust will prevent a compromised or non-compliant account from accessing resources outside its normal access and behavior patterns. This, in turn, decreases manual and error-prone detection controls. There are many ways to achieve this, including weekly or monthly reviews for unapproved software, unpatched operating systems, known vulnerabilities and unusual user behavior.
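The two ideas above, that nothing is trusted because of its network location and that a policy engine re-verifies identity, device posture and expected access pattern on every request, can be made concrete with a small policy decision point. The following is an added example written for this article, not code from NIST SP 800-207, Google's BeyondCorp or any vendor named here. The resource names, the 10.0.0.0/8 "corporate" range, the device posture fields and the per-user access baseline are all constructed for illustration; in a real deployment the baseline would come from access-log analytics and the posture data from an endpoint management agent.

```python
"""Toy zero-trust policy decision point (constructed example).

Every request is evaluated on identity, device posture and the resource's own
policy. The source IP address is recorded for logging but never grants trust,
so a request from the office LAN is judged exactly like one from a coffee shop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Subject:
    """The authenticated identity making the request."""
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    src_ip: str  # logged for context only; never a trust input


@dataclass(frozen=True)
class Device:
    """Posture of the endpoint the request comes from (assumed fields)."""
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Resource:
    """Per-resource policy the engine enforces."""
    name: str
    allowed_roles: FrozenSet[str]
    requires_mfa: bool = True
    max_patch_age_days: int = 30


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: Tuple[str, ...]  # empty when the request is allowed
    from_corp_net: bool       # informational only, never used in the verdict


# Constructed baseline of what each account normally touches. Assumption: in
# practice this is derived from access-log analytics, not written by hand.
NORMAL_ACCESS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"hr-portal", "wiki"}),
    "bob": frozenset({"wiki"}),
}
CORP_NET = ip_network("10.0.0.0/8")  # constructed "office" address range


def device_findings(dev: Device, res: Resource) -> Tuple[str, ...]:
    """Return the posture problems that make `dev` non-compliant for `res`."""
    found = []
    if not dev.managed:
        found.append("device not managed")
    if not dev.disk_encrypted:
        found.append("disk not encrypted")
    if dev.patch_age_days > res.max_patch_age_days:
        found.append(f"patches {dev.patch_age_days}d old, max {res.max_patch_age_days}d")
    return tuple(found)


def evaluate(subj: Subject, dev: Device, res: Resource) -> Decision:
    """Decide one request. Every signal is re-checked on every call; nothing is
    remembered from an earlier connection and the source address grants nothing."""
    reasons = []
    if not (subj.roles & res.allowed_roles):
        reasons.append(f"role not permitted for {res.name}")
    if res.requires_mfa and not subj.mfa_verified:
        reasons.append("MFA not verified for this session")
    reasons.extend(device_findings(dev, res))
    if res.name not in NORMAL_ACCESS.get(subj.user, frozenset()):
        reasons.append("outside the account's normal access pattern")
    from_corp = ip_address(subj.src_ip) in CORP_NET
    return Decision(allow=not reasons, reasons=tuple(reasons), from_corp_net=from_corp)


def demo() -> Dict[str, Decision]:
    """Constructed scenarios showing that an office-network address wins nothing."""
    hr_portal = Resource("hr-portal", frozenset({"hr"}))
    wiki = Resource("wiki", frozenset({"hr", "eng"}), requires_mfa=False)
    good = Device("lt-001", managed=True, disk_encrypted=True, patch_age_days=3)
    byod = Device("byod-77", managed=False, disk_encrypted=False, patch_age_days=120)
    return {
        # remote user, compliant device, MFA done: allowed although off-network
        "alice_remote": evaluate(Subject("alice", frozenset({"hr"}), True, "203.0.113.5"), good, hr_portal),
        # on the corporate LAN but an unmanaged device: denied
        "bob_byod_lan": evaluate(Subject("bob", frozenset({"eng"}), True, "10.1.2.3"), byod, wiki),
        # on the corporate LAN, compliant device, but no MFA this session: denied
        "alice_no_mfa": evaluate(Subject("alice", frozenset({"hr"}), False, "10.1.2.3"), good, hr_portal),
        # valid session reaching for a resource bob has no role for and never uses: denied
        "bob_lateral": evaluate(Subject("bob", frozenset({"eng"}), True, "10.1.2.3"), good, hr_portal),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        verdict = "ALLOW" if d.allow else "DENY"
        print(f"{name:14} {verdict:5} corp_net={d.from_corp_net} {'; '.join(d.reasons)}")
```

The point of the last scenario is the lateral-movement case the article describes: a perfectly authenticated account on a compliant device is still refused a resource outside its role and its observed access pattern, and the denial reasons are returned as data so they can feed a detection pipeline rather than a manual review.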
And at a time when attackers have a much larger attack surface in which to find and exploit vulnerabilities to reach corporate networks and data, Brothers believes the time to consider zero trust has come.
“Zero trust architecture provides a viable solution to those organizations that were required to dramatically react in real time to transform operations for the COVID-19 new normal,” Brothers said. “Zero trust was designed to respond to the risks of remote users and bring your own device, way before COVID-19 changed the way we live and work. By shifting away from the focus on the network perimeter and physical location of employees as the primary gateway for accessing corporate systems, organizations can more effectively detect and block attacks from inside the network.”