Zero trust is a never-ending journey, not a ready-made solution
Nearly all organizations are struggling with how to stay in control as their data migrates to the cloud and users connect from anywhere. The answer, they’ve been told, is zero trust. Zero trust starts from the premise that an organization is going to be breached so that they can then focus on minimizing any potential harm. Although well-defined as an architecture and a philosophy, it is difficult to apply these principles across your infrastructure in the real world. While you can’t buy a complete, packaged zero trust solution, you can build a solid defense strategy around zero trust concepts to secure sensitive data and enable the business and users to proceed in a safe manner.
Over the past few years, the environment to which zero trust is being applied has changed dramatically. Users are working outside the safety of traditional security perimeters, using devices and networks the organization doesn’t control. Cloud and remotely accessible infrastructure enables anyone to work and collaborate from anywhere on any device, but it is critical to ensure access is secure and centrally managed.
There are numerous elements to zero trust, notably, user (identity), endpoint, data, and risk. Rather than a ready-made solution or platform, zero trust represents a mindset, a philosophy, and ultimately a cybersecurity architecture. Aaron Cockerill, Chief Strategy Officer with endpoint and cloud security solutions provider Lookout, urges organizations to focus on what matters most: sensitive data.
“What’s happened over the last couple of years with digital transformation is that users, apps and data have left the building and are no longer within that traditional security perimeter,” says Cockerill. “Rather than simply providing remote access via virtual private networks, take the services that you had in that perimeter and put them in the cloud so that you can work in this new hybrid environment where apps are in the cloud or cloud-accessible.”
That’s the aim of Security Service Edge (SSE) solutions that provide cloud-based security components, including Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG) and Firewall as a Service (FWaaS).
“When users were in the building, the internet was filtered for them by their company to make sure that they were not clicking on malicious links and performing other non-secure activities, so part of SSE moves those services into the cloud.”
Most organizations have now adopted hundreds of SaaS apps, and each one handles authorization and access control differently. To avoid having IT become an expert in every SaaS app, centralized policy management across all cloud and SaaS apps through a CASB solution should also be top of the list for most organizations. “By centralizing data access policies IT teams can minimize workloads, simplify administration, and avoid misconfiguration that can introduce vulnerabilities.” Cockerill adds.
Finally, in the wrong hands VPNs expose large parts of your infrastructure to attack. “That’s basically a tunnel through the firewall into the soft, gooey center of any organization’s IT infrastructure, which is a nightmare from a security standpoint. Once someone connects via VPN they typically have unfettered access to adjacent apps and data, and this is where lateral movement comes into play. You need to segregate your infrastructure to prevent lateral movement.” Bad actors use lateral movement to search for systems and data that can be leveraged to extort their target. Zero trust proposes microsegmentation to address this, but ZTNA is a simpler and more modern approach.
The noise level around zero trust can be confusing for organizations trying to chart the safest course. Cockerill warns against falling for misleading claims about so-called “zero trust solutions,” and instead recommends assessing your current and desired state against an established zero trust security model, such as one drafted by the Cybersecurity & Infrastructure Security Agency (CISA).
“Implementing zero trust is a never-ending journey and the best way of establishing the right elements of technology for you to embrace in that journey is comparing yourself back to those maturity models,” says Cockerill. “There’s no silver bullet so don’t be misled by vendors telling you there is because you can’t buy it off the shelf. You need to look for vendors that acknowledge that integration with your existing infrastructure is the right approach.”
The CISA model aligns the zero-trust security model to five pillars:
- Identity
- Device
- Network/Environment
- Application Workload
- Data
According to CISA, each pillar can progress at its own pace and may be farther along than others, until cross-pillar coordination is required, allowing for a gradual evolution to zero trust.
There are endless ways to apply zero trust, so it’s important to start out with a well-thought plan. Cockerill recommends that organizations prioritize their implementation efforts according to their risk registers. “I would prioritize, maybe even over-correct towards the protection of data to stop your data from being stolen” he adds. “Zero trust represents our best approach to the battle against cyber attackers, but it shouldn’t be considered a panacea. It’s virtually impossible to deploy controls across everything, so it’s critical to assess the risks involving the organization’s most sensitive data and start the zero-trust implementation there.”