Zero trust is a widely misunderstood term in cybersecurity, according to Neil MacDonald, VP and distinguished analyst at Gartner. Speaking during the Gartner Security and Risk Virtual Summit, MacDonald noted that extending trust is in fact necessary for organizations to work efficiently; the question is how that trust is established.
The main issue is too much "implicit trust" in existing security practices, which grant access based on physical location and on who owns and controls a device. This does not work well in a modern digital business, where users work from multiple devices across multiple locations. Instead, "our goal is to replace that implicit trust with continuously assessed explicit trust levels based on risk," explained MacDonald.
Ultimately, zero trust means moving away from a traditional perimeter-based model, in which physical location defines trust, to a model in which explicit trust is decided per access request from several factors, including identity, location, user behavior and the sensitivity of the data being handled.
For organizations to apply such an approach successfully, the first focus should be on zero trust networking, according to MacDonald. The TCP/IP network was built at a time when trust could be assumed, but things have changed significantly. "IP addresses are weak identifiers at best and they can easily be spoofed," he noted. This means the user and device must be authenticated before a connection is granted, rather than being allowed to connect first and authenticate afterwards.
Legacy VPNs, which grant remote users access to the internal network once they are connected, are therefore not fit for purpose and must be phased out. MacDonald commented: "We want to adopt a way of thinking which says the network location doesn't matter, the network's always untrusted; always assume it's compromised, everything needs to be encrypted."
Then, from the moment access is allowed, the user's behavior must be continuously monitored so that the trust decision can be revisited while the session is open.
The next aspect is to apply these zero trust principles within organizations’ internal data centers. “The problem is most data center networks are flat – when the bad guy gets in they move unimpeded laterally,” explained MacDonald. “What we need are data centers that are built for a breach.”
In this approach, much as a submarine's watertight compartments contain a leak to one section of the hull, a breach should be contained in one area, a method known as identity-based segmentation. This can include removing end-users from the data center network altogether, or ring-fencing critical applications such as SAP.
He went on to outline other areas in which the zero trust principle can be applied so that organizations can more effectively protect themselves from cyber-criminals. These include removing admin rights from end-user systems, implementing default deny on critical servers, encrypting all data by default and implementing multi-factor authentication (MFA) for all administrators.
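To make the principles above concrete, the following is an added example, not code from the article or from Gartner, of a small risk-based access decision that replaces implicit trust with an explicit, continuously re-evaluated trust level. The factors (MFA, managed and compliant device, known location, a behavioral anomaly score, data sensitivity), the scoring weights, the per-sensitivity thresholds and the step-up margin are all constructed for illustration; they are not a Gartner model or a product's policy. Note that the source IP is carried in the request but deliberately never consulted, and that any data classification the policy does not know is denied.

```python
"""Risk-based, continuously evaluated access decision (illustrative example).

Constructed for this article: every weight and threshold below is an
assumption chosen to demonstrate the idea, not a recommended value.
"""
from dataclasses import dataclass, replace
from typing import List


@dataclass
class Request:
    user: str
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool
    source_ip: str            # carried for logging only; never used as an identifier
    location_known: bool
    anomaly_score: float      # 0.0 (normal behavior) .. 1.0 (highly anomalous)
    data_sensitivity: str     # "public" | "internal" | "confidential"


# Minimum trust score required per data classification (assumed values).
SENSITIVITY_THRESHOLD = {"public": 30, "internal": 60, "confidential": 80}
# How far below the threshold a request may be before MFA step-up is offered
# instead of an outright deny (assumed value).
STEP_UP_MARGIN = 15


def trust_score(r: Request) -> int:
    """Explicit trust level 0..100 built from identity, device, location and
    behavior signals. Network location (source_ip) contributes nothing."""
    score = 0
    if r.mfa_passed:
        score += 40
    if r.device_managed:
        score += 20
    if r.device_compliant:
        score += 20
    if r.location_known:
        score += 10
    # Anomalous behavior erodes trust even when the static signals look good.
    score -= int(r.anomaly_score * 50)
    return max(0, min(100, score))


def decide(r: Request) -> str:
    """Return "allow", "step_up" (ask for MFA) or "deny". Default is deny."""
    required = SENSITIVITY_THRESHOLD.get(r.data_sensitivity)
    if required is None:
        return "deny"              # unknown classification: default deny
    score = trust_score(r)
    if score >= required:
        return "allow"
    if not r.mfa_passed and score >= required - STEP_UP_MARGIN:
        return "step_up"           # close enough that MFA could lift it
    return "deny"


def evaluate_session(initial: Request, observations: List[float]) -> List[str]:
    """Re-run the decision after each behavioral observation made during the
    session; the first deny terminates the session (decisions stop there)."""
    decisions = []
    for anomaly in observations:
        current = replace(initial, anomaly_score=anomaly)
        verdict = decide(current)
        decisions.append(verdict)
        if verdict == "deny":
            break
    return decisions


# Constructed sample requests.
EMPLOYEE = Request("alice", mfa_passed=True, device_managed=True,
                   device_compliant=True, source_ip="10.0.0.5",
                   location_known=True, anomaly_score=0.0,
                   data_sensitivity="confidential")
CONTRACTOR = Request("bob", mfa_passed=True, device_managed=False,
                     device_compliant=False, source_ip="10.0.0.6",
                     location_known=False, anomaly_score=0.0,
                     data_sensitivity="confidential")

if __name__ == "__main__":
    print("employee:", decide(EMPLOYEE))
    print("contractor on unmanaged device (same network):", decide(CONTRACTOR))
    print("employee session under rising anomaly:",
          evaluate_session(EMPLOYEE, [0.0, 0.1, 0.5]))
```

The contractor is on the same internal subnet as the employee and has passed MFA, yet is denied confidential data because an unmanaged, non-compliant device leaves the explicit trust level too low; the employee is allowed, but the session is cut as soon as the behavioral anomaly score pushes the score under the threshold. A real deployment would feed these signals from an identity provider, device management and UEBA tooling rather than from hard-coded fields.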
MacDonald stated that the ongoing shift to the cloud can serve as the catalyst for introducing these types of initiatives over time. He added: "You can't flip a light switch and go to zero trust, but we can pragmatically take these steps."