Serg Nvns - Fotolia

Zero-trust security model gaining traction

The zero-trust model of security is finally gaining traction as security professionals tap into new tools and executive buy-in to support this approach in an effort to improve security posture and practices

Traditional approaches to security are failing because enterprises continue to be breached despite spending billions of dollars a year on security technologies, says Torsten George, product evangelist at security software firm Centrify.

This means we need to do something different, he told Computer Weekly, with 66% of organisations admitting they are still getting breached an average of five times a year as the attack surface continues to expand with increased enterprise use of cloud services and employee-owned devices.

In addition, George said the enterprise is now facing threats introduced by internet-connected devices. “Let’s not forget that the massive data breach at US retailer Target in 2013 started with compromising a smart climate control system that enabled the attackers to move laterally within the Target network, which was one of the first IoT [internet of things] breaches,” he said.

A post-mortem analysis of the majority of breaches, however, reveals that identity is the top attack vector, with 81% of breaches being linked to weak, default or stolen passwords, which George said indicates that identity is an area organisations need to focus on.

“But currently, not much of the security budgets are being spent on protecting identity, despite it taking just one compromised credential to impact millions of data records and people, underlining that organisations can no longer rely on endpoint security and firewalls, but need to start implementing identity-centric security measures,” he said.

This is where zero-trust security comes into play, said George, because it assumes that untrusted actors exist both inside and outside the corporate network and every user access request has to be authorised.

“Therefore, organisations have to remove trust from the equation, because if someone is camouflaging their attack behind a legitimate identity like a database administrator, even if the targeted data is encrypted, the attacker will still be able to access and decrypt it,” he said.

Against this background, George said the zero-trust approach – which was first outlined by Forrester Research and the US National Institute of Standards and Technology (Nist) – has been gaining traction, with Google using it as the basis of its BeyondCorp initiative.

“As a result, Google claims that they have not been hit by any credential-based attacks since implementing the approach of never trust, always verify,” he said.

According to George, verifying users is the first of four pillars of zero-trust security. The others are: validating devices, limiting access of privileged users wherever possible, and then applying machine learning to all these factors to step up the authentication processes wherever necessary. 

“Machine learning enables organisations to apply access controls dynamically based on behaviour, time and other factors without requiring manual intervention by an administrator when circumstances change, such as connecting to the corporate network from a new location,” said George.

When it comes to verifying the user, there are three key elements, said George. First is identity consolidation, which involves tying access back to Active Directory identities to improve accountability by eliminating the risky practice of sharing root passwords.

“This should be supplemented by using single sign-on, where users are not exposing their username and password for each application, but are using instead a one-time password that is time limited, so even if it is compromised, it cannot be used on an ongoing basis.”

Second, is the use of de-facto authentication everywhere, including privileged users and for accessing internal resources such as network devices and servers. “Anything that involves sensitive data and risk should use de-facto authentication, where there is a high degree of certainty that the user actually is who they claim to be,” said George.

The third key element of user verification, he said, is monitoring user behaviour and taking factors such as time and location into account. “If someone typically works between 6am and 7pm, but suddenly logs in at midnight, that should be flagged as abnormal behaviour and trigger additional authentication,” said George.

Partly thanks to improvements in technology capabilities, George said the move to zero-trust security has gained momentum in the past year.

“A study by IDG shows that 71% of security-focused IT decision makers are not just aware of the zero-trust security model, but are actively pursuing that. Meanwhile, 10% are currently doing pilots and about 8% who have implemented it fully.”

In addition, George said a study by Forrester and Centrify shows that by applying best practices in line with zero-trust priciples, organisations recorded 50% fewer breaches within just two months.

“In addition to cost savings due to gains in incident response efficiencies and technology consolidation, the organisations also reported 67% greater confidence in supporting users on mobile devices and rolling out new partner and customer experiences because they felt they could ensure that participants were secure,” he said.

DevOps environments are increasingly being targeted by attackers, said George. “In this context, the study showed a 44% gain in confidence through applying zero-trust principles, and so overall it really is quite successful,” he said.

However, despite a growing number of organisations buying into the concept, George said some are being held back by the mistaken belief that it takes a lot of time and effort and that everything has to be done at the same time.

“In reality, implementing a zero-trust security model is a step-by-step process, with the first step typically being around identity assurance by consolidating identities and applying more de-facto authentication, before moving further to moving lateral movement by doing things like applying conditional access and enforcing the principle of least privilege,” he said.

Once all these things are in place, George said organisations can then move on to auditing everything, analysing the risk, monitoring user sessions and integrating with the security information and event management (Siem) systems.

“But it does not have to be done all at once. It can be done step by step, and we have lost of customers that are doing exactly that, with some starting with securing their laptop environments, before moving to servers and cloud.”

Studies show, said George, that there has been a shift towards understanding that security has to start with locking down identity. “But it has taken time, and now suddenly we are finally seeing zero-trust gain traction and gain favour with the c-suite as an effective way to address security challenges.

George is to discuss these topics in more detail in a session entitled: How zero trust is creating a game-changing security experience at the Cybersecurity Leadership Summit 2018 Europe in Berlin from 12 to 14 November.

Read more about zero-trust security approach

Read more on Hackers and cybercrime prevention