The Foundations of Zero-Trust for your Organisational Cybersecurity Strategy
By: Marlon Nair
1. Introduction
“Zero Trust” has gained a lot of attention over the past few years, at a time when Information Security Architectures have been unable to keep pace with the threat landscape posed by internal and external actors. This statement becomes more relevant when one reviews the breach reports across the various industrial sectors. These reports indicate to us as security professionals that what we may be doing may not be working.
I therefore pose the following question:
Do we need a new fresh approach, or do we need a holistic approach utilizing current security best practices that secures the trust of data flow from source to destination?
2. What is Zero Trust?
“Zero Trust” as a concept is focused on an organization not trusting by default any access to data, whether from inside or outside its perimeter. Instead, mechanisms must be in place to identify and then verify every activity or query attempting to connect to its systems before access is granted.
Alternatively:
A “Zero Trust” security model requires identification and verification of each user or device attempting to access resources within a private network, whether from within or outside the perimeter.
We are basically saying that “Zero Trust” cuts all access to network resources until we know who the actor is and whether they are authorized to access the resource.
3. Why are we at Zero Trust?
Honourable mention must go to the current Covid pandemic, as it has forced us to rethink our strategies and pushed us out of our comfort zones. However, we must focus holistically and look at the business risks that are overarching.
3.1 Breaches
While a CISO may not be asked to leave after a breach, senior IT employees have been laid off after large enterprises have experienced one. Data breaches are common after a security incident, and many have resulted in the senior IT Security leader losing their job. IT executives losing their jobs is one thing; however, customers and users losing their personal information, and the ramifications that follow, are far more serious.
3.2 Business Drivers of Zero Trust
Apart from data breaches, the business organization is transforming in the global economy, relying on connectivity to expand its markets and grow its customer base. It is expected that the corporate network is connected to vendors, partners and customers across varying geographies, using a multitude of devices.
3.2.1 Move to the Cloud
Business processes and applications are moving out of the secure data centres and into the cloud, as it becomes possible to implement next-generation technologies at a faster pace. This rapid pace results in data, users, devices and applications residing outside the secure perimeter faster than security controls can keep up. The perimeter therefore no longer exists.
3.2.2 Digital Transformation
Digitizing all aspects of the business on next generation technologies is fast gaining pace. Huge investments in technology will place strain on the security processes and security infrastructure. An attack surface that is growing exponentially will require the ingenuity of security professionals.
3.2.3 Increasingly Sophisticated Attacks
The increasing attack surface, combined with the weakening perimeter, provides an ideal environment for sophisticated malware that is delivered not only via the traditional method of email but also through self-propagating methods. Malware with worming and morphing capabilities requires only a single unpatched device in order to persist for years.
4. Foundations for Zero Trust
At the beginning of this paper I posed the question:
Do we need a new fresh approach, or do we need a holistic approach utilizing current security best practices that secures the trust of data flow from source to destination?
Security strategies should be built around the need for the usage of a multitude of devices, external data sources, varying user access levels and types of users, the internet of things and access at the edge. In such an environment the network and the threats are constantly in motion as is the business and its evolving demands on security and technology. Meeting that business need requires that we as security professionals ensure that data is accessible by the right processes and people for the progression of business.
4.1 Understanding the AS-IS Landscape
The first step is to take stock of the current technology and business landscape. First seek to understand, document and lay out the building blocks of the current business processes, the underpinning technologies and, most importantly, the security controls and technologies already in place. One should not make changes without first understanding the impact of those changes. Once the AS-IS landscape is understood, the attack surface can be clearly articulated. Furthermore, a detailed understanding brings the possibility of re-use and re-configuration to the fore.
4.2 Understanding the Information Assets
Understanding how the business processes its data, the sources of that data, the transaction flows of data, and the Who, What, When, Why and How of data consumption further articulates and clarifies the potential attack surface that requires protection. It is data, after all, that is the target of a breach. The reality is that no organization has all its data in one place. Information is spread from the internal data centre to outsourced disaster recovery sites as well as to cloud and SaaS services.
4.3 Network Segmentation
Practicing segmentation within the corporate network should be an ongoing activity. However, we tend to do it only at the perimeter, DMZ and gateway levels. Implicitly trusting the internal environment and its connected devices is an attitude and principle that must change for Zero Trust to be successful. Micro-segmentation within the network, which breaks the environment up into smaller security zones and thereby enforces separation of access between its differing parts, should be taking place continuously.
4.4 Identity and Access Management
Focusing on the theme that the insider threat is more relevant than the external one, an attacker will always attempt lateral movement within a network by compromising user credentials. Therefore, it is extremely relevant to get a hold of your Identity and Access Management (IAM) program, ensuring it is attentively focused, adequately resourced and delivering tangible value. Too often IAM is a monolithic, multi-year project that consumes vast amounts of the security budget with little value shown. At its heart, IAM must deliver the principles of Least Privilege, Segregation of Duties and Continuous Identity Lifecycle Management, as well as ensuring that Multi-Factor Authentication is standard at the access point.
4.5 Security Operations
The security operations environment needs to evolve from a generally reactive to a proactive way of working. Network micro-segmentation and a maturing IAM program result in many more data points to protect, as well as large volumes of data in the form of security logs. Adequately resourcing the SIEM to host and analyse these logs, together with deep visibility and analytics encompassing advanced threat detection and response, using current processes and technologies as well as next-generation technologies such as artificial intelligence, becomes more relevant.
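To make the principles in sections 2, 4.3, 4.4 and 4.5 concrete, here is an added illustration (not part of the original article) of a per-request access decision: every request is denied by default, the originating network segment confers no trust, the role must be entitled to the resource (least privilege), MFA and a managed device are required where the segment policy says so, and each decision is emitted as a JSON audit line for the SIEM. The segment policy, roles and resource names are constructed for the example.

```python
"""Zero Trust style policy decision point: verify identity, entitlement and device per request."""
from dataclasses import dataclass
import json

# Hypothetical micro-segment policy (constructed values): which roles may reach
# each resource segment and what minimum assurance the request must carry.
SEGMENT_POLICY = {
    "hr-db":    {"roles": {"hr-analyst"},             "mfa": True,  "managed_device": True},
    "wiki":     {"roles": {"hr-analyst", "engineer"}, "mfa": False, "managed_device": False},
    "prod-k8s": {"roles": {"engineer"},               "mfa": True,  "managed_device": True},
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    source_segment: str   # recorded for audit only: an internal origin grants no trust
    resource: str


def decide(req: Request) -> dict:
    """Evaluate one request against SEGMENT_POLICY; unknown resources are denied."""
    policy = SEGMENT_POLICY.get(req.resource)
    reasons = []
    if policy is None:
        reasons.append("unknown resource: default deny")
    else:
        if not (req.roles & policy["roles"]):
            reasons.append("role not entitled (least privilege)")
        if policy["mfa"] and not req.mfa_verified:
            reasons.append("MFA required")
        if policy["managed_device"] and not req.device_managed:
            reasons.append("managed device required")
    return {
        "user": req.user,
        "resource": req.resource,
        "from": req.source_segment,
        "decision": "allow" if not reasons else "deny",
        "reasons": reasons,
    }


def audit_line(decision: dict) -> str:
    """Serialise a decision as one JSON object per line for shipping to the SIEM."""
    return json.dumps(decision, sort_keys=True)
```

Note that the same user on the same corporate LAN is allowed into one segment and denied another; location never substitutes for verification.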
5. Conclusion
In answering the question:
Do we need a new fresh approach, or do we need a holistic approach?
By leveraging current governance, people, process, technology and data, and applying a holistic solution that encompasses user access, device control, micro-segmentation, visibility and deep analytics as well as critical thinking, the foundations of Zero Trust are already embedded within our environments. As security professionals and leaders in a constrained business economy with shrinking budgets, we are required to be more innovative and to consider re-use before considering new theories. The foundational building blocks for Zero Trust are within our grasp.
4y: Very well written Marlon Nair
Business Systems Analyst
4y: Interesting read, my Chief.
Head of Data Governance and Management | PhD in IT & Cyberspace Governance
4y: Nice 1 Marlon Nair