Trust Issues: Adopting a Zero Trust Framework
Adopting a zero-trust infrastructure has become a priority for many cybersecurity leaders as their businesses rapidly expand their data use
Rapid digitalization, the widespread move to a ‘work from home’ environment and the continued deployment of cloud computing has expanded networks and highlighted the importance of robust internal security postures.
The zero-trust architecture model was first created in 2010. But it has moved into the mainstream recently, partly due to rapid increases in the amount of vital business data held in enterprise systems and the increased sophistication of cyber attackers.
As a concept, zero trust pushes back against the idea that anything inside of the corporate firewall is safe. Instead, it treats every request as if it came from an open network.
“We should not be letting anonymous people or systems in [to our networks], information should not be left in a native machine[1]readable format and networks should not be traversable by unvalidated entities,” states Steve Jump, Director and CEO at cybersecurity consultancy Custodiet Advisory Services. “None of this is new. Zero trust just puts a spotlight on those principles.”
However, zero-trust architecture is not a cybersecurity panacea. Its key technologies – including but not limited to multifactor authentication, identity and access management and next-generation endpoint security – require continuous monitoring and validation to be effective.
Laying the Foundations for Zero Trust
While there are many commercially available zero trust solutions on the market, it is possible for cybersecurity executives to implement aspects of zero trust using their existing technology stack.
“A fundamental tenant of zero trust is network micro-segmentation,” explains Voya Financial SVP Global Chief Information Security Officer Raj Badhwar. “That you could do, depending on how complex your network is, without a specific tool.”
To achieve this, a cybersecurity leader might break up their company’s network into multiple segments. Then, if a user in a given segment is breached, the attacker can’t move laterally across the network.
From there, a company can control access to network segments using personas. Each employee persona is granted the minimum network privilege required for them to do their job.
“If [you have] a contractor, then maybe they should only get access to outlook exchange, the timesheets system and two other systems that they’re working on,” Badhwar says. “That’s it.”
Of course, cybersecurity experts should be cautious. Implementing zero-trust architectures is complex, time consuming and requires that detailed logs and entries in configuration management databases are kept up to date. “[Zero trust] will increase the complexity of implementation and maintenance,” warns Badhwar. “Debugging becomes difficult because of segmentation, and end-to-end encryption means that all traffic is also encrypted, so that creates support problems.”
Zero Trust or Minimum Trust?
While few cybersecurity executives would argue about the importance of the principle of least privilege or the need to regularly refresh their registries of active users, zero trust can prompt a mixed response.
For some, this is a reaction to the overuse of the term in aggressive marketing campaigns. Others feel that the nomenclature of zero trust is too absolute, despite its sound principles.
“If you have zero trust, no business gets done.” says Bank of America Merrill Lynch SVP Business Information Security Officer David Monahan. “So, it’s really about minimum trust.”
“But with that in mind, it comes back to principles,” he concludes. “What level of access do you need to do your business? We should make sure you have that access and no more. Security is here to facilitate business in a secure manner, not to stop business from happening.”
To determine what ‘minimum trust’ might mean in practice, CISOs may choose to conduct a thorough audit of roles and responsibilities in their organizations to determine appropriate levels of network access.
A report from consulting firm Deloitte recommends internal auditing to identify vulnerabilities and bolster the third line of defense against cyber-attacks.
As companies continue to digitize and apply more cloud-based applications and services we are likely to see a greater emphasis on the principles that underpin zero trust. However, leading CISOs also know that a focus on zero trust should not undermine cybersecurity’s role as a business enabler.
This is an extract from the exclusive report The 2021 Information Security Agenda. The report highlights how COVID-19 has rapidly shifted priorities for Chief Information Security Officers (CISOs), requiring them to implement new strategies, technologies and educational programs in a time of heightened risk. Click here to get your copy.
