Today, Zero Trust is the subject of much discussion and debate; for instance, is Zero Trust doable in reality or more so in theory?
As many are aware, Zero Trust is a concept that deems everyone (employees, freelancers and vendors) and everything (datacenters, applications and devices) must be verified before being allowed into a network perimeter – whether they are on the inside or the outside of an organization.
The onslaught of COVID-19 with its work from home mandates, along with accelerated adoption of cloud computing, and the a considerable uptick in security breaches, created the perfect storm and, arguably, the necessity for the wider adoption of Zero Trust when it comes to securing access. But there are still naysayers, those who may not believe it is achievable to instill Zero Trust access to on-premise resourecs and in the cloud applications.
The fact is, Zero Trust is achievable for multi-cloud and hybrid IT environments. There are many solutions that the enterprise can easily adopt, without necessarily breaking the bank or even having to redo their entire network infrastructure. That said, achieving Zero Trust does require a few newer security technologies to help justify and expedite the implementation of Zero Trust including the following: machine learning, CARTA and Software Defined Perimeters.
But first, let’s look at how Zero Trust became a necessity in today’s world.
The blurring of the network perimeter
It was not that long ago when organizations appeared to have clear cut boundaries between who and what to trust. For instance, anyone or any device on the “inside” of the four walls of an organization or the network perimeter was deemed trustworthy. Likewise, any applications, devices or vendors on the “outside” would need to have their identities and credentials checked.
But, in the past few years, several trends blurred the lines between the inside and the outside of the network perimeter. Even before COVID-19, cloud adoption and the number of employees working remotely necessitated a new approach. In addition, several high-profile security breaches that originated from inside organizations, such as Snapchat, made it clear that security polices needed to change, and that the attack surface had expanded to the inside.
As such, by late 2019 and early 2020, more organizations were looking to deploy Zero Trust. According to the 2020 Zero Trust Progress Report, it was reported that 72% of organizations planned to implement Zero Trust capabilities in 2020 to mitigate growing cyber risk.
Cloud computing and COVID-19 accelerated zero trust adoption
While many organizations put “deploying Zero Trust” on their “to do” list in the beginning of 2020, the start of COVID-19 sped up Zero Trust adoption considerably.
As hundreds of millions of employees rapidly moved from working from within their offices to their living rooms and kitchen tables in early 2020, cybercriminals found a new calling: instead of looking to penetrate a company’s router or firewall – they found it much easier to target employees as they attempted to log onto their company networks. This required organizations to focus on only on the suddent increase in remote access capacity, but also how to fortify their endpoint security capabilities to mitigate identity theft, malware and network breach risks. This also spurred the opportunity for leaders to rethink their entire secure access solution stack – strategically.
Additionally, a recent survey reported that 40 percent of enterprise tech managers around the world began accelerating their move to the cloud, with a whopping 39 percent expected to be 100 percent in the cloud.
Machine learning allows organizations greater oversight in user activity
Machine learning in secure access solutions allows organizations to procure greater oversight into who is accessing what and where as well as if a user is performing normal activity. Machine learning can also help ascertain whether a user is acting in a way that can be potentially malicious or suspicious. For instance, machine learning monitors all the resources in a data center to ascertain what is reasonable and “normal” behavior for an organization’s users – and therefore should an anomaly occur – it can be flagged by the administrator.
These use cases can then become part of an algorithm that can identify potentially “odd” behaviors.
By noting both normal and strange behaviors over time, if something out of the ordinary should occur, it can be proactively identified before it becomes an issue. A few examples might be someone accessing an HR system for the first time – which could raise a red flag. Or perhaps a user logs on from Los Angeles but then an hour later, the same user logs on from Paris – that disparity is noted.
CARTA: Gartner’s continuous adaptive risk and trust assessment
Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) framework allows organizations to assign a risk score to its users – instrumental to the concept of Zero Trust. CARTA augments contextual and identity-centric policies with built-in User and Entity Behavior Analytics (UEBA) whereby attributes for every session are monitored and assessed. By applying proprietary risk scoring algorithms to identify non-compliant, malicious and anomalous activity, an organization can take proactive and expedited threat mitigation actions.
For instance, if a user logs into the network for the 500th time from a device – the risk score is relatively low. If the same user gets a brand-new device and logs on for the first time, the risk score rises.
CARTA helps IT administrators figure out via a risk score, which users can be trusted, and which should be called out and flagged. Organizations should look for software that is compliant with this framework.
Software defined perimeter – An extension of zero trust
Software Defined Perimeters (SDPs) are an extension to Zero Trust which removes the implicit trust from the entire network perimeter. A decade or so ago, we had what is called the “fixed” network perimeters – in a nutshell, one way in and out. As discussed earlier in the article, the network perimeter has expanded with cloud and SaaS applications stretching the perimeter way beyond what could have been imagined 20 years ago.
As such, Network World writes “…A new approach was needed that enables the application owners to protect the infrastructure located in a public or private cloud and on-premise data center… and a user must authenticate before visibility of the authorized services is made available and access is granted.”
The Cloud Security Alliance notes that SDPs use Zero Trust to “…provide access to application infrastructure only after device attestation and identity verification.”
“…Regardless of whether they are inside or outside the network, (users can) connect directly to resources, whether they reside in the cloud, in the data center, or on the internet; all without connecting to the corporate network,” according to an April 2019 white paper on zero trust by the American Council for Technology.
It is no secret that COVID-19 has accelerated many trends that have necessitated Zero Trust. The wide adoption of cloud computing, the uptick of cybersecurity attacks and what will be the next transition from the home office to a hybrid workplace, organizations are moving forward with the combined controls and new technologies to make Zero Trust a reality.
There are some who may feel that Zero Trust is a lofty concept that cannot be easily applied especially when cloud computing is thrown into the mix, but the truth is that there are new solutions out there allowing companies to secure access not only the datacenters, but the cloud and SaaS applications as well.
Thanks to the application of machine learning, CARTA and SDP, the advantages of Zero Trust can be realized by organizations large and small.