Zero trust has long been the logical successor to the moat/castle perimeter security model, which hasn’t worked very well to protect enterprises from cyber attacks and is becoming increasingly outdated as employees become more mobile and applications migrate to the cloud.
But adoption of the zero trust model, created by former Forrester analyst John Kindervag more than a decade ago, has been slow due in part to aversion to change and concerns that replacing perimeter security with something new would be risky, complex, and costly.
That all changed when the pandemic hit, corporate offices emptied out, and millions of workers suddenly found themselves working from home. IT executives rushed to move apps to the cloud to make them more accessible to their remote workforce.
Then they scrambled to secure those edge connections with methodologies that are consistent with the zero trust architecture, such as multi-factor authentication, access controls and secure access service edge (SASE), a cloud-based service that combines connectivity and security.
In effect, companies had “inadvertently” begun their zero trust journey, says Forrester analyst Steve Turner. “We’re seeing a lot of the same clients coming back and saying, ‘Where else can I go with zero trust?’ They realise there are lots of solutions out there that advertise themselves as zero trust. They want to weed through the noise and understand what the next steps look like.”
Following are the five steps that will ensure your zero trust journey stays on track and delivers value to the business.
Step 1: Know what zero trust really means
Some of the confusion associated with the term zero trust stems from the use of the word “trust.” As Kindervag, currently senior vice-president of cyber security strategy at managed security services provider ON2IT, puts it, “zero trust is simply the idea that trust is the thing that we need to eliminate.
Trust is a human emotion that has been injected into digital systems for absolutely no reason. Zero trust is a strategic initiative that helps prevent successful data breaches by eliminating trust from your organization. It’s rooted in the principle of never trust, always verify.”
For example, everybody at the company knows John and everyone likes and trusts John. Packets are entering the network from a device that is assigned to John, but how do we know that it’s really John and not a hacker? The zero trust model simply says the assertion that it’s John needs to be checked and verified.
Organisations need to create policies designed to confirm John’s identity, control what resources John can access, prevent John from taking actions that fall outside of policy, and monitor and log all of John’s activities.
Practically, this means not only moving beyond passwords to multi-factor authentication, but also considering how to verify the device itself, its location and its behaviour, as the next points confirm.
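As an added illustration of the "John" scenario (example code written for this article, not from Kindervag, ON2IT or any vendor), a minimal policy decision function that verifies identity, device, location and need-to-know on every request and logs every outcome; the identities, device IDs and countries are assumed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy data (assumed, not from the article): need-to-know resource
# grants, managed devices and expected countries per identity.
ALLOWED_RESOURCES: Dict[str, Set[str]] = {"john": {"payroll-db", "wiki"}}
MANAGED_DEVICES: Dict[str, Set[str]] = {"john": {"laptop-0421"}}
EXPECTED_COUNTRIES: Dict[str, Set[str]] = {"john": {"GB"}}

@dataclass
class Request:
    user: str               # asserted identity ("it's John")
    mfa_passed: bool        # identity verified beyond a password
    device_id: str          # which device the packets come from
    device_compliant: bool  # posture, e.g. disk encrypted and EDR running
    country: str            # where the request originates
    resource: str           # what John is asking to reach

AUDIT_LOG: List[dict] = []  # every decision is recorded, allowed or not

def evaluate(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: all checks must pass and the outcome is logged."""
    checks = [
        (req.mfa_passed, "mfa_failed"),
        (req.device_id in MANAGED_DEVICES.get(req.user, set()), "unknown_device"),
        (req.device_compliant, "device_noncompliant"),
        (req.country in EXPECTED_COUNTRIES.get(req.user, set()), "unexpected_location"),
        (req.resource in ALLOWED_RESOURCES.get(req.user, set()), "no_need_to_know"),
    ]
    failed = [reason for ok, reason in checks if not ok]
    allowed = not failed
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "allowed": allowed, "reasons": failed})
    # Deny by default: a single failed check is enough to refuse the request.
    return allowed, "allowed" if allowed else ",".join(failed)

if __name__ == "__main__":
    ok = Request("john", True, "laptop-0421", True, "GB", "payroll-db")
    spoof = Request("john", True, "laptop-9999", True, "RU", "payroll-db")
    for r in (ok, spoof):
        print(r.device_id, r.country, "->", evaluate(r))
```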
Step 2: Identify what you want to protect
The purpose of zero trust is to protect the business from the financial, regulatory, and reputational consequences of data breaches, so the first step is to figure out what you need to protect.
It could be customer data, employee data, financial data, intellectual property, business process data, data generated by IoT devices, application data, or a service like DNS or Active Directory. “Focus on business outcomes,” says Kindervag. “If you don’t know your business needs, you will fail.”
Once you know what data needs to be protected and have identified where it’s located, zero trust principles take over. This means establishing policies that only allow access on a need-to-know basis and inspecting all traffic to and from protected data.
Having security policies in place that protect against exfiltration of sensitive data is critically important because the same egress controls prevent attackers from establishing command and control, which effectively blocks many types of attacks, including ransomware.
Kris Burkhardt, CISO at Accenture, says his company has been on a zero trust journey for 20 years, dating back to the company’s decision to put many of its applications in the cloud so they could be more easily accessed by its highly mobile workforce.
Rather than deploy VPNs, which were expensive back then, Accenture allowed employees to connect to the public internet via a simple browser, but deployed endpoint protection, multi-factor authentication, identity and access controls, as well as microsegmentation.
The company treats critical information systems with special care, including extra monitoring, privileged access management, and even requiring two people to perform certain actions, says Burkhardt.
Step 3: Design the network from the inside out
The perimeter security model is based on the idea that there’s an inside (corporate headquarters) where everyone is trusted, and an untrusted outside, which is protected by firewalls and other security tools.
The zero trust model eliminates the distinction between inside and outside and replaces it with network segments that are created for specific purposes. For example, Kindervag suggests that companies might want to start with a single data stream, such as credit card data.
Burkhardt says that microsegmentation is an area where “you can get yourself in trouble if you overcomplicate things,” but he points out that “the tooling is evolving quickly in a good way to make it easier.” The important thing is to have a clear microsegmentation strategy and to execute it correctly, both on-premises and in the cloud.
He says some of the classic segmentation approaches would be creating a microsegment for disaster recovery, separating the data center from office applications, and creating a segment for the DMZ where connections to the internet are managed.
Step 4: Log all traffic
Kindervag says inspecting and logging all traffic is an important element in a zero trust architecture. Real-time analysis of traffic logs can help identify cyber attacks. Kindervag adds that the rich telemetry that is collected can help create a feedback loop that makes the network stronger over time.
Burkhardt says Accenture sends its traffic logs to Splunk for a variety of analytics, including threat hunting queries, identifying whether pre-defined conditions indicative of an attack or someone taking an incorrect action by mistake have occurred, and detecting when there is an attacker present in the environment. Analysis of endpoint logs can track any actions that the attacker may have taken and “help you understand forensically what occurred.”
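To show what "pre-defined conditions" over traffic logs can look like in practice, here is an added example (not Accenture's or Splunk's code) that parses a constructed JSON-lines access log and flags two such conditions: a burst of denied requests for one identity, and the same identity appearing from two countries within a short window. Field names, thresholds and the sample events are all assumed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Set

# Constructed access-log sample (one JSON object per line); the field names and
# values are assumed for this example, not taken from any real deployment.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00","user":"john","country":"GB","resource":"payroll-db","allowed":true}
{"ts":"2024-03-01T09:05:10","user":"john","country":"RU","resource":"payroll-db","allowed":false}
{"ts":"2024-03-01T09:05:30","user":"john","country":"RU","resource":"payroll-db","allowed":false}
{"ts":"2024-03-01T09:05:50","user":"john","country":"RU","resource":"hr-share","allowed":false}
{"ts":"2024-03-01T09:20:00","user":"alice","country":"GB","resource":"wiki","allowed":false}
"""

def parse_log(text: str) -> List[dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def denied_bursts(events, threshold=3, window=timedelta(minutes=5)) -> Set[str]:
    """Condition 1: an identity denied `threshold` times within `window`.
    Catches credential misuse as well as a user or policy that is simply misconfigured."""
    denied_at = defaultdict(list)
    for e in events:
        if not e["allowed"]:
            denied_at[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in denied_at.items():  # times are already in order
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.add(user)
                break
    return flagged

def location_changes(events, window=timedelta(hours=1)) -> Set[str]:
    """Condition 2: one identity seen from two countries within `window`, allowed
    or not, which a zero trust policy treats as a signal to re-verify."""
    last_seen = {}
    flagged = set()
    for e in events:
        prev = last_seen.get(e["user"])
        if prev and prev[0] != e["country"] and e["ts"] - prev[1] <= window:
            flagged.add(e["user"])
        last_seen[e["user"]] = (e["country"], e["ts"])
    return flagged
```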
Step 5: Commit to the long run, but take those first steps
Zero trust is “a continuous journey,” says Burkhardt. Pick one small system to use as a test case and make sure you have all of the controls, logging, and monitoring in place. “There’s no reason to steam through. Get it right small. Then get it right big.”
Kindervag adds, “Focus on protecting the keys to the kingdom, the crown jewels. Do it incrementally and non-destructively.”
At Accenture, even though the company has been operating on zero trust principles since before the term was invented, there is always more work to be done. Burkhardt says a focus these days is the cloud. With application development occurring in the cloud, applications moving to the cloud, and more data than ever being stored in the cloud, Burkhardt is “staying on top of new offerings from cloud providers” aimed at applying zero trust principles.
His recommendation to other CISOs is to understand that the security landscape has changed over the past few years. Think nation-state attacks, SolarWinds, ransomware. The status quo no longer cuts it.
“Teams know the world is changing and they need to change with it. It might be scary but the best thing to do is embrace the change, understand that the perimeter model had its value for many years, but zero trust is far more flexible and it’s the only way you’re going to have success in the public cloud.”