How zero trust protects your company: inside and out

What if you can’t trust anyone in or outside your network? Can you still be secure? With the zero trust model, you can.

Remember when you could assume that it was safe inside your network behind the firewall? Those sweet days of IT innocence are long gone. 

The traditional castle-and-moat security model where users, once inside the firewall, were automatically trusted has long been outdated. For example, OneLogin, an identity and access management firm, found in a new study on passwords and the shift to remote work due to coronavirus that nearly one in five remote workers have shared their work device password with someone in their family. And, those are only the ones who admitted to it.

Adam Stern, CEO and founder of cloud-service provider, Infinitely Virtual, pointed out that many common attacks, such as ransomware, are the “products of inside-out attacks. that is, actions by unsophisticated employees from within the “moat/gate/wall” paradigm, one that assumes everything inside the moat is safe while everything outside is at risk. The Trojan-horse style attacks, thanks to phishing, have become commonplace.

Ten years ago, John Kindervag, former Forrester Research principal analyst, currently Palo Alto Networks field CTO, saw a need for a new security model: zero trust. He pointed out, there really isn’t an inside or outside the firewall in today’s IT world. Indeed, the very concept of trust and trusted systems is flawed. Or, as Kindervag put it, “Trust is a vulnerability. It provides no value to an organization, so we need to mitigate trust, just like any other vulnerability, and control access on a need-to-know basis.”

Even now that seems like a radical idea. But it’s an idea that’s gathered momentum in IT circles. Zero trust is even now on its way to becoming a National Institute of Standards and Technology (NIST) standard. And, with the coronavirus pandemic moving workers from offices to their homes, it may be an idea whose time has come.

As Lenny Zeltser, CISO at Axonius, a cloud asset management company, said, “COVID-19 has forced enterprises to transition to a distributed, remote workforce almost overnight. And when rushing to support this type of workforce, security leaders have had to make in-the-moment decisions related to risks that usually would take months, if not years to address, regarding areas such as network trust, perimeter, outside apps and infrastructure, and visibility into major aspects of IT operations.”

Therefore, Zeltser continued, companies should consider “using zero trust principles as guidelines to evaluate the current state of your crisis-induced cybersecurity program. It narrows the sphere of trust from large networks protected by a perimeter to components, such as endpoints and users.” He concluded, “The architecture was actually developed in response to enterprise trends such as remote users and cloud-based assets, so even if you weren’t sure how to begin your journey toward zero trust, COVID-19 is likely forcing you to advance down this path.”

So what is zero trust?

Let’s start with zero trust’s basic tenet: Trust no one. There are attackers both inside or outside your network. No users nor systems should ever be automatically trusted. By so doing, you eliminate many of the attack vectors bad actors use every day to grab passwords, steal data, install ransomware, and all those other things that make IT life a misery.

So, if you can’t trust anyone or anything what do you use instead? I mean it all sounds very dramatic, but you have to trust someone sometime right? Well, not really. In the zero trust model, you never trust, but always verify.

You verify that any user, program, or system has the right to access a “protect surface,” that is, your network’s most critical and valuable data, assets, applications and services (DAAS). These vary from company to company, but these can all be identified. If you can’t, you really need to sit back and take a long hard look at what’s really important in your IT system and what’s not.

Once you’ve worked out your protect surface, you identify how your network traffic is interacting with it. This includes: Who the users are; what applications they’re using; and how they’re connecting with it. Then, armed with this information, you determine their interactions. With this you’re ready to create a policy, which will ensure secure access to your data.

You do this using several techniques:

Microperimeter. Each protect surface, say for a database, has its own small security perimeter. Each database or filesystem is given its own small perimeter. These are created and maintained by a segmentation gateway, aka a next-generation firewall. Only known, allowed traffic for legitimate applications are allowed through to the protect surface. This is done at the Layer 7, application-level, of the network.

These micro-firewall rules are determined by the Kipling Method. That is to say, zero trust policy is based on who, what, when, where, why and how of every network interaction. So, Joe may have access to one particular database using a specific application, but be blocked from another database on the same server even though he’s using the same program. In short, zero trust consists of very granular rules for each unique combination of user, application and resource.

Least-privilege access. So, it should come as no surprise that zero trust relies on a need-to-know, least-privilege access model. Each user and application are given the minimum amount of access they need to get their work done. No less, and never, ever, more.

Multi-factor authentication (MFA) is also essential to zero trust security. Unlike the MFA you use with Facebook, which requires your password and a PIN to see what Aunt Tootsie is up to, in zero trust each user and device must be authorized by MFA to access a resource’s protect surface.

Putting this together isn’t easy. Marc Rogers, executive director of cybersecurity at Okta, a cloud-based identity and access management company, said, “The zero trust journey has been a roller-coaster ride. It took a while for the concept to both be widely accepted and for the various ideas of what it would look like to become aligned.”

Along the way, Rogers added, there have been “Partial implementations that either cut corners or have weak links in the chain lead to unfortunate incidents, and there have been several notable breaches as a result of this. On the flip side, the companies that have implemented strong cloud-based zero trust architectures already, have had an easier time adapting to a new way of working due to the current pandemic.”

Stern observed that “zero trust is a mindset, not a checkbox or a product. It’s an ongoing methodology for use in any number of IT decisions and scenarios, from internal audits to technology selection, day in and day out – forever. It’s an integral element of an overarching security model and, as such, has much more to do with process than with product.”

Charles Eagan, BlackBerry’s CTO, agreed. “zero trust is not a single product, but rather, it is a dynamic solution that continues to evolve as it learns from user behaviors and as your environment changes with new users, new devices, new applications and new technologies.” BlackBerry uses zero trust in its BlackBerry Spark, its secure communications platform

Zero trust in the field

Many companies are deploying zero trust successfully. Bryan Willett, Lexmark’s CISO, said, “Lexmark began incorporating the zero trust architecture across our infrastructure in 2016 and it’s now implemented throughout our environment, from on-premises to cloud, from development to manufacturing, and from work-at-home to work-on-site.”

“Today, every device must be registered and compliant before it can join the Lexmark network; all file requests, database queries, and print commands are checked thoroughly to ensure the requestor has the proper privileges; and we validate the identity of all users through multi-factor authentication. Bottom line: We make no assumptions or exceptions when it comes to these zero trust rules.”

As a result, “Like many businesses, our employees have been working from home during COVID-19 and we have seen an increase in phishing. When we’ve had employees fall victim to it, the protections we’ve gained from zero trust principles, like multi-factor authentication of users and workstations, on our VPN, our cloud applications, and our business applications have been invaluable in thwarting the hackers’ efforts.”

Mike Wolkowicz, VP of security for Americas at BT, formerly British Telecom, said,  “Our experience with customers has shown that a complete zero trust architecture can potentially reduce up to 94% of current attack vectors in use today, minimizing the potential for compromise.” So, naturally, “We recommend our customers transition to a zero-trust model. This has become the security standard, and we use this strategy across our global BT employee network as well.”

Is it easy to move to zero trust? No, not really. There are many companies out there ready to help you, but it’s a fundamental shift in how you approach security. It won’t come to you easily and it’s going to take time.

The real question is: Is it worth it? The answer’s yes. With security threats coming at your right and left, from within your network and without, you need a new, stronger security model and that’s zero trust.

Read more on zero trust:

• What it takes to build a zero trust network
• 5 steps toward real zero trust security
• Sorting zero-trust hype from reality
• How ABM built a cohesive security program around zero trust