I’ve spent the last few months chatting with all manner of information security professionals in developing my next agenda. Over the next few weeks, I’ll be digging a little into some of the topics and themes brought up during this research period, and sharing some uninitiated yet sanguine opinions.
We read daily about massive data breaches, each one worse than the last. Increasing in scale and notoriety amongst the public, they have the potential to cause irreparable damage, and not just to the company’s reputation. As CISOs and their trusted associates grind out a new security strategy, a Zero Trust approach might suit them to a T… or not.
Let us investigate the options, loosely:
Zero Trust: A Definition…
The term Zero Trust was first coined back in 2010 and has since garnered popularity in certain sectors (depending on who you get your consulting from).
Zero Trust, much like The X-Files, says trust no one. Any user, any device, at any time, needs to have its credentials verified, whether it accesses resources from outside or within the network, regardless of where the firewall sits.
By its definition, all IT will be tightly controlled, segmented into highly restricted zones, with every bit of data exchanged monitored. How Zero Trust is architected needs to be approached with care. In an era of cloud, DevOps and IoT deployment, the processes and technology being implemented significantly blur the lines between traditional departments, teams and responsibilities.
Why follow a Zero Trust Framework?
For far too long, the focus of information security has primarily been at the perimeter, building stoic, seemingly impenetrable firewalls that prove about as effective as The Wall against Wildlings, only to crumble at the sight of White Walkers. The Zero Trust model works far beyond this, segmenting each component of the network like a bouncer-lined red carpet.
I believe these to be the basic tenets of Zero Trust:
- Eliminate all trust. No user, application or device should be trusted, ever!
- Remove any and all standing privileges. Users should only receive the minimum amount of access necessary.
- Keep policies updated, even automated, and readily available for testing and review.
- Segment, then segment again! The smaller the perimeters, the better. Like a web, if you will.
- Don’t always authenticate users the same way. All users are required to use multi-factor authentication; you already do it with your banking app (sometimes), don’t you?
- And it’s not just people. Validate every new device, and constantly monitor all devices.
- Monitor and analyse everything in real time. Every scrap of information needs to be collected, managed and evaluated in nanoseconds.
- Educate, educate, educate! People need to know why the policies are in place.
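To show how these tenets combine at a single decision point, here is an added illustration (not code from the original post): a small policy check that evaluates every request on its own merits. Network location is deliberately not an input; the device inventory, the grant table and the requests are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    mfa_verified: bool
    segment: str   # micro-segment the resource lives in
    action: str    # e.g. "read" or "write"
    resource: str


# Constructed sample grants: (user, segment, action) -> resources.
# Nothing outside this table is permitted (least privilege).
GRANTS = {
    ("alice", "finance", "read"): {"ledger.csv"},
    ("bob", "engineering", "write"): {"build.yaml"},
}

# Constructed device inventory: only validated devices, bound to a user, may connect.
VALIDATED_DEVICES = {"laptop-0042": "alice", "laptop-0077": "bob"}

# Every decision, allowed or denied, is recorded for monitoring and review.
AUDIT_LOG = []


def decide(req: Request) -> bool:
    """Evaluate one request against the tenets; returns True only if every check passes."""
    reason = None
    if req.device_id not in VALIDATED_DEVICES:
        reason = "unknown device"                     # validate every device
    elif VALIDATED_DEVICES[req.device_id] != req.user:
        reason = "device not bound to user"           # no borrowed trust
    elif not req.mfa_verified:
        reason = "mfa required"                       # verify every user, every time
    elif req.resource not in GRANTS.get((req.user, req.segment, req.action), set()):
        reason = "no grant for segment/action/resource"  # segmentation + least privilege
    allowed = reason is None
    AUDIT_LOG.append({
        "user": req.user, "device": req.device_id, "segment": req.segment,
        "action": req.action, "resource": req.resource,
        "allowed": allowed, "reason": reason or "policy match",
    })
    return allowed
```

Because the check runs per request rather than per session, a user who passes once still gets re-evaluated on the next call, which is the behaviour the tenets above describe.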
As the name implies, there really is no sugar-coating access parameters. Zero Trust provides a very efficient and controlled environment that can respond rapidly to any breaches.
But Zero Trust can also be… complicated…
As much as Zero Trust can be seen as a cure-all for all marauding enemies inside and outside our environment, it can become very tricky to manage.
As mentioned before, we live in an interconnected age of millions of devices and applications that constantly talk to one another. We live in an age of remote yet increasingly collaborative work, a time where perimeters have melded into something very far from linear.
Delegating tasks or access across these micro-segmented zones can be tricky – does every manager take on the role of admin or can a competency test be done in that instant: “yes, that file transfer software is legit.” Does this add time, or make things simpler for the user? How is it monitored and evaluated constantly? If automated, how are these parameters defined in order to sustain the cultural shift to a more incorporated, yet highly individualised, working environment?
What do you think?
I’ve spoken to a number of people about this very topic, but would like to get your take. Is Zero Trust yet another trendy catchphrase that amounts to little more than a philosophy with divergent views? Or can it be practically incorporated in small clusters? The big question really is: can it be done effectively at scale?
Personally, and very much from an outsider’s perspective, I tend to follow the law of Fox Mulder in that you should trust no one. It’s far too easy to fall victim to deception, human or not, and its ramifications are often quite dire. Then again, I glanced through Machiavelli’s The Prince a few times in post-grad and always preferred to be loved by my subjects, so I would rather sit on the fence with this one and get your opinion. Yes, there are comments below.
Remember to join us at CISO Africa 2020 for the pre-conference Identity & Access Management Focus Day, a real must-attend for any information security professional contemplating zero trust, access and authentication trends.
Ryan J. Matthews