cso spotlight: zero trust

What is zero trust? A model for more effective security

The technologies that support zero trust are moving into the mainstream. Here's why security experts say it might be the best way to stop data breaches.

cso spotlight: zero trust

Show More

The original Zero Trust Network, or Zero Trust Architecture, model was created in 2010 by John Kindervag, who at the time was a principal analyst at Forrester Research.

Now, seven years later, CIOs, CISOs and other corporate executives are increasingly implementing zero trust as the technologies that support it move into the mainstream, as the pressure to protect enterprise systems and data grows significantly, and as attacks become more sophisticated.

“If I have 20 calls, 17 are about zero trust. CISOs, CIOs and CEOs are all interested, and companies of various sizes are interested,” says Chase Cunningham, a principal analyst at Forrester. “And in three years, I think zero trust will be cited as one of the big-time frameworks in cyber security. Period.”

What is zero trust?

Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.

“The strategy around zero trust boils down to don’t trust anyone. We’re talking about, ‘Let’s cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized,’” says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass.

Why zero trust? Consider these statistics:

The 2017 Annual Cybercrime Report from Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

Meanwhile, the 2017 Data Breach Study, conducted by Ponemon Institute and sponsored by IBM, found that the global average cost of a data breach is $3.6 million. Although that figure is down from the prior year’s number, the study found that the average size of the data breaches increased 1.8 percent to more than 24,000 records.

[ Related: The 16 biggest data breaches of the 21st century ]

These figures come despite organizations spending more and more on their cyber security efforts. Gartner Inc., a tech research and advisory firm, pegged worldwide spending on information security products and services at $86.4 billion in 2017, up 7 percent over 2016. Gartner predicts spending will hit $93 billion in 2018.

Recognizing that existing approaches aren’t doing enough, enterprise leaders are searching for something better — and are finding that the zero trust model can deliver the best results, Cunningham says.

Gero agrees, saying “If you want to stop breaches, zero trust is the best way how.”

Security for a new world

The zero trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn’t pose a threat and therefore was cleared for access.

Security and technology experts say the castle-and-moat approach isn’t working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able move through internal systems without much resistance.

“One of the inherent problems we have in IT is we let too many things run way too openly with too many default connections. We essentially trust way too much,” Cunningham says. “That’s why the internet took off — because everyone could share everything all the time. But it’s also a key fail point: If you trust everything, then you don’t have a chance of changing anything security wise.”

Bad actors and malicious threats aren’t the only factors driving this new model.

Experts say that today’s enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don’t have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users — employees, partners, customers — accessing applications from a range of devices from multiple locations and even potentially from around the globe.

“All these macro changes have led to this new model. It’s led to the question, ‘How do we secure ourselves in this new model?’” says Bill Mann, senior vice president of products and chief product officer at Centrify Corp., a supplier of identity and access management (IAM) and privileged identity management (PIM) solutions located in Santa Clara, Calif.

He adds: “So in this new world the new firewall is close to the asset you’re trying to protect.”

The technologies behind zero trust

The zero trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment.

It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise.

“It’s, “No. 1, let’s understand who the user is. Let’s really make sure this is [for example] Bill and let’s make sure we understand what endpoint Bill is coming from — is it a known secure endpoint and what is the security status of that endpoint? And now let’s have a conditional policy, a policy [specifying] someone can have access to something,” Mann explains.

To do this, zero trust draws on technologies such as multifactor authentication, IAM, orchestration, analytics, encryption, scoring and file system permissions. Zero trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.

Cunningham says he thinks of zero trust as organizations taking back control of the battlefield.

“Let’s take network segmentation and next-gen firewalls and put them down in segments and control who, what, where and when someone connects,” he says. “So we design from inside the network out vs. outside in.”

As is the case with IT in general these days, zero trust “is not just technology; it’s about process and mindset as well,” Mann adds.

Getting started with zero trust

A number of enterprise IT shops are already doing many pieces of zero trust, experts say. They often have multifactor authentication, IAM, and permissioning in place. They’re also increasingly implementing micro-segmentation in parts of their environment.

Yet developing a zero trust environment isn’t just about implementing these individual technologies. Instead, Cunningham, Gero and Mann say, it’s about using these and other technologies to enforce the idea that no one and nothing has access until they’ve proven they should be trusted.

“You’re going to decide strategically that this helps me and you start buying technology to put in place that allows you to achieve that goal,” Cunningham says.

He notes: “The real landmine is to try to throw technology at the strategy and hope you got it right. It’s better to embrace the strategy and then leverage technology iteratively.”

Not surprisingly, organizations will find that getting to zero trust is not an overnight accomplishment. Nor will it be easy, particularly if they have legacy systems that don’t transition well to this new model, Cunningham says.

“Many companies are moving to cloud and, thus, green field environments. Those are the perfect places to go to zero trust. There’s where you start your zero trust journey,” he says, explaining that organizations, particularly larger ones with complex IT environments and legacy systems, should see the move to zero trust as a multiphase, multiyear project.

Another challenge in moving to zero trust is getting staff to think in this new way, Mann says.

“Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments. Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment,” he explains.

Organizations also need to understand that zero trust requires ongoing effort (as does any other successful IT or security protocol) and that certain pieces of the zero trust effort may create more challenges than others, according to experts.

For instance, Gero points out the ongoing work that come with micro-segmentation, where teams must be sure to configure changes properly and update changing IP data to ensure there’s no interruption in the access required for employee work or corporate transactions. Otherwise, organizations could be dealing with a work stoppage.

“A lot of companies are thinking, ‘If I get malware and it stops me from doing business and if I have a misconfiguration that stops me for a day, those are both bad,’” Gero says, adding that the ongoing work required with the micro-segmentation approach could lead to “a lot of Band-Aids and that can make networks more brittle.”

As a result of the complexities of applying zero trust to legacy and existing environments overall, companies really haven’t been able to fully implement this model, says Kieran Norton, a principal in the Cyber Risk Services practice within Deloitte Risk and Financial Advisory.

So Norton says he advises organizations to build zero trust “by design, not by retrofit.” In other words, they should pursue the zero trust model as part of their overall digital transformation strategy, implementing the technologies that can help them achieve zero trust as they move more to the cloud and thus retire old legacy systems.

Moreover, Norton says the move to zero trust should involve the CISO, the CIO and others in the executive tier so they can prioritize what moves to this model and which pieces of their environment can wait.

“I think about this as infrastructure transformation,” he adds. “Information security hasn’t kept pace with this digital transformation/modernized environment. But you have to transform how you manage security. You want to think about ubiquitous security, you want to be predictive, so you really need to be thinking about it differently.”

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)