Security Think Tank: Zero trust is complex, but has rich rewards

In theory, the elimination of trust on the network simplifies IT security, but zero trust also brings new complications and new challenges. How should CISOs go about moving their organisations from traditional network security to a zero-trust architecture?

One of the main criticisms cyber security professionals hear about zero trust is the challenge to truly have a fully fledged implementation in place – which is definitely true. But what most organisations don’t realise is that they actually already have most, if not all, the pieces of the technology stack to fully implement zero trust.

The true cost of zero trust will mostly lie within the planning, engineering and operational aspects of its implementation.

The job for each organisation’s CISO will be to understand which aspect of zero trust will be the most challenging to implement for his or her own organisation because each organisation has its own unique challenges.

Those organisations will also most likely have even more unique and dynamic challenges when it comes to security – and meeting all facets of zero trust can seem like a daunting task.

ACT-IAC has published a great article identifying each of these aspects and summarising the facets of zero trust into common pillars. For example, if CISOs and their teams are striving for a true zero trust implementation for their organisations, they will need complete visibility of their system/asset inventory.

They will need to know what assets they have, who has access, who is responsible for the assets and what type of information they contain.

As seen in most cyber security attacks or breaches, it is often a single compromised asset, such as a server or device, that, if undetected, can (and usually does) lead to an incident, breach or attack. The management and visibility into all the organisation’s assets would fall under the Devices Pillar – and is quite challenging in our ever-evolving and dynamic environments.

In my line of work as a cyber security consultant working with various end-users, one aspect that most organisations already have in place is the capability of strong authentication, which falls under the Users/Identity Pillar. Strong ongoing authentication of trusted users is paramount to zero trust.

ISACA has a great webinar outlining the importance of identity and why it is one of the foundational layers of zero trust. The type of technologies that fall under this category include identity, credential and access management (Icam), multi-factor, or any other strong authentication that includes a strong emphasis on being able to validate that claimants are who they claim they are.

Identity and devices are just two of the pillars of zero trust. The remaining pillars include network, applications, automation and analytics – and there are myriad ways to implement zero trust, from network micro-segmentation (lots of small firewalls) and software-defined perimeters (lots of small VPN tunnels) to (but certainly not limited to) identity-aware proxies, which are essentially next-generation web access management.

With the various environments, services and implementations out there for each organisation, the chances are you will either use all or a combination of these methods for zero trust.

For a true zero-trust transformation, CISOs maintaining and managing legacy infrastructure will face even more challenges and will need to identify all legacy infrastructure and devise a strategy to deal with any and all legacy assets. CISOs will need to plan to replace the asset, upgrade the asset, isolate the asset on a separate network or through network micro-segmentation, encapsulate insecure protocols, leverage a data diode solution, or a combination of those steps.

CISOs also will need a long-term, business-driven strategy and not a rip-and-replace method, which may sound like a good idea for a quick implementation of zero trust, but in practice is inherently flawed, as the source design or method often does not match the design of the end purpose.

CISOs will need to begin thinking beyond security and focus on actual business enablers, such as the reduction of overall infrastructure complexity, enterprise mobility and compliance. CISOs should have already identified the organisation’s key assets and biggest risks, and expect to reuse and incorporate existing security, monitoring and orchestration tools.

The other criticism we often hear from CISOs when zero trust is brought up is that it functions well in a culture that inherently does not trust, and for organisations in commercial or private sector businesses, the “trust but verify” model is a more amiable and appealing model.

At first glance, that may seem to be the case, but zero trust is much more flexible. If implemented appropriately, some would argue that zero trust can be much more user-friendly than the former “castle and moat” perimeter approach.

One does not need to look any further than Google’s implementation of zero trust, BeyondCorp, to recognise that proper planning and strategy is critical to a successful transformation, resulting in ease of use for all parties involved.

Organisations must recognise that migration to zero trust can’t be done overnight. The process needs to be multi-layered and incremental, with various stages of information-gathering, trial deployments, corrections to processes and technology, and exceptions and remediation when necessary.

The process will require changes to many, if not all, layers of the stack: networking, security, clients and back-end services. Organisations will need to partition the changes so that progress can be made independently at different layers, making the multi-pronged implementation more approachable and manageable.

Most importantly, this undertaking affects the entire company. Getting all stakeholders aligned and keeping everyone informed will require commitment and buy-in from all levels of management.

Make no mistake, a true zero-trust implementation will require energy, time and resources, as do all noteworthy efforts, but zero trust also has the potential to provide a seamless and secure experience, if done right.

CISOs will want to begin evaluating the return on investment on implementing zero trust within their organisation, but in most industries, this shift is already beginning. For those supporting or providing services to any federal government entity, the move to zero trust is inevitable, as it is already being discussed within the Federal Risk and Authorisation Management Program and Cyber Security Maturity Model Certification communities and industries.

Bhanu Jagasia is a technology and security consultant, and a specialist in security assurance and risk who is based in Washington DC. Currently director of federal cyber security services and risk management at Emagine IT and CEO of his own consultancy, he writes on behalf of ISACA.