Sometimes it feels like we run in circles in InfoSec – chasing the same ideas, but changing the name or re-defining the concepts behind the ideas. Largely, the initiatives remain the same. In cybersecurity, while the goal is seemingly simple – reduce the threat surface and protect your valuable data from exfiltration – it seems the journey to zero-trust is not.
Evolution of Trust Models – A Brief History Lesson
In the “good ole days” it was easy; everything lived behind a firewall inside the corporate network. As the business world changed to encompass remote workers, everything still lived within a controlled infrastructure and access was granted for outside users through secured virtual private network (VPN) connections. This shift in the early 2000s to allow access from outside the perimeter started a buzz around the idea of “de-perimeterization,” which the Jericho Forum was created to tackle.
The borders of the digital world expanded further with the introduction of cloud applications and services. Hybrid infrastructures meant the traditional castle and moat approach to security became antiquated and the threat surface broader. This introduced new challenges for security professionals to protect the resources of an organization. John Kindervag introduced the concept of a “zero-trust model” for information security in 2009 and defined it as an approach that assumes no traffic within an enterprise’s network is any more trustworthy by default than traffic coming in from the outside.
This model served as the building blocks for Google’s BeyondCorp, introduced in 2014, which is an implementation of a zero-trust architecture that requires securely identifying the user and device, removing trust from the network, externalizing apps and workflow, and implementing inventory-based access controls.
Today, the rise in a cloud-connected, mobile and remote workforce has put the visibility and control of users and devices firmly outside of the enterprise. The extended perimeter is now centered around user identity and their devices. To address this new reality, Gartner’s CARTA model – continuous adaptive risk and trust assessment – calls for a shift away from one-time, binary access decisions toward contextual, risk- and trust-based decisions. This model is about giving just enough trust to users, even after authentication, to complete the action requested.
As an industry, we have been circling this notion of the shifting perimeter for years, but it hasn’t gained legitimate traction within organizations. Perhaps this is because prescribed implementations have morphed with the changing digital landscape, making them appear untenable to implement and maintain.
Now that the idea of a zero-trust approach to security has resurged in the InfoSec space, everyone seems to be offering complex models and solutions. But what problems does this approach solve? How can organizations build a zero-trust model, and where should they start? Maybe the problem is that there is uncertainty around this being the right approach to future-proof environments in this ever-changing digital landscape.
Does Zero Trust Solve New Identity Perimeter Risks?
Protecting users should be the core component of a zero-trust security strategy. Teams need the ability to verify both user identities and the trustworthiness of their devices before granting access to enterprise applications and data.
Compromised credentials are a prime target of attackers, allowing for easy, unprotected access due to phishing, brute-force and other password attacks. In an analysis of simulated phishing campaigns, Duo’s 2018 Trusted Access Report found that more than half (63 percent) successfully captured user credentials.
A zero-trust security approach for the extended perimeter makes it more difficult for attackers or unauthorized users to gain access to applications without meeting certain identity, device, and application-based criteria.
Brick and Mortar of the New Security Wall
This doesn’t mean that organizations have to deconstruct their existing environments or add complex layers of security to adopt this model. Solutions should enable you to protect your current investments without heavy uplift in administration and implementation. In fact, the most successful solutions should layer on top of existing infrastructures and be convenient and easy for user populations to adopt without an impact to their current workflows.
A zero-trust approach for the workforce should provide an organization with the tools to be able to evaluate and make access decisions based on specific risk-based context for any application within an environment. This can even mean layering security controls on top of existing remote access solutions that are in place today.
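As an added illustration (not code from the original post or from any vendor product), the following Python policy evaluator combines the three criteria named above, identity, device posture and application sensitivity, into a per-request decision that is not simply allow/deny. The attribute names, the sensitivity tiers, the device scoring and the sample requests are all assumptions made for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool      # identity: has the user completed a second factor for this request?
    device_managed: bool    # device: enrolled in the organization's inventory?
    device_patched: bool    # device: OS/browser up to date?
    app_sensitivity: str    # application: "low", "medium" or "high" (assumed tiers)
    network: str            # "corporate" or "external"; carries no trust by itself

# Minimum device-trust score each application tier demands (assumed policy).
REQUIRED_DEVICE_TRUST = {"low": 0, "medium": 1, "high": 2}

def device_trust(req: AccessRequest) -> int:
    """Score device trustworthiness 0..2 from its posture, never from its location."""
    return int(req.device_managed) + int(req.device_patched)

def decide(req: AccessRequest) -> str:
    """Evaluate one request: "allow", "step_up", "remediate" or "deny".
    Runs on every request, not once per session, so trust is re-established
    continuously. req.network is never consulted: inside traffic gets no default trust."""
    required = REQUIRED_DEVICE_TRUST[req.app_sensitivity]
    if device_trust(req) < required:
        # Device falls short for this app. High-sensitivity apps are refused outright;
        # lower tiers send the user to self-remediation (enrol or patch) instead of failing.
        return "deny" if req.app_sensitivity == "high" else "remediate"
    if not req.mfa_verified:
        return "step_up"          # device is acceptable; identity still needs a second factor
    return "allow"

def network_independent(req: AccessRequest) -> bool:
    """True if the decision is identical whether the request arrives from inside or outside."""
    return decide(replace(req, network="corporate")) == decide(replace(req, network="external"))

# Constructed sample requests (not real users or devices).
SAMPLE = [
    AccessRequest("alice", True,  True,  True,  "high",   "external"),
    AccessRequest("bob",   False, True,  True,  "medium", "corporate"),
    AccessRequest("carol", True,  False, True,  "high",   "corporate"),
    AccessRequest("dave",  True,  False, False, "medium", "external"),
    AccessRequest("erin",  True,  True,  False, "medium", "external"),
]

def evaluate_all(requests=SAMPLE) -> dict:
    """Map each user to the decision made for their request."""
    return {r.user: decide(r) for r in requests}
```

Note that bob, on the corporate network with a fully trusted device, still gets a step-up prompt because identity has not been verified for this request, while carol's unmanaged device is refused for the high-sensitivity app even though she passed MFA.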
Bolstering Your Defenses With Trust
The goal of a zero-trust security approach is to enable security teams to establish trust in the users and devices accessing an organization’s assets by adding a further layer of security. Ideally, they need an approach that balances security with usability, to ensure adoption within an organization.
Solutions need to be streamlined and user-friendly to both deploy and administer, and organizations need to create a culture of security with their users through empowerment and education. By providing tools that simulate phishing attacks and offering self-remediation options, users become a part of the security team and improve the odds of a successful implementation of a new security approach.
Trusting the Future
Will establishing this security model future-proof your organization? Time will certainly tell. The concept has been evolving over the years, but the basic principles have remained the same. Access points – users and devices – into corporate resources need to be protected, and the threat surface needs to be minimized to prevent the loss of sensitive data.
Approaching security practices with a zero-trust model enables organizations to modernize their infrastructure without introducing risk. A solution that is scalable, flexible, complements existing solutions, and can adapt to diverse use cases will ensure successful adoption and protection.
Adopting a zero-trust security approach doesn’t have to be overwhelming. There are steps that can be taken today to establish protection on the new identity perimeter, giving organizations a layer of security that offers protection without the need to re-invent the entire infrastructure of an organization.