As digital-based technology advances in complexity, traditional cybersecurity loses its potency, leaving many businesses vulnerable to exploitation. These unintended consequences worsen from cyberattacks which continue to increase in frequency and sophistication. Businesses of every size and industry can no longer afford to rely on obsolete security practices while the cost of cybercrime skyrocket to $6 trillion in 2021.
The highly prevalent work-from-home model has further strained an already outdated model of perimeter security. Even before the COVID-19 pandemic, companies increasingly turned to gig workers and BYOD, opening new entry points in their systems for bad actors to slip in. It is nearly impossible to find success with traditional security in the new hybrid work environment, even with mobile device management (MDM) and endpoint protection.
The time has come for all businesses in every industry to rethink security, lest they fall behind the curve, especially now that the President passed an executive order mandating zero trust for all government entities. Through SaaS, APIs and other cloud service implementation, alongside a cybersecurity strategy just as agile and modern as any other business practice, corporations can succeed in the new landscape. Pressing the reset button on security is only possible by disregarding the old-school ring-fencing and the rigid firewalls of the moat-castle mindset and embracing the zero trust mentality.
What is Zero Trust?
It’s important to understand that zero trust architecture (ZTA) is not a product or set of products but a strategy, one that businesses can and should recapitulate over time. The National Institute of Standards and Technology (NIST) describes zero trust as an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Picture zero trust as the living strategy of defense that anticipates and reacts to enemy attacks rather than an unreactive stationary wall.
In 2009, zero trust first emerged as an information security model for Forrester, who named it the Zero Trust Model. Over time it gained widespread acceptance; the top federal government cybersecurity leaders decided to adopt a zero trust approach. Today, three pillars support the zero trust model: everything is dynamic, permit the least amount of privilege, and watch and verify everything.
Our digital environments are far more dynamic, fluid and complex – ring-fencing alone will not be sufficient. ZTA is more relevant than ever before because the stakes are higher than ever before. With a report by IBM finding that 80 percent of breaches involve customer personally identifiable information (PII), the cost of these breaches, though hard to quantify, will include the deterioration of customer trust. The question that logically follows is, how does an organization move towards a zero trust model?
Guidelines for Moving Toward a Zero Trust Model
Since ZTA is a strategy with multiple applications and practices, it can be overwhelming when examined from a distance. However, underlying the model are straightforward concepts, easily split into ten guidelines:
- Gate with Least Privilege / “Need-To” Only Access: Keep access limited from the beginning and only permit authorized users that actually need access.
- Verify Constantly and Use Smaller Units: Transaction and access tokens must be verified and challenged regularly. Businesses can split up larger units of work to reduce one-time loss, which will also assist the efforts of detection and response teams.
- Automate and Microsegment Network, Workload and Data: Security needs to be interwoven into business processes and architecture from the start – not added later as an afterthought. Network, workload and data must be isolated and segmented to minimize the blast radius and accelerate containment. Additionally, automation must be applied wherever possible.
- Secure Endpoints: Assume that getting hacked is not a matter of how but when. Similarly, organizations should never assume that client endpoints are secure without first confirming that they are indeed safe. Businesses should only transfer necessary information to endpoints.
- Verify Services: Static as well as “by default trusted” binding should not get used on services - as an alternative - companies should align their resource access model with their identity access management (IAM) strategy through all SaaS, API providers and online applications.
- Review Corporate Services: Regardless if the SaaS host is internal or external, all corporate tools need to be united with the enterprise identity model while also supporting fine-grain controls.
- Secure Development Practices: Along with immutable infrastructure, two models that will help businesses align their systems with zero trust are the Secure Software Development Model (SSDM) and the continuous integration/continuous delivery (CI/CD) pipeline.
- Trust No Runtime: Runtime models are not perfect, bad actors will gain access eventually. All runtimes must be strengthened and made unchangeable where possible.
- Trust No Network: A business should never assume that a network is impregnable, even if its employees use a virtual private network (VPN) while on the corporate network. Companies should implement multi-factor authorization (MFA) along with layered security controls.
- Think like a Hacker: Businesses need to think like threat attackers to understand how they operate. By examining their own system from a hacker’s perspective, corporations can see weak points and issues they may not have noticed.
The Four Pathways to ZTA
There are four pathways to ZTA, and although advice varies on which is best, they are all similar at a fundamental level. Here is a summary of the four:
- Identity-Centric Model: This model is the most standard starting point and foundation of the four pathways. Businesses can even add pieces of the other three pathways where suitable. It is ideal because it unifies control identities across an entire ecosystem, including partners, customers and employees. Because so many business operations require access to the internet, it can become impossible to verify security credentials. By linking the user’s identity, device, service or network to the requested transaction, and by leveraging multi-factor authentication (MFA) and challenge-response authentication (CR), this model establishes control.
- Network-Centric Model: The basis of this model is that a company builds distributed and layered network isolation structures. Building these structures is dependent on miscosegmentation or the process of setting up small and well-defined boundaries through a next-generation firewall that is logically spread across an entire enterprise, reaching both on-premise or hybrid cloud coverage.
- Workload-Centric Model: Much like the network-centric model, the main principle of this pathway is that everything, particularly APIs and runtimes, is broken up into smaller units that are layered and secured. Runtimes, for example, get segmented into distinct microsegmentations, contained at properly configured nodes, and tested in sandboxes for monitoring purposes. Another component of this pathway is containerization or breaking down an operating system into units for further segregation preventing bad actors from getting ahold of all parts when they gain access.
- Data-Centric Model: Encryption is vital to protect against unauthorized access and visibility of assets, but it is only as tight as a key management policy allows. Through this fourth model, enterprises can understand where data is coming in and out of their system by breaking up the data into smaller units and assigning them special tags – much like the previous models. With ZTA, bad actors are like vampires counting every grain of rice because they must decrypt each unit when they get into a system rather than having unchallenged access to everything.
Most companies combine all four models for the most optimal solution, referred to as a hybrid approach to ZTA. But regardless of the approach, there is no denying that a digital transformation is an option but rather a need. Cyberattacks will only become more common and even more costly, meaning companies must bring the same agility used in business into their security architecture. With the understanding that nothing is 100% safe and by adopting a zero trust mindset, security teams will elevate the protection of the business from the customers to the employees and ultimately the bottom line.