Zero trust: Default is deny

By Leonard Kleinman, Chief Cyber Security Advisor, RSA International

Recent global challenges have seen many organisations survive by going digital and adopting a blend of on-premises, work-from-home and third-party collaborations. Internet and streaming media use are rising. A rapid shift to distributed work, along with radical changes in human behaviour, is creating new and extended digital risk for organisations as well as great opportunities for malicious actors. The reality of going digital is that it requires anywhere, anytime access to any system, regardless of the location of the users and/or the devices.

If "necessity is the mother of invention", then these challenging times have been a significant force - necessitating myriad changes to our daily lives.

Re-enter Zero Trust. It is not new: its historical roots evolved from the principle of defence-in-depth, and it gained significant exposure around 2010 when Forrester researcher John Kindervag espoused its virtues. I learnt many years ago that timing plays a large part in the take-up of new ideas. Sometimes ideas can be too early for the environment; maturity of thought is just not conducive for a new way to be embraced. Perhaps the timing is right for Zero Trust now.

Society has long embraced the concept of trusted systems, and this trust in our systems is where the vulnerability and opportunity for exploitation lie. The Zero Trust approach gives us that all-important rule for establishing and maintaining a secure work environment:

‘Trust nothing and treat everything as hostile – this includes the network itself, any host, any applications, devices, people or services running on the network.’

Digital transformation means that newly adopted technologies and services, such as cloud, mobile, remote workforce, IoT and containers, are all expanding the corporate network. Boundaries have been turned inside out in today’s networking paradigm and require a different way of looking at them. The Zero Trust approach to cybersecurity puts an end to the old ‘castle-and-moat’ mentality; a long-held methodology where organisations focused on defending their perimeters while assuming everything inside is ‘trustworthy’ and therefore automatically cleared for access. Essentially, we trust way too much.

About the only thing an organisation really owns or more accurately, is responsible for, is data. The Zero Trust approach of ‘continuous verification’ wraps tighter controls around data, reducing the risk of unauthorised access, manipulation and movement of data – including malicious software. The opportunity for lateral movement is significantly reduced. This means your scarce security folk can focus efforts on monitoring and inspection of the data and the application of appropriate access control methodologies.

There is also the added benefit of reduced cyber risk through the reduction or even elimination of shadow IT. With Zero Trust, anything new cannot just appear on the network and start communicating. Everything in a Zero Trust network (applications, devices, services, hosts and users) must be authenticated before being allowed to communicate and function.

Zero Trust relies on a range of existing technologies together with the right governance processes to achieve its mission of securing the organisational IT environment, including:

  • Technologies, such as multifactor authentication, Identity and Access Management (IAM), file system permissions, orchestration capabilities, analytics, encryption; and
  • Governance policies and rules, such as giving users the least amount of access they need to complete their job or specific task, known as the principle of least privilege.

It requires organisations to leverage internal and micro-segmentation (dividing the network into multiple segments or subnets), and enforce a granular perimeter based on the user, their location and other collated data to determine whether to trust a user, a device or application seeking access to the enterprise. This naturally flows from the principle of least privilege, which limits access on a need-to-know basis.

The final overlay is strong conditional policy enforcement: policy specifying that someone can now have access to something via a specific device.
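The conditional, default-deny decision described above can be sketched as follows. This is an added example, not code from the original article or from RSA; the users, devices, locations and resources are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    user_authenticated: bool      # e.g. multifactor authentication completed
    device_id: str
    device_authenticated: bool    # device identity verified, not merely present
    location: str
    resource: str
    action: str

@dataclass(frozen=True)
class Rule:
    user: str
    device_id: str
    locations: frozenset
    resource: str
    actions: frozenset            # least privilege: only the actions the task needs

# Constructed policy: each rule ties one user to one device and one resource.
POLICY = (
    Rule("alice", "laptop-0042", frozenset({"AU"}), "payroll-db", frozenset({"read"})),
    Rule("bob", "build-agent-7", frozenset({"AU", "NZ"}), "artifact-store",
         frozenset({"read", "write"})),
)

def decide(req, policy=POLICY):
    """Return (allowed, reason). Nothing is allowed unless a rule says so."""
    if not req.user_authenticated:
        return False, "user not authenticated"
    if not req.device_authenticated:
        return False, "device not authenticated"
    for rule in policy:
        if (rule.user == req.user
                and rule.device_id == req.device_id
                and req.location in rule.locations
                and rule.resource == req.resource
                and req.action in rule.actions):
            return True, "matched explicit allow rule"
    # Falling through the rule list is the normal outcome, not an error.
    return False, "no matching allow rule (default deny)"

if __name__ == "__main__":
    ok = Request("alice", True, "laptop-0042", True, "AU", "payroll-db", "read")
    other_device = Request("alice", True, "tablet-0007", True, "AU", "payroll-db", "read")
    for r in (ok, other_device):
        print(r.user, r.device_id, decide(r))
```
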

When it comes to implementation, each organisation is different and so the approach needs to be tailored accordingly. Some simple considerations would be to start with the assumption that the network environment is compromised – a strategy I recall using in 2012 back in my Federal government days with the Australian Tax Office. From here you start designing and implementing constructs to reduce the impact and consequences in such a situation. Back then it was a totally foreign idea but very effective.

Secondly, enabling extreme visibility is essential in managing and controlling the network. Extreme visibility allows you to perform essential discovery and classification of all items on the organisational network – a Zero Trust requirement. Additionally, it permits continuous monitoring and analysis for events of interest by inspecting all traffic as part of your day-to-day operations.

With visibility enabled, you can now map all the organisational data flows, grouping them into functional buckets of applications, users and devices. You will need to verify the findings through stakeholder engagements, to truly understand what data flows are acceptable and which should be investigated further.

Finally, as mentioned earlier, construct your segmentation strategy and implement it. Segmentation reduces the impact of an attack by reducing the attack surface through the creation of smaller internal networks. It also forces you to define and understand the optimal transaction path associated with legitimate data access and usage.
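The flow-mapping and segmentation steps above, as an added example that is not part of the original article: observed flows are grouped by segment, and anything outside the agreed transaction paths is set aside for investigation. The segment names, address ranges, ports and flow records are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed segment map: subnet -> functional bucket.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app-tier": ipaddress.ip_network("10.20.0.0/24"),
    "db-tier": ipaddress.ip_network("10.30.0.0/24"),
}

# Transaction paths agreed with stakeholders: (source segment, destination segment, port).
ALLOWED_PATHS = {
    ("workstations", "app-tier", 443),
    ("app-tier", "db-tier", 5432),
}

# Constructed flow records: (source address, destination address, destination port).
FLOWS = [
    ("10.10.3.15", "10.20.0.8", 443),
    ("10.10.7.2", "10.20.0.8", 443),
    ("10.20.0.8", "10.30.0.5", 5432),
    ("10.10.3.15", "10.30.0.5", 5432),    # workstation straight to the database
    ("192.168.50.9", "10.20.0.8", 443),   # source not in any known segment
]

def segment_of(addr):
    """Classify an address into a segment, or None if it is undiscovered."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def map_flows(flows):
    """Return (counts of flows on allowed paths, list of flows to investigate)."""
    allowed = Counter()
    investigate = []
    for src, dst, port in flows:
        path = (segment_of(src), segment_of(dst), port)
        if path in ALLOWED_PATHS:
            allowed[path] += 1
        else:
            # Unknown endpoints and unapproved paths are both treated as not allowed.
            investigate.append((src, dst, port, path))
    return allowed, investigate

if __name__ == "__main__":
    allowed, investigate = map_flows(FLOWS)
    for path, count in allowed.items():
        print("allowed", path, count)
    for item in investigate:
        print("investigate", item)
```
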

Zero Trust is not just about technology; it is about process and mindset, more so a philosophy. The good news is that many organisations are already using many elements of Zero Trust. It is about using these current elements and other technologies to enforce that all-important rule: trust nothing, and nothing has access until it has been verified.

The key point is that Zero Trust is about the elimination of trust and by eliminating trust, organisations seek to eliminate the failure of trust – the exploitation vector for all cyberattacks.

Learn more at an upcoming webinar on 5th November 2020 - Register to attend live or for the on-demand video.

RSA is a Gold Sponsor for AISA's 2020 Risk and Cyber Week virtual conference from November 9-13.
