
Zero-trust security not an off-the-shelf product

The zero-trust security model is a business enabler that needs to be supported by a strategy and security architecture, analyst warns cyber security leaders

Many security suppliers are releasing products that are claimed to be based on the zero-trust security model, says Paul Simmonds, fellow analyst at KuppingerCole. “But ensure you select products with care,” he told the KuppingerCole Cyber Security Leadership Summit in Berlin.

Simmonds warned security leaders to be wary of suppliers’ claims and check whether they are just jumping on the “buzzword bandwagon” and re-badging old products.

To be able to discriminate between products, security leaders need to understand what zero trust is and what it is not, he said.

First, zero trust is an architectural state of mind, said Simmonds. “This is about security architecture done correctly, rather than what has happened historically, where security products have been bolted on,” he said.

“You can’t do that any more. Zero trust is where there is no difference between the internet and the intranet.”

Zero trust is a “business enabler” because, done correctly, it lets businesses move faster and more securely, since it is a combination of processes and technologies, he said. “Security is improved because it effectively blocks lateral movement within organisations.”

It is widely recognised that complexity is the enemy of security because it encourages end-users and business leaders to bypass security, said Simmonds.

“The zero-trust model once again improves security by reducing complexity, and if you get it right, it works for everyone, including business partners, by providing a unified experience with greater flexibility and productivity,” he said.

On the other hand, zero trust is not about trusting no one, said Simmonds, it is not a “next-generation perimeter” and it is not “VPN modernisation”.

“It is not an off-the-shelf product,” he said. “You can’t go out and buy it. You have to architect it. Above all, it is about architecting for the future.”


It is also not an IT-only project, said Simmonds, because the business has to be involved continually. It is not a one-off project and it is not about eliminating the intranet.

The need to implement a zero-trust model is underlined by the fact that current and future IT infrastructure looks very different from what it did in the past, he said.

With the advent of mobile working and cloud services, more is required than the “sticking plasters” currently on offer by the security technology industry to make complex, heterogeneous IT environments work for the business, said Simmonds.

“That’s where we are today,” he said. “And guess what? The bad guys are taking us for a ride. Tomorrow’s business is going to look very much like today’s with the addition of things like 5G and IPv6, but we are going to think about it differently by implementing the zero-trust model.”

To enable this, organisations need a strategy because “rip and replace” will not work as most businesses will not be able to afford it, said Simmonds.

“Think beyond and focus on business enablers like the reduction of infrastructure complexity, readiness for hybrid cloud, enterprise mobility and compliance,” he added.

Another important element of a zero-trust strategy is to identify key assets that could affect the share price, and where they are, said Simmonds.

“Don’t expect to achieve this goal in one step, and reuse what you can, incorporating existing security, monitoring and orchestration tools.”

Focus on the data

Businesses should focus on the data, said Simmonds. “This includes asset discovery, classification, identifying sensitive data flows, encrypting all sensitive data at rest and in transit, and ensuring you have a data security analytics capability to speed up the time to respond to data breaches.”

Identity is another key component, he said. “You put trust back into the system through user, device and context identity.”

When it comes to networks, said Simmonds, there will be no DMZ (demilitarised zone) or VPN (virtual private network) any more or any “security perimeter” as such.

“It has to be application and user-centric and it has to have authentication and authorisation, but there is more than one way to implement it,” he said.

Options include network micro-segmentation, software-defined perimeters and identity-aware proxies, he said. “It is about architecting what is right for your business and there is lots of stuff out there that you can use to build this.”

But there will always be some legacy IT, said Simmonds. “If you are going to embark on this journey, you need to understand with the business what stays as legacy, what needs protecting, and finding the best ways to do that.”

Access management

Access management is another key element, he said. “It needs to be based on the least privilege principle, centralised, dynamic and adaptive to new authentication methods.”

And, ultimately, zero trust means organisations will have to be able to monitor, detect, audit and adapt, he said. “This isn’t a one-stop shop – buy it, fit it, forget about it. This is about continual adaption and it is a journey.”

As an example of zero trust in action, Simmonds cited the BeyondCorp initiative at Google that shifts access controls to devices and users to enable employees to work more securely from any location without needing a traditional VPN.

“The mission statement is to have every Google employee work successfully from untrusted networks without the use of a VPN – and they have done it,” he said. “They have moved into a zero-trust environment.”

But BeyondCorp is not perfect, said Simmonds. “It is a good story, but the problem remains that it all works only if everyone plays within a particular locus of control – in this case, Google’s. So as long as you have a Google device, inside a Google environment with a Google username, then it will work.”
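The access model described above, in which trust is rebuilt from user, device and context identity and each application is granted the least privilege it needs, can be sketched as a policy decision function. The following is an added illustration, not code from Google’s BeyondCorp or from Simmonds’ talk; the tier scheme, group names and application policy are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed example of a BeyondCorp-style access decision. Trust is derived
# from user, device and context identity, never from the network the request
# came from, so internet and intranet clients are treated identically.

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]      # group claims from the identity provider
    mfa: bool                   # context: was strong authentication used?
    device_managed: bool        # device identity: enrolled in inventory?
    device_patched: bool        # device posture: current OS/patch level?
    app: str                    # application being requested

# Assumed per-application policy: each app states the group it is limited to
# and the minimum trust tier it accepts (least privilege, default deny).
APP_POLICY = {
    "wiki":    {"group": "staff",   "min_tier": 1},
    "payroll": {"group": "finance", "min_tier": 3},
}

def trust_tier(req: Request) -> int:
    """Tier 0-3: +1 managed device, +1 patched (only if managed), +1 MFA."""
    tier = 0
    if req.device_managed:
        tier += 1
        if req.device_patched:
            tier += 1
    if req.mfa:
        tier += 1
    return tier

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown apps are denied (no implicit trust)."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, f"no policy for app {req.app!r}"
    if policy["group"] not in req.groups:
        return False, f"user {req.user!r} not in group {policy['group']!r}"
    tier = trust_tier(req)
    if tier < policy["min_tier"]:
        return False, f"trust tier {tier} below required {policy['min_tier']}"
    return True, f"tier {tier} meets {policy['min_tier']} for {req.app!r}"

if __name__ == "__main__":
    alice = Request("alice", frozenset({"staff", "finance"}), mfa=True,
                    device_managed=True, device_patched=False, app="payroll")
    print(decide(alice))  # denied: tier 2 < 3 until the device is patched
```

The decision is re-evaluated on every request, which is what makes the control dynamic and adaptive rather than a one-off perimeter check.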

Best practice advice for organisations is that they need to have a zero-trust implementation strategy, said Simmonds. “It’s an architectural strategy and you need to design internally with an Internet mindset because if you can make it work on the internet, it will work better and more securely for the intranet.”

Although it will vary from business to business, Simmonds said security leaders may decide to opt for HTML5 delivery by default, vulnerability analysis on everything, using identity attributes to deliver security via adaptive authentication, segmenting front-end legacy systems and devices, and adopting a “fix once and fix it properly” mentality.

He added: “The business reason for adopting a zero-trust approach is that it works and that security likes to say ‘yes’ instead of ‘no’.”
