While the approach of Zero Trust may become a reality to some organisations over the course of 2022, but for most organisations it will mostly exist as an aspiration. Others will claim success simply by applying a few of the many principles of Zero Trust in practice. That said, it will almost undoubtedly be a slow journey to get there.
What is Zero Trust and why do we need it?
The theory behind zero trust fundamentally changes how we perceive threats. Conventionally, we perceived bad actors as being on the external side of the network (or rather the untrusted side) and viewed everyone sitting on the inside, (or trusted side) to be both known and therefore trusted.
In today’s cybersecurity climate, this a very dated mindset. Unfortunately, it still the status quo for many organizations. This thinking goes back in time to the days where clear perimeters existed, and the only way into the network was through tightly controlled channels. And even those ‘tightly’ controlled channels were not always secure or even the only way in. But the model worked to a degree, and defence-in-depth was born. Based on the continuous growth in the number of vulnerabilities and increased sophistication of both hackers and TTP (tactics, techniques, and procedures) that we see today in our complex digital ecosystem, clearly something needs to change. Enter Zero Trust.
‘Trustworthy’ users can inadvertently let the bad actors in.
Evidence of successful data breaches and cyber-attacks has shown us that bad actors can operate from within the network on the so-called “trusted” side. This design is something that attackers can leverage to their advantage and can often go undetected until it is too late. Often, the so-called ‘trusted’ users are unaware that an attacker may have used their user identity. The actors may be silently in the background relying on the users’ privileges to infiltrate and move across the network to access sensitive data and critical systems, undetected as it might otherwise seem normal.
Zero Trust is an approach that flips this on its head. It changes the model to one that applies the “least-privilege” principal by default, categorizing all users as automatically untrusted from the outset. Therefore, to access any resource, the user must be identified and authenticated before gaining access and privileges for that application, system, or resource.
Government entities increase pressure to adopt Zero Trust principles
Zero Trust is not going away. In fact, government entities are increasing the pressure. For example, The Executive Order on Improving the Nation’s Cybersecurity issued by the White House in May 2021, made the federal government’s position clear on the need to advance Zero Trust. Just a few months ago, it also announced the Federal Strategy to move the U.S. Government itself towards a Zero Trust architecture.
As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity1
The same goes across Europe where EU organisations are equally being encouraged to adopt Zero Trust principles with the latest revision of the European NIS directive, NIS2.
Concern about maintaining business operations stunts Zero Trust framework adoption
We can’t deny that a methodology designed to establish different levels of trust as additional access and movement is required and is entirely logical. However, implementing a complete zero trust model successfully, as it is defined, is largely impractical in the real world, thereby an unrealistic objective for many organizations.
That’s not to say Zero Trust is unrealistic to achieve because it’s flawed or doesn’t work but applying the theory to practice in the real world is just difficult. In the real world, enterprises face many challenges: fragmented infrastructures, legacy systems, bespoke applications, visibility, cloud environments, existing transformation, migrations, and more.
Businesses are reticent to make changes that impact important organizational operations. This impact must be considered when changing how an infrastructure behaves and how users (employees, customers, partners) interact with these services.
When considering operational impact, re-defining and re-designing access and privileges is extremely complex. Thus, Zero Trust has often been considered “hype” instead of “reality” due to the difficulty level of implementation.
Zero Trust will become the new best practice benchmark
Enterprises should look to identify areas of their networks and critical assets where zero trust is achievable. They can then apply Zero trust principles to make solid improvements to increase their security posture efficacy overall. Those that make inroads – even incrementally – will be much more successful in preventing a security breach over the next few years.
Over the next few years, many enterprises will set zero-trust security objectives in their strategy, with established metrics to evaluate and measure success. The organizations that fail to take this initiative will continue to leave parts of their critical infrastructure open and susceptible to sophisticated attacks, not to mention the steady increase in cost for managing and operating a suboptimal defense strategy over time.
Zero Trust will become the new best practice benchmark, particularly for organizations undertaking cloud transitions and migrations to cloud services. In this case, defining trust models and data access within cloud environments becomes more practical and achievable.
Advance your Zero Trust network strategy with the Skybox Security Posture Management Platform
Skybox Security can help you establish and maintain a Zero Trust framework, by providing visibility and a continuous understanding of your hybrid networks and the attack surface across all environments. You need to model and analyze your network, cloud, and security configurations together. This context helps you make informed decisions about what critical assets to protect with Zero Trust, how to properly design the network environments, and what specific policies need to be applied. Once the Zero Trust architecture is established, continuous and adaptive modeling of the hybrid networks is necessary to effectively maintain the Zero Trust posture.
Skybox can help you advance these five key areas of developing and executing a Zero Trust strategy:
1.) Determine where to focus your zero trust efforts.
With Skybox you can aggregate and consolidate data sets that reflect the current configurations of your hybrid infrastructure, all your security controls, and endpoints. You can then identify the critical assets, applications, data repositories and infrastructure that will comprise your Zero Trust zone.
2.) Model your hybrid network.
By understanding your network connectivity, combined with your network and security configurations, you will know what you are starting with. Then you can visualize and assess your security efficacy and develop your Zero Trust strategy.
3.) Architect for Zero Trust.
Develop and optimize segmentation strategies, as well as configure and optimize your network and security technologies.
4.) Establish and validate Zero Trust policies.
With Skybox you can automatically assess policies for exposure risk and compliance. Validate policies using a network model.
5.) Monitor and maintain.
Leverage a network model to continually monitor your hybrid networks. Validate changes before they go live to ensure compliance. Automate change management processes and align with your Zero Trust architecture.
(1) Office of Management and Budget Releases Federal Strategy to Move the U.S Government Towards a Zero Trust Architecture. The White House Briefing Room, January 26, 2022.