
Zero trust: Taking back control of IT security

Trust on the network is a crucial factor in security risk, and zero trust changes the traditional model of ‘trust but verify’


In recent years, the elimination – or at least reduction – of trust on the network has been critical for businesses to defend against the multiplying security threats that have emerged in modern computing.

As Fieldfisher LLP partner James Walsh and technology lawyer Rob Grannells note, mobile computing, remote working and the prevalence of software as a service (SaaS) have meant that traditional perimeter-based security is easily penetrated. The pair believe trust should itself be treated as a security risk, and that additional authentication strategies need to be implemented to ensure each source of data or device has an appropriate level of security.

Zero trust was a term coined by analyst firm Forrester in 2010 to describe the need to cope with ever more complex IT security requirements that put increasing strain on perimeter-based security measures. Forrester is now seeing growing interest in zero trust. Its recent report, How to implement zero trust security in Europe, by analysts Paul McKay, Chase Cunningham and Enza Lannopollo, reported that 54% of European enterprise infrastructure decision-makers are actively using public cloud – an increase of 19% since 2016.

Who do you trust?

For Walsh and Grannells, zero-trust default security means that nothing is trusted outside or inside an organisation’s network, so controls must be put in place to reduce risk to an acceptable level. In other words, defence in depth.

They say: “Zero trust changes the traditional model of ‘trust, but verify’ – where you assume that any device or asset attached to your internal network is likely to be permitted and safe to access internal-only resources, but still verify that this is the case. Instead, that becomes ‘never trust, always verify’ – where every device must pass authentication and security policy checks to access any corporate resources, and to control access only to the extent required.”

Trust involves an interplay between people and technology. According to Walsh and Grannells, the starting point for these trust factors is a well-thought-out and up-to-date set of policies, standards, procedures and work practices, supplemented by detailed, up-to-date network documentation and asset inventories covering information, software licences and hardware.

The pair believe zero trust enables IT security to regain control. “The shift to zero trust is where information security is taking back control of the many new perimeters of the corporate ecosystem,” they say. “It shifts security from the address and location layer to a data-centric model. Zero-trust network segmentation also provides visibility into traffic, and allows you to understand the ‘who, what, when, where, why and how’, which are important for managing access, security, monitoring and compliance.”


According to Forrester report authors McKay, Cunningham and Lannopollo, non-security executives think zero trust is just a network security architecture. Forrester’s research found that network security decision-makers have driven zero trust adoption in Europe so far, with little discussion above chief information security officer (CISO) level. The analysts note: “This could be a result of the high proportion – 42% – of senior-most enterprise security decision-makers reporting into the CIO in Europe.” But they warn that if CISOs do not elevate zero trust, their implementation efforts will not achieve their business and security goals.

Looking at the technical implementation of a zero-trust security stance, in January this year, the Zero trust progress report for Pulse Secure found that most investments in zero-trust access technologies are directed towards multifactor authentication (59%), identity management and governance (48%), and single sign-on (44%). This is followed by network access control and web application firewall (43%), privileged access management and micro-segmentation (41%), and virtual private networks (VPNs) (35%).

BCS volunteer Petra Wenham urges CISOs to start with traffic entering a network from an external source (such as the internet or a partner network). She says this would typically be controlled first at the perimeter by a combination of firewalls architected with demilitarised zones (DMZs) that host proxies, reverse proxies and terminating equipment: the devices that terminate email, VPN and client access from external networks, and that handle web browsing of the internet from the internal network.

These proxy and terminating devices would typically run anti-virus, malware and spam prevention technologies and, where needed, provide access authentication and authorisation (AAA) services (proxied from an internal AAA system). Application-level firewalling (such as HTML or SQL) might also feature in the services offered on the DMZ.

According to Wenham, a new generation of security devices is now coming to market that integrates some or all of these features and so can, in turn, offer network managers a unified view of their operation. “The design of the internal network can then add further controls, such as network segregation and additional anti-virus and malware detection technologies, together with AAA controls over system and file access,” she says.

For instance, in network segregation, Wenham says the recommended practice is to give key servers and services (such as network-attached storage and storage area networks), the company Wi-Fi and the guest Wi-Fi their own networks; larger organisations can also give thought to putting some departments (such as human resources, finance and R&D) on their own networks.

“All these networks would then be connected together via firewall technology, which could be discrete firewalls, or utilise the firewall capabilities found in enterprise-level Ethernet switches, or be connected to an enterprise-level, multi-ported firewall, or a mix of all three approaches,” she says.
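The segmentation Wenham describes only works if the firewall between segments denies everything it has not been told to allow. The following is an added illustration, not code from the article or from any of the people quoted in it: it models a small set of segments of the kind she lists (servers, company Wi-Fi, guest Wi-Fi, HR, finance), an explicit allow list for the few flows that must cross between them, and an audit that compares constructed firewall log lines against that intended policy so that a mis-configured rule shows up as a mismatch. The address ranges, allowed flows and log lines are all assumptions made up for the example.

```python
import ipaddress
import re

# Segment layout constructed for this example (not from the article): each
# segment is its own network, joined to the others only through the firewall.
SEGMENTS = {
    "servers":    ipaddress.ip_network("10.10.0.0/24"),
    "corp_wifi":  ipaddress.ip_network("10.20.0.0/22"),
    "guest_wifi": ipaddress.ip_network("10.30.0.0/22"),
    "hr":         ipaddress.ip_network("10.40.0.0/24"),
    "finance":    ipaddress.ip_network("10.41.0.0/24"),
}

# Explicit allow list for traffic crossing the inter-segment firewall:
# (source segment, destination segment, destination port). Anything not
# listed is denied, so guest Wi-Fi reaches nothing internal and HR and
# finance only reach the file service they actually need.
ALLOWED_FLOWS = {
    ("corp_wifi", "servers", 443),
    ("hr", "servers", 445),
    ("finance", "servers", 445),
}


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if it is not documented."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src: str, dst: str, dport: int) -> str:
    """What the inter-segment firewall should do with a flow under the intended policy."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None or dst_seg is None:
        return "deny"  # address outside any documented segment: never trust it
    if src_seg == dst_seg:
        return "intra-segment"  # stays on one network; not a firewall decision
    return "allow" if (src_seg, dst_seg, dport) in ALLOWED_FLOWS else "deny"


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)")


def audit_log(lines):
    """Compare logged firewall actions against the intended segmentation policy.

    Returns one finding per mismatching line: (src, dst, dport, logged, expected).
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, logged = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        expected = evaluate_flow(src, dst, dport)
        if expected != "intra-segment" and logged != expected:
            findings.append((src, dst, dport, logged, expected))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "src=10.20.1.15 dst=10.10.0.5 dport=443 action=allow",  # corp Wi-Fi to web service: fine
    "src=10.30.2.7 dst=10.10.0.5 dport=445 action=allow",   # guest Wi-Fi to file server: should be denied
    "src=10.40.0.9 dst=10.41.0.3 dport=445 action=deny",    # HR to finance: correctly denied
    "src=10.40.0.9 dst=10.40.0.20 dport=22 action=allow",   # within HR: not a firewall decision
    "src=192.0.2.44 dst=10.10.0.5 dport=443 action=allow",  # undocumented source: should be denied
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print("policy mismatch: %s -> %s:%d logged=%s expected=%s" % finding)
```

Run against the sample, the audit reports two mismatches: the guest Wi-Fi client reaching the file server and the flow from an address that belongs to no documented segment. Both are the kind of gap that asset inventories and network documentation, which Walsh and Grannells call the starting point for trust decisions, are meant to expose.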

Elements of a zero-trust architecture

Zero trust typically combines these control elements to manage the device, user and trust level for anyone wanting access to corporate resources:

• Unified endpoint management: The ability to enforce and monitor the compliance of all endpoint devices, whether corporate owned, BYOD (bring your own device) or contractor provided. This means you know your device estate and specific security threats, such as a device operating system going out of date.

• Single sign-on: One sign-on point, passing fully validated credentials from system to system. A single version of the user ID truth and a single point of entry that validates a user’s credentials, and logs access in and out of corporate systems, is important for an easy user experience in a zero-trust environment.

• Multifactor authentication: A trusted device, a hardware security key, a biometric measure, behavioural analysis, location data, time-based restrictions, and so on, can all be combined to make a “profile” of multiple factors to establish a user’s credentials. When every user must be validated, relying on a single factor is no longer an option.

Source: James Walsh and Rob Grannells, Fieldfisher LLP
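The three elements above come together at the point where a request for a corporate resource is decided. The following added example, which is not code from the article or from Fieldfisher, shows one way such a policy decision can be structured in Python: the endpoint-management gate rejects unmanaged, non-compliant or out-of-date devices; the identity gate counts the factors presented through single sign-on against what the resource requires; entitlement is then checked per role, and only the action requested is granted. Every decision also produces an audit record covering who, what, when, where and how. The minimum OS versions, resource policies, roles, users and devices are all hypothetical values constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum supported OS versions, constructed for this example; a device below
# these is treated as out of date and therefore non-compliant.
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0), "macos": (13, 0)}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in unified endpoint management
    os: str
    os_version: tuple
    uem_compliant: bool    # UEM's own compliance verdict (encryption, screen lock, ...)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: Device
    factors: frozenset     # authentication factors presented via single sign-on
    resource: str
    action: str
    source_ip: str


# Per-resource policy (hypothetical): how many factors are required and which
# actions each role may perform. Roles not listed for a resource get nothing.
RESOURCE_POLICY = {
    "hr-records": {"min_factors": 2, "actions": {"hr": {"read", "write"}, "manager": {"read"}}},
    "wiki":       {"min_factors": 1, "actions": {"staff": {"read", "write"}}},
}
USER_ROLES = {"alice": {"hr", "staff"}, "bob": {"staff"}}


def device_failures(device: Device) -> list:
    """Reasons the device would fail the endpoint-compliance gate (empty if it passes)."""
    reasons = []
    if not device.managed:
        reasons.append("device not enrolled in UEM")
    if not device.uem_compliant:
        reasons.append("device reported non-compliant by UEM")
    minimum = MIN_OS_VERSION.get(device.os)
    if minimum is None or device.os_version < minimum:
        reasons.append("operating system unsupported or out of date")
    return reasons


def decide(req: AccessRequest, now=None) -> dict:
    """Never trust, always verify: each request re-checks device posture, identity
    factors and entitlement, and allows only the specific action requested."""
    now = now or datetime.now(timezone.utc)
    policy = RESOURCE_POLICY.get(req.resource)
    reasons = []
    if policy is None:
        reasons.append("unknown resource")
    reasons += device_failures(req.device)
    if policy and len(req.factors) < policy["min_factors"]:
        reasons.append("insufficient authentication factors (%d of %d)"
                       % (len(req.factors), policy["min_factors"]))
    permitted = set()
    if policy:
        for role in USER_ROLES.get(req.user, set()):
            permitted |= policy["actions"].get(role, set())
    if policy and req.action not in permitted:
        reasons.append("action %r not permitted for the user's roles" % req.action)
    decision = "allow" if not reasons else "deny"
    # Audit record: who, what, when, where and how, for monitoring and compliance.
    return {
        "decision": decision,
        "who": req.user,
        "what": (req.resource, req.action),
        "when": now.isoformat(),
        "where": req.source_ip,
        "how": {"device": req.device.device_id, "factors": sorted(req.factors)},
        "reasons": reasons,
    }


# Constructed sample devices and requests (not real data).
GOOD_PHONE = Device("phone-01", managed=True, os="ios", os_version=(17, 2), uem_compliant=True)
OLD_LAPTOP = Device("laptop-07", managed=True, os="macos", os_version=(12, 6), uem_compliant=True)


def demo() -> dict:
    two = frozenset({"password", "hardware_key"})
    return {
        "alice_hr_ok": decide(AccessRequest("alice", GOOD_PHONE, two, "hr-records", "write", "10.20.1.15")),
        "alice_single_factor": decide(AccessRequest("alice", GOOD_PHONE, frozenset({"password"}),
                                                    "hr-records", "read", "10.20.1.15")),
        "bob_wrong_role": decide(AccessRequest("bob", GOOD_PHONE, frozenset({"password", "totp"}),
                                               "hr-records", "read", "10.20.1.16")),
        "alice_old_os": decide(AccessRequest("alice", OLD_LAPTOP, two, "wiki", "read", "10.20.1.17")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["decision"], result["reasons"])
```

Of the four sample requests, only the first is allowed: a single factor against a two-factor resource, a role without entitlement, and a compliant-looking but out-of-date laptop are each refused with the reason recorded. Keeping the reasons in the audit record is what lets the security team see why access is being denied, rather than only that it was.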

Forrester has found that one of the concerns about the adoption of zero trust is the cost of implementing the model. The analyst firm has developed a core zero-trust model that it says emphasises gradual evolution towards the zero-trust principles by starting with identity and other foundational security controls and reducing the attack surface using your existing control footprint.

Forrester analysts McKay, Cunningham and Lannopollo urge CISOs to follow a gradual approach to deploying zero trust across their organisations by starting with their existing security systems. “As you master those areas, you can then invest in new areas, like enhancing the range of security monitoring use cases to gain greater visibility and automate manual security tasks and increase your zero-trust maturity,” they say. “If you can demonstrate that zero trust is not yet another excuse to buy lots of shiny new security widgets, you’ll gain further trust in the boardroom.”

In fact, the Zero trust progress report found that a quarter of organisations are augmenting their current secure access infrastructure with software-defined perimeter technology, which effectively provides zero-trust network access.
