Understanding how to best to secure enterprises against the radical changes of 2020 has become a priority for most organizations. COVID-19 accelerated business change and created a largely remote workforce, which has in turn created a plethora of new cybersecurity challenges. Scaling existing risk mitigation strategies has been a key focus for businesses as they’ve struggled to protect employees against a threat landscape that is determined to exploit the changing work environment.
Rapid acceleration is rarely good news when security is in the mix. As threat actors waste no time in capitalizing on the strange times we’re living in, perhaps it’s time to start looking again at old remedies to help solve some of these new problems? One such old remedy is zero trust – a concept of “least privilege” that has been around since the 1970s. But while zero trust’s “never trust, always verify” mantra may not hold all the answers to the challenges security teams face today, it can prove to be a useful mindset when re-assessing security needs given the challenging circumstances we find ourselves in.
Principles vs. Practicalities
To begin on this journey, organizations need to first accept the differences between the principles of zero trust and its practicalities in the real world. The three core principles of zero trust state that: all resources are accessed in a secure manner, no matter their location; that this access is on a need-to-know basis and is strictly enforced through the practice of least privilege; and finally, that there is visibility into all traffic by way of logging and inspection.
It's easy to say that these are principles every security leader should already have, that every business already employs. Here's the thing: taken literally, the truth is that zero trust isn't achievable in practice. In many scenarios, abolishing privilege entirely and verifying everything would simply take forever!
Take for example hardware devices and their complex component and software supply chains – it is all but impossible to gain the level of visibility required to verify each and every element. Likewise, always verifying is just as unrealistic given the myriad software applications installed and billions of Internet of Things (IoT) devices out there in the complex IT infrastructures of today.
But rather than writing off zero trust entirely or chasing the impossible dream of universal zero trust, allow the principles to guide you towards reducing your organization’s overall trust surface.
Knowing Your Business
Success lies in making the principles of zero trust work for each organization’s individual needs. This means getting into a frame of mind where business requirements are properly understood by the security team, and where it's appreciated that there must be a balance between risk reduction and business harm.
Each company is different. For example, introducing client-side TLS is good basic security hygiene to achieve mutual authentication, but won’t work for every organization. This practice would cause major issues for an e-commerce vendor, as while pairing client-side authentication with server-side verification reduces the trust surface, it also introduces unnecessary friction between the products and the customer.
Being able to truly understand an organization’s unique aims, security requirements and limitations can help identify areas where the trust surface can be reduced. Using the previous example of e-commerce vendors, this could mean only asking for authentication for a transaction, rather than simply browsing. While the organization can’t afford to “always verify,” it is able to identify areas where it’s possible for zero trust concepts to be applied.
Seven Tenets to Guide You
While this is just one example of applying zero trust in practice, The National Institute of Standards and Technology helpfully published a document last year containing seven basic tenets of zero trust. These can be thought of as a more detailed guide that can help frame your zero trust thinking. For example, tenet one states that “all data sources and computing services are considered resources” – do you have a clear understanding of the different assets in your organization and a means to catalogue of what they are doing in your environment? While the third tenet says “access to individual enterprise resources is granted on a per-session basis” – do you have controls in place to grant secure access only to those who really need it?
It’s well worth taking a look at these tenets, which can be found in NIST special publication 800-207, before embarking on your zero trust journey.
A New Mindset
Accepting that you will never actually get to ‘zero’ should now be a given, but that doesn’t have to undermine the entire concept of zero trust. Zero trust is not, and never will be, an off-the-shelf security solution: it's a state of mind. An architectural, process, policy and cultural state of mind that your organization should introduce and help evolve. And applying this new mindset to bring about a substantial reduction in the trust surface is not time wasted. It’s an investment in better security and more practical risk management, and that can make genuine strides in transforming the security culture of your business.