The cloud blew up the idea of a secure perimeter, obliterating traditional — even archaic — security strategies in which companies find false comfort.
Rethinking security made way for zero trust, a framework that, as Forrester defines it, operates on the assumption that the organization has already been compromised. Companies control who talks to whom, and when.
Never trust, always verify.
Zero trust isn't about identity. If it were, Edward Snowden's whistleblower campaign wouldn't have happened, said John Kindervag, field CTO at Palo Alto Networks, speaking at a Forrester event in National Harbor, Maryland, last month.
"Zero trust is the world's cybersecurity strategy," said Kindervag, the so-called "godfather" of zero trust. There are five steps to adopting a zero trust framework:
- Define the potential attack surface that needs protection and reduce it to its smallest possible size. The surface can be categorized by DAAS: data, assets, applications and services.
- Map where transactions flow.
- Build the zero trust architecture, which shows where the controls need to go. Surround and protect the attack surface with a micro-perimeter, enforced by a segmentation gateway and then by policy management.
- Create the policy that articulates the who, what, where, when, why and how of traffic. A zero trust policy will be able to decide who can pass the micro-perimeter.
- Monitor and maintain the zero trust architecture for "an anti-fragile system."
Zero trust is abstracted from the overall infrastructure by asking, "Why am I segmenting these elements?" Finding that level of granularity guides policy creation.
"I don't want to boil a pot of water, I want to boil a thimble," said Chase Cunningham, principal analyst at Forrester, while speaking at the Forrester event.
What tools are needed
Because zero trust is a strategy rather than a tool, technology or software product, deploying it begins with the solutions an organization already has.
"Most often the issues that people have with it is not the benefits of the strategic approach to fixing cybersecurity, it is the words 'zero' and 'trust,'" Cunningham told CIO Dive. "Most often that is where they bristle at the cultural side of adopting something that basically says to people 'I don't trust you.'"
While discomfort is understandable, it's a "weak reason" to avoid zero trust, he said.
Zero trust does come with some cost, even if it's not monetary.
A successful iteration of zero trust requires "whitelisting" connections because by design and default, every transaction is denied, Andy Wright, VP of marketing at Tigera, told CIO Dive.
While whitelisting isn't a new concept, the complexity that underlies it in a traditional infrastructure has delayed mass adoption, according to Wright. Existing whitelisting tools can be used to replicate elements of zero trust, but they slow application deployment and updates.
"In a whitelist environment, every change will require a ticket to open up the connection through a firewall. Those change requests generally take several weeks, or months," said Wright.
But Kubernetes — a fundamental tool for developers and system architects — can be an easy entry point for zero trust, according to Wright. While Kubernetes isn't necessary to pursue a zero trust architecture, it can serve as an entry point to an intent-based infrastructure, or a model for improving network availability and agility.
In other words, "you tell Kubernetes what you want, and it makes it so," said Wright.
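The default-deny-then-whitelist model Wright describes, and steps 1 through 4 of Kindervag's list, map directly onto Kubernetes NetworkPolicy objects. The manifests below are an added example, not code from the article or from Tigera, Palo Alto Networks or Forrester. The namespaces, labels and ports (a hypothetical "payments" namespace, a "payments-api" workload, a "checkout" client in a "storefront" namespace) are assumptions for illustration; the "kubernetes.io/metadata.name" namespace label and the "k8s-app: kube-dns" label are the ones Kubernetes and the standard DNS add-on use, but verify them in your own cluster.

```yaml
# Added example (not from the article): a micro-perimeter around a
# hypothetical "payments" service expressed as Kubernetes NetworkPolicy.
---
# Step 1 (protect surface) and step 3 (micro-perimeter): every pod in the
# "payments" namespace. With no NetworkPolicy, Kubernetes allows all
# pod-to-pod traffic. An empty podSelector selects every pod, and a policy
# with no ingress/egress rules allows nothing, so the default becomes deny
# in both directions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Step 4 (the policy): who (pods labelled app=checkout in the "storefront"
# namespace) may talk to what (pods labelled app=payments-api) and how
# (TCP 8443 only). Any flow not listed here remains denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-payments-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in ONE list item are ANDed:
        # only checkout pods that live in the storefront namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: storefront
          podSelector:
            matchLabels:
              app: checkout
      ports:
        - protocol: TCP
          port: 8443
---
# Egress for the same pods: cluster DNS plus the database on 5432.
# Default-deny egress silently breaks name resolution unless DNS is
# whitelisted explicitly, which is the most common mistake with this model.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-payments-api-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumption: label used by CoreDNS/kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:            # same namespace: the payments database
            matchLabels:
              app: payments-db
      ports:
        - protocol: TCP
          port: 5432
```

NetworkPolicy is only enforced if the cluster's network plugin implements it (Calico, Tigera's project, is one that does); on a plugin that does not, the manifests apply cleanly and silently do nothing, so test by running a pod that is not on the allow list and confirming it cannot reach port 8443. Every new allowed flow is then a change to this file in version control, which is the "tell Kubernetes what you want" model that replaces the weeks-long firewall ticket Wright describes.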
Passwords get a facelift
Zero trust is open to manipulation to fit an existing security strategy, depending on the maturity of a business. A heavily regulated company, which has "been steeped in cyber for a long time," is likely more inclined to focus on data security, according to Cunningham.
Novice organizations should dial in on their authentication practices and passwords.
As history demonstrates, compromised passwords are the calling card of some of the most infamous data breaches.
Hackers cracked passwords from a third-party vendor and lived inside Home Depot's network between April and September 2014. In 2016, Uber's GitHub was hacked. The bad actors were able to find and steal the username and password for Uber's AWS account, information that should never have been on GitHub to begin with.
While passwords will always be relevant, Cunningham predicts that with self-sovereign identity and biometrics combined with virtualization, "we will see the end of these outdated solutions."
But addressing a change in passwords, a staple of traditional security, takes cultural change. "If you're telling me your culture can't turn on two-factor authentication, then you have a bigger problem," said Cunningham.
A single password shouldn't be enough to gain access with zero trust, and if it is, all network traffic should be encrypted. "This helps avoid the man-in-the-middle attack," said Wright.
Building on stricter access requirements is a least privilege model in which users have the bare minimum of access, limiting the blast radius when a service is infected, said Wright. Those controls are then enforced throughout several layers of the IT stack.
If an application is compromised, "you can evaluate the security policies at the application as well as the host before allowing access," he said.
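The least-privilege model Wright describes, enforced at more than one layer, looks like this in Kubernetes terms. This is an added example, not code from the article or from any of the companies quoted; the "payments" namespace, the "payments-api" workload and the secret name are assumptions carried over from the hypothetical service above, and the image reference is a placeholder.

```yaml
# Added example (not from the article): least privilege for a hypothetical
# payments-api workload at three layers, identity (ServiceAccount), API
# access (RBAC) and host/runtime (pod securityContext).
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
---
# Layer 2, API access: the Role names exactly one Secret and one verb.
# No wildcards, no "list" over all secrets, and a namespaced Role rather
# than a ClusterRole, so a compromised pod cannot enumerate other
# workloads' credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-api-config-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["payments-api-db-credentials"]   # assumed secret name
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-config-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  kind: Role
  name: payments-api-config-reader
  apiGroup: rbac.authorization.k8s.io
---
# Layer 3, host/runtime: even if the application is compromised, the
# process runs unprivileged, cannot write its own filesystem, cannot gain
# privileges and holds no Linux capabilities.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
  labels:
    app: payments-api          # matches the NetworkPolicy micro-perimeter
spec:
  serviceAccountName: payments-api
  # Layer 1, identity: mount an API token only because this app reads a
  # Secret through the API; set this to false for apps that never call it.
  automountServiceAccountToken: true
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: PLACEHOLDER_REGISTRY/payments-api:PLACEHOLDER_TAG
      ports:
        - containerPort: 8443
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
```

To confirm the RBAC layer grants only what was intended, ask the API server from the workload's identity: `kubectl auth can-i get secrets --as=system:serviceaccount:payments:payments-api -n payments` should answer yes, and `kubectl auth can-i list secrets --as=system:serviceaccount:payments:payments-api -n payments` should answer no. Checking each layer separately is what makes it possible to evaluate policy "at the application as well as the host" before access is allowed.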