Given the ongoing, rapid rise in digital transformation, the “zero-trust” concept is fast gaining traction as the go-to strategy for securing modern business networks.
Zero trust refers to the notion of shifting access controls from the perimeter to the individual users and their devices. Thus, these frameworks involve evaluating the security risk of devices and users within context at any given moment, without automatically conferring network privileges or providing default access based solely on credentials.
The idea addresses the fact that business applications and data are now digitally dispersed far and wide, away from the corporate premises. And yet, organizations feel somehow compelled to make access to these digital systems as flexible and convenient as they can, in order to cater to an increasingly mobile workforce.
It has become axiomatic that legacy network defenses, focused as they are on erecting a moat and castle walls around on-premise systems, simply cannot preserve the integrity of operations in digitally advanced business networks.
Thus, zero trust is fast becoming a mantra in cybersecurity circles, with suppliers of multi-factor authentication (MFA) identity and access management (IAM) identity governance and administration (IGA) and privileged access management (PAM) systems all integrating zero-trust architectures into their core technologies.
Meanwhile, technology research firms Gartner and Forrester have both launched full coverage of the space. Gartner refers to the discipline as Continuous Adaptive Risk and Trust Assessment, or CARTA; and Forrester calls it the Zero Trust Extended, or ZTX, ecosystem. In another sign that zero trust is moving into the mainstream, Cisco recently acquired Ann Arbor, Mich.-based Duo Security, a fast-growing supplier of cloud-based multi-factor authentication systems, for $2.3 billion. That move has been widely seen as an effort to add zero-trust horsepower to its expanding portfolio of security services.
However, implementing zero-trust is not without its challenges. As the idea gains mindshare, companies are discovering that authenticating users on a more granular basis isn’t as simple it may seem. It requires taking a full accounting of all internal and public-facing business systems, reviewing and updating existing security policies and then dialing in just the right amount of automated security controls to restrict access to key systems, all without annoying the workforce.
“This is definitely not a checkbox exercise,” said Tapan Shah, managing director of Sila Solutions Group, a Washington D.C.-based technology and management consulting firm. “Zero trust is all about making sure the right people have the right access, for every layer including user, application, data and network.”
Trust Tiers
As a concept, zero trust can be traced back to a group of IT security pros calling themselves the Jericho Forum, which first convened in 2003 to discuss the erosion of traditional network defenses – what they referred to at the time as “de-perimeterization.” In 2010, then Forrester Research analyst John Kindervag coined the term “zero trust,” and defined it succinctly as “never trust, always verify.” Kindervag’s remains a zero-trust advocate; today he is field CTO at Santa Clara, Calif.-based security platform supplier Palo Alto Networks.
“So [the system] might say, ‘If you’re an employee looking at the cafeteria menu, we don’t care what device you’re using, and we’re not going to try too hard to validate you, because the stakes aren’t high,'” explained Wendy Nather, head of advisory CISOs at Duo, who has written a white paper on the subject. “But if you’re an enterprise resource planning administrator logging into an application, it will say, ‘We’re going to be sure that you’re using a corporate managed device, and that you’re using multi-factor authentication every time you check in.'”
The idea was really pushed to the fore by Google, which in one fell swoop in 2013, completely jettisoned the traditional VPN-based remote access system it had been using for its employee-facing applications. The search giant instead replaced it with something called BeyondCorp.
BeyondCorp assumes no traffic within Google’s internal network is any more trustworthy, by default, than traffic coming in from the outside. It continually validates users and devices, and applies end-to-end encryption between the devices and the resources that they seek to access. What’s more, users are granted “least privilege” – i.e., only enough access to accomplish the task at hand.
“Google’s zero-trust deployment established defined levels of sensitivity and different levels of trust,” said Nather.
It’s no accident that Google stepped up planning of BeyondCorp not long after the search giant publicly disclosed details of Operation Aurora, the systematic hacking of Google and dozens of marquee U.S. corporations by attackers with ties to the Chinese military. In Operation Aurora, as in countless other major breaches, the attackers took full advantage of weak access controls.
To its credit, Google recognized this exposure for what it was — and moved dramatically it do something about it. The search giant, of course, had the engineering talent and resources to move comprehensively to replace its VPN-centric access controls with leading-edge zero-trust architecture. Other organizations may need to take a more incremental approach.
Implementing Zero Trust
Many organizations have long been using IAM, IGA and PAM solutions to meet various compliance requirements, zero-trust schemes bring all of these together – and involve the adoption of advanced features that increasingly tap into machine learning and behavior analytics. This in turn means that companies must make practical decisions about which innovations can materially reduce security exposures, without unduly disrupting the workforce flexibility and agility they are likely striving to foster.
In other words, embracing zero trust will involve methodical planning and taking a measured approach to technology adoption.
“For most organizations this will be a journey,” said Sila’s Shah. “We call it getting on a verification continuum.”
It’s now possible, for instance, to amass granular histories of the computing devices used by any particular employee. Policy decisions can be set to trigger based on whether the employee is using a corporate owned and managed device, or a personal device. If the user decides to try to use a personal device to access a company application or data base, a policy can be enforced requiring the employee-owned device to meet certain security hygiene standards, for instance.
SailPoint Technologies, an Austin, Tex.-based supplier of IGA systems, has been increasingly using machine learning in this way. “With any of these technologies, you’re looking for the outliers,” said Mike Kiser, global security advocate at SailPoint. “If users in a group all serve similar roles, then they should all have similar levels of access. But if one of my engineers suddenly gets access to a marketing database in Botswana, I probably want to go take a look at that and perhaps remove that access.”
Similarly, Centrify, a Santa Clara, Calif.-based IAM supplier, is honing behavior analytics systems that can closely monitor all access requests and keep very close track of specific usage patterns and activities for every user. If an access request by any user turns up which is out of the norm, a policy can be automatically enforced requiring use of a variety of forms of multi-factor authentication to log on.
“Machine learning allows you to identify these things and take action in real time,” said Andy Smith, vice president of product marketing at Centrify. “I can look at commands that may be running and identify things that no human looking through logs would be able to identify.”
At the same time, in moving to deploy zero-trust systems, companies should not overlook the usability aspects of any system; most learn quickly how important it is to assess what their employees, partners and suppliers will tolerate, said Duo’s Nather.
“For CISOs it’s about trying to find the right balance,” Nather said. “‘How often do I need to ask for these extra factors of authentication? How long can I remember my employee’s device before I have to track it again, because the risk has gotten higher?’ Zero-trust enables companies to give a consistent experience to their users, which is important because it will keep them from getting cranky.”