In 2009, Google was one of the more than 30 companies hit during a series of cyberattacks under Operation Aurora, which targeted the tech giant and other Fortune 100 companies. Google was the first to publicly attribute the attack to China.
The hackers used a zero-day vulnerability in Internet Explorer, according to McAfee: a flaw for which no patch or mitigation had yet been published. Spear phishing gave the intruders their initial foothold, and escalated access then let them roam through victims' trade secrets.
Operation Aurora demonstrated the interconnectedness of cybersecurity and the importance of zero trust. Zero trust assumes bad actors are already inside the network and grants each user only the minimum access required, reducing the attack surface.
The attack exploited basic cybersecurity shortcomings and weak identity management, and it was one of many incidents that shaped a decade of disastrous cyberattacks.
"This past decade sucked," said Dug Song, VP and general manager of Cisco and co-founder of Duo Security, while speaking at the Zero Trust Summit in Washington Tuesday. Malicious actors from China left blemishes all over the public and private sector in the 2010s. The Office of Personnel Management's 2015 breach was "one of the largest intelligence failures in history," said Song.
Why does zero trust seem hard?
The Department of Defense has always run separate networks for different classification levels, including secret and top secret. Network segmentation is a core feature of zero trust.
But there are "some really, really good hackers" that came after "what we thought were great devices" — firewalls, said retired Army Lt. Gen. Alan Lynn, VP of engineering at Cisco and former director of the Defense Information Systems Agency, speaking at the summit.
After hackers targeted agency devices, the DOD adopted the "common access card," a smart card carrying PKI certificates, as its identity platform, which it has used for about 15 years, he said. The solution is "not always loved, but [it's] effective."
What is difficult about zero trust is how an identity is crafted, said Suzette Kent, federal CIO within the Executive Office of the President, while speaking at the summit. A trusted identity can belong to a person, a device or a machine. Anything on an organization's network "is the challenge now." Businesses have to understand "who is what" and why they are on a network.
CIOs and CISOs are challenged with expanding zero trust beyond traditional "unique identifiers," she said. Now they have to understand the individual's purpose of access and, when certain actions don't make sense for a user, how to immediately stop their movement.
"If you can't get your arms around identity, you're going to have an uphill fight," said Steven Hernandez, CISO of the Department of Education, while speaking at the summit. Identity includes anything that might need or want access to an organization's data.
Realizing identity can be crafted from "non-person entities" is "powerful," because it challenges the traditional thought of what identity management is, said Hernandez.
Everyone plays a role in zero trust
While zero trust is a security buzzword, its properties have existed for years; it has just been shrouded by a "crazy landscape" of security solutions, said Song. There are thousands of security vendors, whose products are difficult to manage and integrate.
Cybersecurity has become an experience no one enjoys, he said. "We want to frustrate our attackers, not our users."
Because it trusts no one by default, zero trust poses a different kind of workforce challenge: everyone plays a role in crafting a reliable identity, said Kent.
Hernandez told summit attendees to build a relationship with the people in charge of human capital in their organization. The security organization can use their data to understand a user's attendance, travel and performance history.
Human capital data feeds a deeper profile, "which will drive how we view [a user] interaction with the data they're trying to get to," said Hernandez.
Continuous assessment of access is an added layer to understanding user-data relationships, including the "lifecycle" of a user's access history. Having a track record of user actions or geolocations can help determine if expanded access should be granted.
"Trust engines," when fed contextual data, will eventually be able to make access decisions on their own. For example, a trust engine could flag a user accessing banking data when they typically only view environmental impact data, said Hernandez.
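To make the "trust engine" idea concrete, here is an added example (not code from the article or from any of the speakers' organizations) of a small contextual access-decision function. It builds a per-user baseline from past access history, scores a new request on how far it departs from that baseline (a data category the user has never touched, a country they have never connected from, an unmanaged device), maps the score onto allow / step-up / deny, and feeds permitted accesses back into the baseline so the "lifecycle" of a user's history shapes later decisions. The risk weights, thresholds, user names, categories and history are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class AccessRequest:
    user: str
    category: str         # kind of data requested, e.g. "banking"
    country: str          # country the request originates from
    device_managed: bool  # True if the device is enrolled and compliant


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, built from past access."""
    categories: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)

    @classmethod
    def from_history(cls, history: Iterable[Tuple[str, str]]) -> "UserBaseline":
        baseline = cls()
        for category, country in history:
            baseline.record(category, country)
        return baseline

    def record(self, category: str, country: str) -> None:
        """Feed an access that was permitted back into the baseline."""
        self.categories[category] += 1
        self.countries[country] += 1


# Risk weights and thresholds are assumptions chosen for this example.
NO_HISTORY = 30
UNSEEN_CATEGORY = 50
RARE_CATEGORY = 20
UNSEEN_COUNTRY = 30
UNMANAGED_DEVICE = 25
STEP_UP_AT = 30  # require re-authentication (e.g. MFA) at or above this score
DENY_AT = 70     # refuse outright at or above this score


def score_request(req: AccessRequest, baseline: UserBaseline) -> Tuple[int, List[str]]:
    """Return a risk score (higher = less trust) and the reasons behind it."""
    score, reasons = 0, []
    total = sum(baseline.categories.values())
    if total == 0:
        score += NO_HISTORY
        reasons.append("no access history for user")
    else:
        share = baseline.categories[req.category] / total
        if share == 0:
            score += UNSEEN_CATEGORY
            reasons.append(f"category {req.category!r} never accessed before")
        elif share < 0.1:
            score += RARE_CATEGORY
            reasons.append(f"category {req.category!r} is rare for this user")
    if baseline.countries and req.country not in baseline.countries:
        score += UNSEEN_COUNTRY
        reasons.append(f"first request from {req.country}")
    if not req.device_managed:
        score += UNMANAGED_DEVICE
        reasons.append("request from an unmanaged device")
    return score, reasons


def decide(req: AccessRequest, baseline: UserBaseline) -> Tuple[str, int, List[str]]:
    """Map the risk score onto allow / step_up / deny."""
    score, reasons = score_request(req, baseline)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


if __name__ == "__main__":
    # Constructed history: a user who mostly reads environmental impact data from the US.
    history = [("environmental_impact", "US")] * 40 + [("reports", "US")] * 3
    alice = UserBaseline.from_history(history)
    for req in [
        AccessRequest("alice", "environmental_impact", "US", True),
        AccessRequest("alice", "banking", "US", True),
        AccessRequest("alice", "banking", "RO", False),
    ]:
        verdict, score, reasons = decide(req, alice)
        print(f"{req.category:>21} from {req.country}: {verdict} (score {score}) {reasons}")
```

The point a practitioner should take from this is that the engine never answers "who is this user" in isolation: the same credential produces allow, step-up or deny depending on the data category, origin and device posture attached to the request, and a category that was anomalous today becomes ordinary once it has been permitted and recorded a few times. A production engine would draw these signals from HR, device-management and geolocation feeds rather than an in-memory counter, and the privacy considerations raised below apply to every one of those feeds.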
While developing singular profiles is an essential piece of limiting access, privacy can't be ignored. Hernandez wants to make sure privacy teams have a seat at the table too. They're "happy to do it," he said.