SoS Musings #48 - Ready to Embrace Zero Trust Security?
SoS Musings #48 -
Ready to Embrace Zero Trust Security?
Zero Trust has become more important than ever as digital transformation efforts accelerate, the attack surface expands, and conventional perimeter-based security approaches continue to fail. Zero Trust is an Information Technology security model that is based on the principle in which strict access controls are maintained, and nobody is trusted by default, including those already within the network perimeter. Traditional security architectures focus on protecting an organization's perimeter, while the Zero Trust approach acknowledges that threats exist both inside and outside network boundaries. Zero Trust architectures have also become more critical in increasingly remote environments made necessary by the COVID-19 pandemic. A survey conducted by Enterprise Management Associates and Pulse Secure found that 60 percent of organizations accelerated their Zero Trust projects during the pandemic. John Kindervag created the Zero Trust Network, or Zero Trust Architecture, model during his tenure as vice president and principal analyst at Forrester Research in 2010. Organizations are encouraged to adopt the Zero Trust approach to mitigate the risk of cyberattacks in the modernized environments in which they operate. However, the complexity and implementation of this security model require strategic planning and time to reap the full benefits of the model.
There is no one specific technology or device that can help an organization achieve Zero Trust. Implementing effective Zero Trust in an organization calls for the utilization of a mix of different technologies and strategies such as micro-segmentation, Multi-Factor Authentication (MFA), Identity and Access Management (IAM), and Privileged Access Management (PAM). The practice of micro-segmentation refers to the splitting of security perimeters into small zones to maintain separate access for different parts of the network. In this practice, tightly-focused security policies strengthen the Zero Trust approach by moving an organization's security to grant users access only to the applications and data they need based on their role and identity instead of just identifying IP addresses. Micro-segmentation puts the focus of security on the individual user. For example, a person with access to one secure zone will not be able to access another zone without being granted separate authorization to access that zone. MFA, also referred to as two-factor authentication (2FA), is recommended for Zero Trust environments as it adds an extra layer of security by requiring two or more factors to achieve authentication. These factors include something you know (e.g., password or personal identification number (PIN)), something you have (e.g., token), or something you are (e.g., biometric like a fingerprint). IAM is a business discipline that involves the use of products, processes, and policies to manage user identities and access in an organization. IAM systems perform identification, authentication, and authorization to ensure that only the right individuals can perform specific activities and have access to the right resources, including computers, hardware, software apps, and other enterprise resources. PAM refers to a set of solutions aimed at securing, controlling, managing, and monitoring the accounts of users who have privileged access to critical assets. IAM differs from PAM in that it focuses on authenticating and authorizing users of all types in an organization, while PAM specifically focuses on privileged users, administrators, and others with elevated privileges. Governance policy such as the Principle of Least Privilege (PoLP) is another component emphasized in Zero Trust that refers to giving users minimum levels of access or permissions needed to perform their job functions. In addition to human access, PoLP can be applied to applications, systems, or connected devices that require privileges or permissions to carry out required tasks. Organizations are encouraged to further explore the different technologies and principles that can help accomplish Zero Trust within an enterprise.
There are challenges associated with the Zero Trust model that organizations must consider when trying to implement it. Though the security model offers organizations significant advantages, it is not perfect. For organizations to make Zero Trust cybersecurity as effective as possible, they need to understand the model's built-in risk factors. Moving from one cybersecurity strategy to another is not quick or easy, especially for large organizations or businesses in which legacy security systems are still in use. Dennis Turpitka, CEO of the software development company Apriorit, wrote an article highlighting the top three challenges of the Zero Trust strategy, which include the creation of gaps when taking a piecemeal approach to implementing the model, the need for commitment to ongoing administration to maintain Zero Trust cybersecurity, and the potential impact of this security strategy on productivity. The customization of strategies using a piecemeal approach could lead to the creation of gaps that can decrease the strength of Zero Trust implementation. Unexpected security failures may also occur as a result of undoing a legacy solution. The need for ongoing administration when transitioning to and maintaining Zero Trust cybersecurity is another obstacle that organizations often overlook. Zero Trust models operate based on a broad network of strictly defined permissions, but it is important to remember that organizations are constantly changing in regard to employees' roles and locations. The practice of Zero Trust requires access controls to be updated each time an employee is given a new role or changes location to ensure that only the right people can access specific information, applications, hardware, and other resources. Therefore, ongoing support must be in place to ensure that permissions remain accurate and up-to-date. If controls are not updated immediately when an employee moves into a new role or changes location, the Zero Trust model is weakened as there is a window of time for the employee to be able to access information or resources not permissible to them. Introducing a Zero Trust cybersecurity approach could also impact employee productivity. Another core challenge of this model is to restrict access to sensitive data without impeding workflows. If employees change positions and are unable to access the files and applications they need to perform work activities, their productivity can fall, potentially making productivity loss a bigger issue than cybersecurity. Other challenges associated with the Zero Trust strategy highlighted by Malwarebytes Labs include the increase in remote users, growth of Bring-Your-Own-Device (BYOD) policies, use of Internet of Things (IoT) devices, number of different applications used across an organization, and the increased storage of data in cloud-based environments. Organizations must learn to overcome these challenges to see the benefits of the Zero Trust approach.
Guidance on the implementation of the Zero Trust model is available for organizations. The National Security Agency (NSA) issued cybersecurity guidance covering the Zero Trust security model in February 2021. The guidance, titled "Embracing a Zero Trust Security Model," provides insight into how the deployment of Zero Trust security principles can help cybersecurity professionals improve the security of enterprise networks and sensitive data. To provide further understanding of Zero Trust, NSA's guidance goes over its definition, benefits, examples, and potential challenges, along with recommendations for implementing the model within networks. NSA's guidance includes examples of how the implementation of Zero Trust principles could have thwarted some of the methods used in the SolarWinds hacking campaign that compromised at least nine federal agencies and 100 companies. The agency has emphasized that the attackers' focus on circumventing detection in this incident indicates that the use of evasion tactics will continue to grow in the future, making Zero Trust increasingly important. When using a Zero Trust approach, devices themselves would be validated in addition to passwords, so if an attacker enters a stolen password, but the device is unknown, the device will fail authentication and authorization checks. This process would result in an attacker being denied access and the logging of their malicious activity. NSA also urges organizations to use strong MFA when implementing Zero Trust. The agency calls for the adoption of a Zero Trust security model for all critical networks within National Security Systems, the Department of Defense's critical networks, and Defense Industrial Base critical networks and systems. The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-207, "Zero Trust Architecture," that delves into the core logical components that make up this specific architecture. In addition to the logical components of Zero Trust architecture, this document discusses deployment scenarios, use cases, and necessary steps for migrating to a Zero Trust Architecture. Organizations are encouraged to review such guidance to implement the Zero Trust model into their networks as effectively as possible.
As the frequency and sophistication of cyber threats facing distributed and complex networks continue to grow, organizations should consider embracing the Zero Trust security model. The successful adoption of this model will position cybersecurity professionals to better defend sensitive data, systems, and services against cyber threats.