Challenge Everything, Trust Nothing: What Boards Should Know About Zero Trust
Traditional enterprise security models rely on trust. If a user can be trusted, that user gains access to the corporate network and everything attached. In this “castle-and-moat” model, hardware-based security protects the entirety of the self-contained, corporate-owned network, with access managed via hardware gateways.
But the castle-and-moat model was designed a half-century ago to secure work performed on-site, inside a secure office building. Employees today work outside the corporate castle walls: on the Internet, in the cloud, and from home. On top of that, more security challenges exist now than ever before, which means ever more expensive hardware stacks that must be housed close to users.
Recent cyberattacks—such as the one against meat-processing company JBS—highlight the castle-and-moat model’s shortcomings: security is only as strong as its weakest point (say, employee vulnerability to phishing emails), and once network security is breached, every system connected to the network is put at risk. The model’s biggest limitation is perhaps its lack of security awareness. Information technology (IT) leaders relying on traditional security models often have no way to measure the “secureness” of their environments. In fact, most don’t know that their companies have been hacked until they see evidence (such as ransomed data) in the aftermath of an attack.
Zero trust is a more effective solution for preserving enterprise cybersecurity. In concept, zero trust is a framework for protecting enterprise data, applying least-privilege access controls and effectively dissociating security from the corporate network.
Zero Trust in Theory
In 2010, Forrester security analysts outlined a new approach to cybersecurity, one that took it out of the realm of network-perimeter controls and applied it to all data in motion. Zero trust posits that all data traffic from anyone, to anywhere, via any route is potentially hostile and challenges data legitimacy at every stage of travel.
Zero trust is further characterized by four key tenets:
Every authenticated identity receives only least-privilege access, for everyone and everything, everywhere: no implicit trust is ever issued to users, devices, or workloads.
Whether joining user to application, application to application, or workload to workload, connectivity is direct and ephemeral, relying on micro-segmentation at the application level rather than on network segmentation.
Applications, users, and corporate systems remain obscured from the open Internet.
The Internet is the new corporate network.
As security propositions go, zero trust is an attractive one: if attackers exploit trust, then minimizing the trust that is issued reduces cyberattack risk. But when it was first introduced in 2010, the zero trust concept was ahead of its time, and commercial adoption was slow to take off. Legacy security architectures could not easily scale, or easily be reengineered, to accommodate a dynamic, follow-the-data security model.
Zero Trust in the Real World
A decade after its introduction, zero trust is surging in practice and in promotion as a way to secure the new cloud-first, device-agnostic, remote-access way of working. Employing zero trust in an enterprise environment forces leaders to rethink network connections.
With zero trust, individual connections are isolated, ephemeral, and direct, supplanting the traditional notion of an “always-on, always-open” corporate network. Security is applied via proxy and tailored specifically to each instance of connectivity. The proxy, a cloud-based system ideally replicated near each user location, inspects, assesses, and secures each arriving or departing packet of user data, effectively shielding the end user both from attack and from visibility to threat actors.
In August 2020, after extended consultation with a consortium of cybersecurity industry experts, the US National Institute of Standards and Technology (NIST) issued its guidelines for a zero trust architecture (ZTA). The NIST standard emphasizes two requirements for a modern ZTA: security is based on policy and security is delivered via proxy.
For example, a user logs on remotely and goes directly to a nearby cloud-based proxy that authenticates the user based on business policy as defined by enterprise management. From there, the user connects directly to authorized resources—and only authorized resources.
In the NIST-defined ZTA model, no trust is placed in the network, because technically no network access is granted: users connect only to specific, individual destination resources, such as a website or corporate application. Data coming in to the individual user is also challenged, with scalable security delivered at that proxy-based cloud service edge. Nothing bad gets in, and nothing bad goes out.
Less Exposure, Limited Blast Radius, and Comprehensive Monitoring
In a ZTA environment, the Internet acts as the equivalent of a network backbone. Data—blessed by proxy-based security policy—travels directly to its destination, including corporate data centers or private, cloud-hosted resources, via Internet exchanges, alleviating an organization’s need to own and manage physical network infrastructure.
Threat actors attack what they can see. A ZTA model hides each individual device, system, user, application, and workload behind that scalable, proxy-delivered security at the cloud edge, which is a considerable disincentive to attackers.
In addition, since the network is effectively supplanted, potential damage is minimized. If an attacker somehow breaches the zero trust defense, that threat actor (or the threat actor’s malware) cannot move laterally to other systems within an organization. Contrast that to recent ransomware attacks, in which cybercriminals who breach a perimeter are able to move from system to system within the corporate network and seize data with impunity.
Perhaps zero trust’s most compelling security benefit is the control it provides, particularly when it comes to monitoring. In a ZTA environment, resources may be invisible to the outside world, but data traffic is comprehensively visible to management. This enables IT leaders to audit cloud and Internet access and manage traditionally rogue IT activities, such as unauthorized third-party development or uncontrolled outside-the-perimeter work.
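The per-connection policy decision described in the NIST section above, together with the lateral-movement and monitoring points made in this section, is easier to see in code. The following is an added example, not code from the article, from Forrester, or from NIST: a toy policy engine standing in for the proxy, which evaluates every request (user-to-application and workload-to-workload alike) against a least-privilege policy, issues only short-lived grants, and records every decision. All identities, device records, resource names and policy rules are constructed for illustration.

```python
"""Per-request zero trust policy evaluation (added example, not from the article,
Forrester or NIST). Every identity, device, resource and rule below is constructed."""
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """An authenticated identity: a person or a workload; neither gets implicit trust."""
    name: str
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class DevicePosture:
    """Signals the proxy collects about the connecting device (constructed)."""
    managed: bool
    patched: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    expires_at: Optional[float] = None  # set only on allowed, ephemeral grants


# Constructed least-privilege policy keyed by (resource, action).
# Anything not listed is denied: there is no "network" to fall back on.
POLICY = {
    ("payroll-app", "read"):  {"roles": {"finance"},                "managed_only": True},
    ("payroll-app", "write"): {"roles": {"finance"},                "managed_only": True},
    ("wiki", "read"):         {"roles": {"finance", "engineering"}, "managed_only": False},
    ("ci-server", "read"):    {"roles": {"engineering"},            "managed_only": True},
}

GRANT_TTL_SECONDS = 300  # a grant covers one connection briefly, then is re-evaluated


class PolicyEngine:
    """Stands in for the policy-enforcing proxy: user-to-application and
    application-to-application requests all pass through here."""

    def __init__(self) -> None:
        self.audit_log: list = []  # every decision is recorded, allowed or denied

    def evaluate(self, who: Principal, device: DevicePosture, resource: str,
                 action: str, now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        decision = self._decide(who, device, resource, action, now)
        self.audit_log.append({
            "time": now, "principal": who.name, "role": who.role,
            "resource": resource, "action": action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    @staticmethod
    def _decide(who, device, resource, action, now) -> Decision:
        rule = POLICY.get((resource, action))
        if rule is None:
            return Decision(False, "no policy for resource/action (default deny)")
        if not who.mfa_verified:
            return Decision(False, "identity not strongly authenticated")
        if not device.patched:
            return Decision(False, "device fails posture check: unpatched")
        if rule["managed_only"] and not device.managed:
            return Decision(False, "resource requires a managed device")
        if who.role not in rule["roles"]:
            return Decision(False, f"role {who.role!r} not authorised for {resource}/{action}")
        return Decision(True, "policy match", expires_at=now + GRANT_TTL_SECONDS)

    @staticmethod
    def grant_is_live(decision: Decision, now: float) -> bool:
        """A grant is usable only until it expires and only for the resource it names."""
        return decision.allowed and decision.expires_at is not None and now < decision.expires_at


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Walk through the cases the article describes; returns outcomes for checking."""
    engine = PolicyEngine()
    laptop = DevicePosture(managed=True, patched=True)
    home_pc = DevicePosture(managed=False, patched=True)
    alice = Principal("alice", "finance", mfa_verified=True)
    bob = Principal("bob", "engineering", mfa_verified=True)
    # A workload identity: a compromised wiki server is just another principal
    # with no standing to reach payroll, so there is no lateral path.
    wiki_svc = Principal("wiki-svc", "workload", mfa_verified=True)

    out = {
        "alice_payroll_laptop": engine.evaluate(alice, laptop, "payroll-app", "read", now),
        "alice_payroll_home":   engine.evaluate(alice, home_pc, "payroll-app", "read", now),
        "bob_payroll_laptop":   engine.evaluate(bob, laptop, "payroll-app", "read", now),
        "wiki_to_payroll":      engine.evaluate(wiki_svc, laptop, "payroll-app", "read", now),
        "alice_unknown_app":    engine.evaluate(alice, laptop, "hr-db", "read", now),
    }
    out["audit_entries"] = len(engine.audit_log)  # all five decisions are visible to management
    out["grant_after_ttl"] = engine.grant_is_live(
        out["alice_payroll_laptop"], now + GRANT_TTL_SECONDS + 1)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The design choice worth noting is that the engine has no notion of "inside" or "outside": the finance user on an unmanaged home PC and the compromised wiki workload are both refused by the same rule set, and the denied requests appear in the audit log alongside the allowed ones, which is the visibility the article contrasts with castle-and-moat blindness.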
What Boards Can Ask Management
Cyber risk is business risk, and cybersecurity management is an executive imperative. Board members have the opportunity to guide their organizations into a cyber-secure present and future, starting with addressing the following questions with management:
Who in the organization owns cybersecurity, including its measurement, operations, and planning?
What is the organization’s risk exposure?
How does the organization measure threat posture?
Where is the organization on the journey to a NIST-compliant ZTA?
Given today’s increasing frequency, risk, and potential severity of global cyber threats, zero trust adoption can no longer be a question of when, but rather, “Why not yet?”