We CISOs are getting hit constantly with Zero Trust marketing and initiative pushes, both externally and internally. There is certainly value in the strategy, especially as Google laid it out in its BeyondCorp initiative and initial implementation starting in 2009. But I see that as a step along an evolutionary path, not the final destination. Now that our physical, and even many of our virtual, perimeters have completely vanished, Zero Trust has pointed us to the right way of thinking. But we can be even smarter about it – maybe we don’t have to go all the way to Zero for every transaction.
My journey through this crazy [cyber] world we live in started way back in the 1990s, when the public Internet was born. Attackers were born almost as a twin and brought with them viruses and malware. Internet Service Providers (ISPs) initially dealt with it on their own until cybersecurity vendors jumped into the game. As email spam and phishing joined the party, ISPs had to evolve their methods, from simple policy adjustments to monitoring, forensics, and then countermeasures. Cybersecurity really exploded in the 2000s as the Internet expanded across the globe and homes and businesses all went “online”. Cyber threats multiplied and diversified, including the introduction of zero-days, multi-vector attacks, and the dreaded DDoS (Distributed Denial of Service). Next came attacker infrastructure for rent, allowing teenagers and kids to pile on through dark web subscriptions. Then servers, appliances, and even smart devices got sucked into attack botnets, often through known third-party vulnerabilities, leading to breaches at some very large public companies.
Cybersecurity professionals and vendors continued to shift tactics through all of that mess, ultimately taking a very strong position on “Detect, Respond and Recover”. The volumes of attacks required tools to be smarter about sifting through signals to narrow down the plethora of security alerts and events produced in the SIEM or SOC. Fortunately, for the better part of that history, we were able to concentrate efforts on a perimeter, with trusted employees on the inside and everyone else as untrusted on the outside. We were able to concentrate our efforts on choke points in the networks and communication pathways, and it mostly worked. More recently, mobile, BYOD, work from anywhere, cloud apps, etc., etc. have pushed us off the traditional perimeter as a useful concept (and we adapted), but it just got a lot worse…
Enter 2020: a global pandemic, quarantines, forced closures, and time to shift again, because now ALL of your employees work from home. Our users have scattered across the globe, but they still need fast access to their data, applications, and other corporate systems to stay productive. And while productivity is top of mind for them, CISOs still live and die on the ability to assure the security of our critical assets, and it’s a challenge. As cybersecurity professionals, we are learning to think of the users themselves as the new perimeter.
We now have this new pivot in front of us and Zero Trust is the most promising strategy – many have already begun their journey down that path (while stumbling over their own complex infrastructures, networks, processes, legacy systems, and applications). The concept is more than a decade old, but for most cybersecurity professionals, the journey is just beginning. Unfortunately, Zero Trust is not a solution or a product category, but rather a strategy and a mindset, requiring us to either build or acquire and assemble the pieces that make sense for each business. Like any other architecture framework or design, Zero Trust is not an easy fix or a single step; it takes major changes to architecture, budget, time, and resources, and it requires that foundational security measures be in place, things like:
- Defining a comprehensive asset inventory, with critical applications, data and users defined, data classifications, etc.
- Identity & Access Management governance model, based on role-based identity access for users and groups. Zero Trust requires a central identity authority.
- Segmentation of critical users, data, and applications
- Secure Development Life Cycle (SDLC) for applications
- Security visibility through behavior analytics, monitoring, threat detection
- Human security – understanding critical users, applications, and access, with continuous monitoring, advanced AI and behaviors and measures to remediate (without human interaction)
I know, CISOs constantly hear that we need foundational security measures in place. In reality, these are simply the security controls defined by the various frameworks a company might use (NIST CSF, NIST SP 800-53, ISO 2700x, CIS Controls). The Zero Trust model is built on one premise – the ability to deliver access to data and applications to authenticated and authorized (trusted) users and devices, no matter where those users or devices are located, through accelerated trust decisions based on user behavior, actions, prior activity, etc. This model is supposed to help streamline security, compliance, and the other everyday challenges a CISO faces. If I were presented with this idea, I would think very hard about it. The needs of my users are extremely varied, as are their behaviors, from both a productivity and a security perspective – creative types with their own computers (BYOD), traveling employees, silos within the company circumventing security policy. Understanding the risk contribution from these users is incredibly important, and I would argue that unintentional insiders are a bigger worry than malicious ones.
If I sit down and think about some of the benefits from Zero Trust, with most of the necessary foundational measures in place, this is what I come up with:
- Enhanced visibility of the network and the ability for early identification and detection of attacks, certainly early breach detection, and possibly prevention.
- Prevent attackers (including insiders) from moving laterally through east-west network traffic, and stop or slow down the spread of malware, especially ransomware.
- Increase my security posture, and introduce elevated enhancements of sensitive data handling, including the ability to prevent unauthorized data exposures, disclosures, and exfiltration
- Seamless authentication through Single Sign-On (SSO), 2-Factor (2FA), Multi-Factor (MFA), and in some cases biometric; in order to reduce the many vulnerabilities and security headaches found in traditional access technology (e.g. VPN, which is often exploited)
- Hopefully improved employee experience all around, security is no longer the hurdle in the organization and productivity is the same or increased due to these new measures.
That last one is my biggest concern. Does the Zero Trust approach appropriately accommodate the huge disparity of behaviors and risk among my users? Do I need to start with the assumption of ZERO Trust for everyone and impose the rigors of that method universally, or are there ways to differentiate and apply a more nuanced approach that acknowledges these differences, ideally better supporting a highly productive workforce, but without sacrificing essential security measures?
Zero Trust security, when used for this seamless access solution, has a foundational context – always verify and authenticate everything and everyone – trust no one by default. However, there should be a way to profile users and meaningfully predict their risk so that I don’t have to start all the way at zero for each of them. Choosing solutions that bring you the technology, AI, and behavior analytics will be necessary so that only trusted “objects” (people, applications, etc.) gain access to your data and applications. What if there were a company already addressing workforce risk by analyzing all of the components that paint a complete picture of the user, things like:
- Historical and trending data showing user behavior through email and web gateway logs, endpoint logs, and knowing their access levels.
- The user’s attackability factor, the likelihood that a user will be targeted by an attack, which gives them more opportunities to mistakenly trigger ransomware or expose sensitive data.
- Built-in variables for access levels, or the need for additional security controls around users with higher-level access versus those without.
If users are truly the new perimeter, as the Zero Trust concept implies, the workforce and the risk presented by each user IS the most important factor. Organizations need to adjust their strategies to incorporate more proactive and predictive (forecasting) measures to address workforce risk, in order to help inform zero-trust validation and authentication decisions.
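To make the idea concrete, here is an added example (not code from the original post, nor any vendor’s product) of what a risk-informed access decision can look like when the three inputs above are combined: gateway and endpoint events, an attackability signal, and the user’s access level from IAM. NIST SP 800-207 calls this component the policy engine’s trust algorithm. The log format, the event weights, the recency factors, the access-level multipliers, the decision thresholds, and the sample users and events are all assumptions constructed for illustration.

```python
"""Risk-informed access decisions from constructed workforce-risk signals.

Added example, not code from the original post or from any vendor product.
Weights, thresholds and the log format are assumptions chosen for illustration.
"""
from datetime import datetime

# Constructed sample gateway/endpoint events (not real logs).
LOG_LINES = """\
2021-01-05T08:00:00 email_gw user=alice event=phish_click
2021-02-20T11:00:00 email_gw user=alice event=phish_received
2021-03-01T09:12:00 email_gw user=alice event=phish_click
2021-03-02T11:30:00 email_gw user=alice event=phish_received
2021-03-03T14:05:00 web_gw user=alice event=malware_block
2021-03-04T16:40:00 endpoint user=alice event=edr_alert
2021-03-02T10:00:00 email_gw user=bob event=phish_received
2021-03-02T10:03:00 email_gw user=bob event=phish_report
2021-03-05T09:00:00 endpoint user=carol event=dlp_block
"""

NOW = datetime(2021, 3, 10)  # fixed "current time" so results are reproducible

# Assumed role-based access levels from IAM; higher privilege raises the stakes.
ACCESS_LEVEL = {"alice": "standard", "bob": "admin", "carol": "standard"}
ACCESS_MULTIPLIER = {"standard": 1.0, "admin": 1.25}

# Assumed per-event contribution to the behaviour score; reporting a phish lowers it.
EVENT_WEIGHTS = {"phish_click": 25, "malware_block": 15, "edr_alert": 30,
                 "dlp_block": 20, "phish_report": -10}


def parse_events(text):
    """Parse '<iso-ts> <source> user=<u> event=<e>' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": fields["user"], "event": fields["event"]})
    return events


def recency_factor(ts, now=NOW):
    """Events in the last 30 days count fully, 30-90 days at half, older not at all."""
    age = (now - ts).days
    if age <= 30:
        return 1.0
    if age <= 90:
        return 0.5
    return 0.0


def behaviour_score(events, user, now=NOW):
    """Weighted, recency-decayed sum of risky actions, clamped to 0..100."""
    total = sum(EVENT_WEIGHTS.get(e["event"], 0) * recency_factor(e["ts"], now)
                for e in events if e["user"] == user)
    return max(0.0, min(100.0, total))


def attackability(events, user, now=NOW):
    """How often the user is targeted: 20 points per phishing mail received in 90 days."""
    hits = sum(1 for e in events
               if e["user"] == user and e["event"] == "phish_received"
               and (now - e["ts"]).days <= 90)
    return min(100.0, 20.0 * hits)


def user_risk(events, user, now=NOW):
    """Combine behaviour, attackability and access level into one 0..100 score."""
    base = 0.6 * behaviour_score(events, user, now) + 0.4 * attackability(events, user, now)
    level = ACCESS_LEVEL.get(user, "standard")
    return round(min(100.0, base * ACCESS_MULTIPLIER[level]), 2)


def access_decision(risk, sensitivity):
    """Map a risk score to a decision; sensitive resources use tighter thresholds."""
    allow_below, step_up_below = (20, 60) if sensitivity == "high" else (40, 80)
    if risk < allow_below:
        return "allow"
    if risk < step_up_below:
        return "step_up_mfa"
    return "deny_and_review"


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for u in sorted(ACCESS_LEVEL):
        r = user_risk(evs, u)
        print(f"{u:6} risk={r:5.1f} normal={access_decision(r, 'normal'):15} "
              f"high={access_decision(r, 'high')}")
```

With the constructed data, alice (two phishing clicks, a blocked download and an EDR alert) scores 65.5 and is stepped up to MFA for ordinary resources and blocked pending review for sensitive ones, while bob, an admin who received a phish and reported it, scores 10.0 and is allowed straight through. That is the point of the post in code: the same Zero Trust policy engine does not have to start every user at zero, but it does need a defensible, explainable score to justify the shortcut, and the weights and thresholds here would need tuning against your own incident history before use.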
Check out Elevate Security to understand how we are addressing workforce risk, through helping companies directly, and partnering with Identity Access/Zero Trust Security firms, in making your access challenges much smarter and easier.