Security Think Tank: Ask yourself if zero trust is right for you
In theory, the elimination of trust on the network simplifies IT security, but zero trust also brings new complications and new challenges. How should CISOs go about moving their organisations from traditional network security to a zero-trust architecture?
Digital transformation means today’s organisation is no longer limited to undertaking its operations within the confines of its own network. But this paradigm shift, which includes adopting cloud-hosted systems and services and outsourcing core business processes to expert technology partners, blurs the lines of control and responsibility for the devices, systems and applications that reside on this extended network. The result is an exponential increase in security challenges.
This is exacerbated by shadow IT, as individuals and departments purchase technology that, although it enables their roles, is outside the remit of the IT department and therefore not subjected to the organisation’s standard security processes.
These changes are eroding the usefulness of traditional perimeter-based network security. Instead, the focus shifts to controlling what actions can be performed within the network, with the zero-trust approach to internal permissions assuming that even authenticated users could act maliciously.
But while zero trust may be a straightforward concept, because its premise is to mistrust everything, it can be complex and resource-hungry to implement and manage. It may also introduce a level of security that is over and above the real needs of the business, thereby compromising operational efficiency with security that is both heavy-handed and superfluous. The initial consideration should therefore be whether zero-trust architecture is a requirement or an aspiration for the enterprise in question.
Whether inbound and outbound traffic can be controlled is a key factor. For example, a strategic decision to allow customers to see stock availability via web shops requires inventory details to be publicly available, and therefore visible to non-trusted people. Similarly, governments in some countries can legitimately request access to corporate data, while in other regions, technical encryption levels are not adequate. The decision whether to pursue a zero-trust policy will come down to the organisation’s risk appetite as well as what is technically possible.
Risk-based approach
If zero trust remains a strong objective, it is important to acknowledge that implementing it as a single step-change is impractical, and potentially impossible. The volume of exceptions and business disruption likely to result from them, not to mention the direct costs of the implementation, make it unrealistic, at best.
Therefore, it is important to use a risk-based approach to identify which applications, servers, devices, users and data need to be protected. Those that are more critical to the organisation should be prioritised from a control perspective so that defences are enhanced and zero trust introduced. Operational processes can then bed in, while exceptions are contained to critical assets only.
At the same time, this acts as a prototype for the rest of the network and a “core” around which further controls are built. Critical applications facing the highest-risk and most complex threats are enhanced first, thereby providing the best investment value. The key is to understand what needs to be done and how aggressive it should be.
Prioritisation also determines the roll-out approach, with security operations and monitoring on key areas of the network increased gradually and additional security (access-driven malware scanning, for example) on business-critical applications introduced based on criticality.
Technical specifications
The technology systems selected and deployed need sufficient power to monitor and detect everything – known and unknown – that might be mistrusted. In general, although one-stop solutions can seem appealing, they are likely to be more costly and difficult to implement and operate in the long term.
Applications and devices that have zero-trust capabilities built in prevent additional work, but legacy systems, which may require extra components in order to comply with the model, also need to be accounted for. Solutions need to be scalable to match business growth, as well as future-proofed, so they can evolve at the same (rapid) pace as the threat landscape.
Trusting nothing results in a large number of exceptions to the defined goal. Monitoring resources therefore need the manpower and bandwidth to respond to every incident that is raised, to avoid business disruption or an immediate erosion of the trust objective.
Zero trust in practice
Strong identity management and device management are essential. Users and devices that are not recognised by the system in which they need to operate should be denied access to anything.
Mapping data flows shows how things are accessed and updated, and where data comes from and goes to. Applications that don’t need to be online or to access file servers can be blocked.
Despite the best intentions to include all business processing activities, elements can be missed. Previously unknown “key” business process steps are often identified at this point, flagged by the disruption caused through suddenly disabling an application whose function is still required.
Shadow IT environments amplify the likelihood of this happening, because IT security teams are more likely to unilaterally block a business solution without warning if they don’t know about it. Repairing the service requires IT to react rapidly to update the false positives flagged by zero trust, while business representatives must learn quickly how to use the technology securely – and, in the longer term, to engage with IT security and operational teams earlier and more effectively.
Data flows between different parts of the network, applications and the internet can be managed in one place with data integration tools. Assuming that the non-technical information, such as business justification and agreed contractual terms, also flows effectively through the technical channels, this enables appropriate protection protocols to be deployed.
Regular device discovery checks ensure that no rogue devices have been connected, but they need to be reinforced with plans to deal with any unexpected devices, should they appear. Correctly set-up identity and device management should prevent unauthorised communication with anything, but rogue devices can lead to other controls being bypassed, or can indicate that the business has made a change without updating the IT security team.
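The three controls described above (identity and device management that rejects anything unrecognised, mapped data flows that are permitted only where a business justification exists, and discovery checks for devices that are not in the inventory) can be expressed as a single default-deny decision. The following Python is an added example written for this page, not code from the author or from any product; every user, device id, application, destination and group in it is a constructed sample, and the idea of requiring completed MFA and a compliant device posture is an assumption layered on top of the article's "strong identity and device management".

```python
"""Default-deny access evaluator: a request is allowed only when every
zero-trust check passes; any unrecognised user, device or data flow is refused.
All directories below are constructed sample data for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Identity directory (constructed): user -> groups and whether MFA was completed.
KNOWN_USERS: Dict[str, dict] = {
    "alice": {"groups": {"finance"}, "mfa": True},
    "bob": {"groups": {"warehouse"}, "mfa": False},
}

# Device inventory (constructed): device id -> assigned owner and posture.
REGISTERED_DEVICES: Dict[str, dict] = {
    "lt-0001": {"owner": "alice", "compliant": True},
    "lt-0002": {"owner": "bob", "compliant": True},
}

# Mapped data flows (constructed): (application, destination) pairs the
# business has justified. Anything not listed is blocked by default.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("erp", "file-server"),
    ("webshop", "inventory-api"),
}

# Which user groups may reach which destination (constructed).
DESTINATION_GROUPS: Dict[str, Set[str]] = {
    "file-server": {"finance"},
    "inventory-api": {"warehouse", "finance"},
}


@dataclass
class Request:
    user: str
    device: str
    app: str
    destination: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # why it was denied


def evaluate(req: Request) -> Decision:
    """Run every check and deny if any one of them fails (default deny)."""
    reasons: List[str] = []

    # 1. Identity: the user must exist and have completed strong authentication.
    user = KNOWN_USERS.get(req.user)
    if user is None:
        reasons.append("unknown user")
    elif not user["mfa"]:
        reasons.append("user has not completed MFA")

    # 2. Device: must be in the inventory, assigned to this user and compliant.
    device = REGISTERED_DEVICES.get(req.device)
    if device is None:
        reasons.append("unregistered device")
    else:
        if device["owner"] != req.user:
            reasons.append("device not assigned to this user")
        if not device["compliant"]:
            reasons.append("device out of compliance")

    # 3. Data flow: the application-to-destination path must have been mapped.
    if (req.app, req.destination) not in ALLOWED_FLOWS:
        reasons.append("data flow not in the mapped flows")

    # 4. Authorisation: at least one of the user's groups may use the destination.
    if user is not None:
        permitted = DESTINATION_GROUPS.get(req.destination, set())
        if not (user["groups"] & permitted):
            reasons.append("user group not authorised for destination")

    return Decision(allowed=not reasons, reasons=reasons)


def find_rogue_devices(observed: Set[str]) -> Set[str]:
    """Discovery check: devices seen on the network but absent from the inventory."""
    return observed - set(REGISTERED_DEVICES)


if __name__ == "__main__":
    for r in (
        Request("alice", "lt-0001", "erp", "file-server"),     # every check passes
        Request("bob", "lt-0002", "webshop", "inventory-api"),  # MFA not completed
        Request("alice", "byod-77", "erp", "file-server"),      # device not in inventory
    ):
        d = evaluate(r)
        print(r, "ALLOW" if d.allowed else "DENY", d.reasons)
    print("rogue devices:", find_rogue_devices({"lt-0001", "lt-0002", "printer-9"}))
```

Because the decision collects every failed check rather than stopping at the first, the output doubles as the evidence an operations team needs when a newly enforced control turns out to be blocking a legitimate but previously unmapped business step: the denial reason points at which directory or flow map has to be updated.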
An organisation’s network needs to change as the organisation evolves. A zero-trust model must adapt to the introduction of new applications or new access methods without compromising the zero-trust status of the rest of the IT estate.
Drives for business effectiveness and efficiency increasingly demand porous network perimeters. Zero-trust architectures offer a modern-day solution – but they are not a panacea. Like all IT investments, they require robust assessment to ensure they are the right “fit” for the organisation and the security problem in question.